berbew | 64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
Size

72KB
MD5

d8a09438ec607aaf2fafbffcc90ce841
SHA1

787420e161e270b8b9058d233bb63636f78d0406
SHA256

64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420
SHA512

699efa56982a01f2e6a364ac45844c6eb8d3e3f37b9cb774f33b11552a9d0ff8b77388496cbee2146f7a981d5a75ed830cf54a4437e17ce7686ba1277895291d
SSDEEP

1536:jgSWI8V2QCJM2+1BZeqUauwnnGa6bX+uZ5Dggg3:jg9I8V7cM57yauna6bX+8hO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
676	Bmbplc32.exe
2832	Bclhhnca.exe
1160	Bjfaeh32.exe
2208	Belebq32.exe
5084	Cjinkg32.exe
2492	Cabfga32.exe
2000	Cfpnph32.exe
2316	Cmiflbel.exe
1164	Cdcoim32.exe
4676	Cjmgfgdf.exe
2164	Cagobalc.exe
3616	Chagok32.exe
1808	Cnkplejl.exe
3444	Chcddk32.exe
3180	Cnnlaehj.exe
3636	Cegdnopg.exe
1008	Djdmffnn.exe
1868	Danecp32.exe
228	Dhhnpjmh.exe
2196	Djgjlelk.exe
916	Ddonekbl.exe
744	Dkifae32.exe
3364	Dmgbnq32.exe
3984	Ddakjkqi.exe
2804	Dkkcge32.exe
3036	Daekdooc.exe
2560	Dhocqigp.exe
2652	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1252	2652	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 676	3204	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe	83
PID 3204 wrote to memory of 676	3204	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe	83
PID 3204 wrote to memory of 676	3204	64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe	83
PID 676 wrote to memory of 2832	676	Bmbplc32.exe	84
PID 676 wrote to memory of 2832	676	Bmbplc32.exe	84
PID 676 wrote to memory of 2832	676	Bmbplc32.exe	84
PID 2832 wrote to memory of 1160	2832	Bclhhnca.exe	85
PID 2832 wrote to memory of 1160	2832	Bclhhnca.exe	85
PID 2832 wrote to memory of 1160	2832	Bclhhnca.exe	85
PID 1160 wrote to memory of 2208	1160	Bjfaeh32.exe	86
PID 1160 wrote to memory of 2208	1160	Bjfaeh32.exe	86
PID 1160 wrote to memory of 2208	1160	Bjfaeh32.exe	86
PID 2208 wrote to memory of 5084	2208	Belebq32.exe	87
PID 2208 wrote to memory of 5084	2208	Belebq32.exe	87
PID 2208 wrote to memory of 5084	2208	Belebq32.exe	87
PID 5084 wrote to memory of 2492	5084	Cjinkg32.exe	88
PID 5084 wrote to memory of 2492	5084	Cjinkg32.exe	88
PID 5084 wrote to memory of 2492	5084	Cjinkg32.exe	88
PID 2492 wrote to memory of 2000	2492	Cabfga32.exe	89
PID 2492 wrote to memory of 2000	2492	Cabfga32.exe	89
PID 2492 wrote to memory of 2000	2492	Cabfga32.exe	89
PID 2000 wrote to memory of 2316	2000	Cfpnph32.exe	90
PID 2000 wrote to memory of 2316	2000	Cfpnph32.exe	90
PID 2000 wrote to memory of 2316	2000	Cfpnph32.exe	90
PID 2316 wrote to memory of 1164	2316	Cmiflbel.exe	91
PID 2316 wrote to memory of 1164	2316	Cmiflbel.exe	91
PID 2316 wrote to memory of 1164	2316	Cmiflbel.exe	91
PID 1164 wrote to memory of 4676	1164	Cdcoim32.exe	92
PID 1164 wrote to memory of 4676	1164	Cdcoim32.exe	92
PID 1164 wrote to memory of 4676	1164	Cdcoim32.exe	92
PID 4676 wrote to memory of 2164	4676	Cjmgfgdf.exe	93
PID 4676 wrote to memory of 2164	4676	Cjmgfgdf.exe	93
PID 4676 wrote to memory of 2164	4676	Cjmgfgdf.exe	93
PID 2164 wrote to memory of 3616	2164	Cagobalc.exe	94
PID 2164 wrote to memory of 3616	2164	Cagobalc.exe	94
PID 2164 wrote to memory of 3616	2164	Cagobalc.exe	94
PID 3616 wrote to memory of 1808	3616	Chagok32.exe	95
PID 3616 wrote to memory of 1808	3616	Chagok32.exe	95
PID 3616 wrote to memory of 1808	3616	Chagok32.exe	95
PID 1808 wrote to memory of 3444	1808	Cnkplejl.exe	96
PID 1808 wrote to memory of 3444	1808	Cnkplejl.exe	96
PID 1808 wrote to memory of 3444	1808	Cnkplejl.exe	96
PID 3444 wrote to memory of 3180	3444	Chcddk32.exe	97
PID 3444 wrote to memory of 3180	3444	Chcddk32.exe	97
PID 3444 wrote to memory of 3180	3444	Chcddk32.exe	97
PID 3180 wrote to memory of 3636	3180	Cnnlaehj.exe	98
PID 3180 wrote to memory of 3636	3180	Cnnlaehj.exe	98
PID 3180 wrote to memory of 3636	3180	Cnnlaehj.exe	98
PID 3636 wrote to memory of 1008	3636	Cegdnopg.exe	99
PID 3636 wrote to memory of 1008	3636	Cegdnopg.exe	99
PID 3636 wrote to memory of 1008	3636	Cegdnopg.exe	99
PID 1008 wrote to memory of 1868	1008	Djdmffnn.exe	100
PID 1008 wrote to memory of 1868	1008	Djdmffnn.exe	100
PID 1008 wrote to memory of 1868	1008	Djdmffnn.exe	100
PID 1868 wrote to memory of 228	1868	Danecp32.exe	101
PID 1868 wrote to memory of 228	1868	Danecp32.exe	101
PID 1868 wrote to memory of 228	1868	Danecp32.exe	101
PID 228 wrote to memory of 2196	228	Dhhnpjmh.exe	102
PID 228 wrote to memory of 2196	228	Dhhnpjmh.exe	102
PID 228 wrote to memory of 2196	228	Dhhnpjmh.exe	102
PID 2196 wrote to memory of 916	2196	Djgjlelk.exe	103
PID 2196 wrote to memory of 916	2196	Djgjlelk.exe	103
PID 2196 wrote to memory of 916	2196	Djgjlelk.exe	103
PID 916 wrote to memory of 744	916	Ddonekbl.exe	104

C:\Users\Admin\AppData\Local\Temp\64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe
"C:\Users\Admin\AppData\Local\Temp\64424d03e2555d07fc5d180b977d2fdd390c016921fc9650b3b470a675d6b420.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\Bclhhnca.exe
    C:\Windows\system32\Bclhhnca.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\Bjfaeh32.exe
      C:\Windows\system32\Bjfaeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 408
        30⤵
        Program crash
        
        PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2652 -ip 2652
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
72KB

MD5
35e6c7f4ac0988907eeff665644f4fd2

SHA1
55d5a722c8581cbc2a1076d622ea369204ce002d

SHA256
d8df97306154a33bb3fdb9eedd19f665b47300e89974435fe5164d1fd5932d4e

SHA512
931c59b7da2ecfeee9715b81427ea0bfb2265790d179f989de5d69c9188ce917faae788151edeb09eb0717f07514575c45f995f381e4c83f66f97fa06ba8df93

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
72KB

MD5
3bf650d40d54d71d6aa5c8901246ca8a

SHA1
9b273d525f08058b568401ca696056f11286b567

SHA256
08431fc0d2dff8164c804e7936480e72c97318ad4707003e3407d1bf699cbd37

SHA512
96105dd8e1ed612e357333371adf6016b2ba57438030b703847d958dff69869392d7f6b536a2ed832283045dc6801b7eed87f6265ec62ab888e5610041e878c1

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
72KB

MD5
d4ab9e27a8e4abc592f7f111a0dd1b69

SHA1
bf4311be9b948f3ed56495008e815d1ed722d828

SHA256
7084cd3e37159a5af1471da610815040e666394946220b114f2942752e0392e5

SHA512
d3bbc2fe8da3120689454fd7a4ddeb99b7f54e7253d9050c018139134e8db8ba8ed89d0f6b4bf9b6b3a9d307af127f58012704f94f60d2291a1cf2303d9b6ed7

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
72KB

MD5
b91c19d25537669522cce38a6fc10148

SHA1
d68ac671afda2103add4114897ce6045f2711116

SHA256
87cbfc63393a7fffe8f0591ff2b26fbcfbefe8528624a64d7a46254ae798d769

SHA512
9f22afe75867636f07a797d71fd956ff799e20936baa601d1de23f2f08df9cbd68d4c860ba07a5aa13a97d4d3968da41f49725c8a61642935537927be2865c76

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
72KB

MD5
b60bfd80fd9e4125f86f44ca4dfe42cb

SHA1
1a1efdf4230308cb54281c77210a3dc1198d7058

SHA256
ed202ca8823aa3c26484b11239567b47f2de4fbf29ee9a728cf1d5a1124bb6e9

SHA512
4edbb90a99a40e6d2a6b06936d66faa4a7ba6108ddc6a740128b6f24bf6e36b3cbfbe8323ef31426ad6223f9417c61b236c4a41061554eace47cb84b0a0e182e

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
72KB

MD5
2d924123b8e900f85a788f875e85085d

SHA1
0b96d9e2f9a12446c52da7e65254dd1448e8222d

SHA256
e391f97807c2500559ba6b9922a11fb48a161ac277a8b002ab53a9efd153e630

SHA512
6c22b781268173a93d96fa614220a094903f1f428ae91b064dd529e1d209e0c0d9deae98f02587e4b50dd1d4ada4d85cfdf29f5fe6bb66a49db6e58706d60a04

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
72KB

MD5
aa9caa80ec0756772e1a5b78505d7678

SHA1
e98bab2185ef49965ab1635c4d8fc148a967080e

SHA256
9ab3f3fd6843d75faef1a4de20794e5cc3e1d3d635348fb0e5ab9a9771692d4e

SHA512
c58a2e0e3e2e77f0c270a4d81b8718a9b396aade4d97274f9293a25576dcc9f864764b7f9aaaadbc652943c890cddecdd438fb30f743a71438ebf5f007a469bc

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
72KB

MD5
b460ca5a3f0c53b8e24f87d2ae841661

SHA1
8ac5ad95562554368056df3f648f89ff0b560e70

SHA256
ba9314769b652ced87020f06b58858d6c643dfdf16fd31e2aec0b2738116a6b1

SHA512
b5044680806479b57d8189e0c46b55acf0162db86ae80cfbb0d2a464031f4f19e41d77a0d970c1c58a4afb9b48fdb09b54a92371320f714fef53085ba369e9f9

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
72KB

MD5
17f1469e239827a78ae9867654d34a52

SHA1
e4f9da1071f1ff60e465156caee904c005f676d6

SHA256
0a8792ff8d5c485acfc7c65fdbfaa41505a6059c8580ef58201adf5384b22cf8

SHA512
c4da2e1ca9e4662a748bb3f6ccf2db9c0c80bb1bacc39349239b47492defcaf1cee850f6c4b7342adea6d9fb09b06a44a54efe4e1a8d1bedc4830b54440ce4fc

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
72KB

MD5
86a6a17485461de8bff6fd266a7b1981

SHA1
52f5c3afd9b93ae8bc393c42ef1f5d366adc3b73

SHA256
5ae9f27b99aaeed7f4cfad4a61b2210aba21e0f885b77aa71238943a377307f0

SHA512
098cb2709067b7c6953cb116cd5c1a543b42a0b60499de4bc6d2f83b7e08bec5b55ce8391afcb2b5539acfed0657f27da632b0be806941e7700f9fcc5a5011f0

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
72KB

MD5
1e8ce5baaea66118a7d1a246c20c863d

SHA1
4854870f9ce81d051a5091c29ff933e53a580498

SHA256
7e31eefb91c30d2d4f1abf1b9256748f95d2532d4d6258409182e7f4c3e0eae3

SHA512
c10c5b894afb3cec077b04194351a21bae0519750674eae263f61ec4dddf75e79ad478e08f012812d3f2988856f7a3a8a26fb59d55ee9c37e582b3ead60ab493

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
724772ca3d201fc43731cc39e3e5d852

SHA1
3947105c96de71722d3628266f9e5dfcccbeee03

SHA256
e9ab2bdc5fba9bca7475e45bcc3af3240e47ab210f424feb2baa21921d28bced

SHA512
eb0798a80d932b2423858b1d6a10704f6d5b65756b47af99ac3580d112ed40dd1eb49d01431a3660537b91c63a254592ccef06d10e8ec53c43de601349e6ddbb

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
72KB

MD5
494af8fa7090101504dde5ebafe52178

SHA1
b3e98b5617dd6923c0064bd6edcc7241d8b65fa7

SHA256
cb7f079608d8494254147fd22ade8aa53bb4f40f0c6536af02a745fba2c9ec8d

SHA512
3fd13bfd435e6277b140740fa5e5aeed10c04ddfa494259f2f887c97d7912c2fb1fcd8d33f7c6e3d5c2ed6e8387dfd8c365c30269ef61eda43d1f4532d0af681

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
72KB

MD5
ee6befe537062e6e2767d727bd5401d2

SHA1
e7dcfe127cb7599a8d0c3e064965d107cca777e9

SHA256
427959271fe35c2a0157216bd250a57ec8b491bbf2998e2cffec7a89b87ae415

SHA512
41d6bbb62797b1aac96e5b7b5617204f6c2cb87887da2f08535ed306ef23b53308e1b65657dc1bec9b0aa67a33f3b23e0b5615811ee61aaee4c694622ea9107d

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
72KB

MD5
dc01c8518aac2915b93c81e406205f82

SHA1
053d1fa2b7b487a0bb76a43fc80f322625769452

SHA256
824dc01f185ca64d5ca8c58f1d9c026bbe6138425e69b1208e2dd41ec512ace6

SHA512
6af116fa7aa457223e50faa6e6a2e4effd4fabd74a9ea94c1bafb0ce68a932892a56c358afdf9ba04a831f0c92151c2051f8ed7af6a99ccc155bb034b3970a20

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
72KB

MD5
9f76a3b87d1d039f18cda157de04c8ca

SHA1
7e60cf58c44cac16f75173f3d5b107b8d710c229

SHA256
923c4bedc17182284e172f4839f7a7b40ef53f968ca63d9726145e25de3039b1

SHA512
13741f49a3fee8e944511f6315d6ad5d86af20470bb4895bba186a7bc2eda9827f85866065f084bd4407c2eb060703ae410b5f10325ad09afa6ae467d2c8620c

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
72KB

MD5
02aed95a50505ef80b52ea98f4849b22

SHA1
61fd1e931d5f7edb1647052d050fc7c8a0a16f1c

SHA256
d6369d759077914030d08e458135b9b21151e7bce6ac991d65692d9b82b00eb5

SHA512
3492f8f26d30cd242adf924e47aca45d14dc7cfcaed682fcec4723aa2afb6f84752037222b33aa28c5cdd07f3385b58b45f712b49b6fd93ae677c232c07532ef

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
72KB

MD5
2af375aaad39aa4a98a6beeacea84a59

SHA1
d85e4f8173bf9a93d299934f21312397003c0e2f

SHA256
217df8850786c7d8e908252f77378212fc075c4c56b7d2331ee145f909b3dfdb

SHA512
148b13209e6b3a591bad269d5edac659e491a7e3e7128e3eeffa9eafc1a250c45681598dd874738a7070fa72212ad0448b5275a8450b43e9985603f9aec36a68

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
72KB

MD5
25c9ee4898f84f5a5bf2fb2ad53ec502

SHA1
111e1cb09a9c7c86952e2216eb6b52949c658e01

SHA256
1f901dfc71e49af1d8ccb594674b9ff09784ab19736677800701dc4e023103ed

SHA512
718d1fb305adad6715adc245f3e6dbf2d7f98eda56264c6bb0b8b2d77c78b538233f7c09e7188fb21786a9c179c555b94af60eb245df6ea2b5cf89fe1588b083

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
72KB

MD5
1453441fac4d07489605eb7c63e36d0d

SHA1
fa48d20d71efb5206463c591602af0643b84226e

SHA256
64762bafafe534b9fc2ec40f5108f4fd45aeccb7864402d7a82edd37d8ba5bca

SHA512
686c410e6df4c3c8c50f5863e2f5a829f045b3eb964b8072401e1a9e0553c4faf9c7630f2cc215ffd46959793a9db6d6b6fe5e7a4d2e349a570fdcb1536f090a

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
72KB

MD5
978dc28ce59b1d74e99d38b114b22236

SHA1
b0a66afa49f065020f03404b008253f3d30258e3

SHA256
b502798b602653a29894c91a7545464bd41a694d310f03f853c443b5ada11673

SHA512
18aec99c19c7c1f34b0334ac4cd6508337ecc56d66fd4f5a441b0a759c2ba36174b865b91992481fb873bc549dd58bbb5a0e43cd6143e7c5e4ab27bc2c7a8d16

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
72KB

MD5
843cdda43b4eeb038b2e135943dba5ad

SHA1
ba7ff577c2304aa5e0c7c830ff4df8da7f8197bc

SHA256
c33067765d9d5ea8a69d5934640258d82fa5239de792ce28fd64b686f32ca9f5

SHA512
c4fed499ec59d1ed9618408072c9405b4662332b2d192de455f4d19f93ece699ba1a42b10140611ed30f5c004f026ca1496cd96630d578eb3881434e534e372c

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
72KB

MD5
08e46a314542ab91cce224271c4aac54

SHA1
4e790f1f954640e9ff68a70bae841a5256d43cda

SHA256
f8a50b540d4ea492dfeb1469f0c1b1963c2279fbe4ec63aa4edaef7f037350a1

SHA512
158812ba7846f044556e3c14dbc35360e2b968b286fd02d0fb0ff8b3bb1f1d6f04f18ceb991aa30cccd9b4610d1914908e18f1c0d5f15503c5d7251c3e96df0f

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
72KB

MD5
0213c7cb3bda39b3c1fd3b413bdaff9c

SHA1
d174589d7a8784d6b09a5a15fd2773177e83e702

SHA256
8dedae9747ea010876c83e4507c2e26f2a4254a98a6df5d5e63134b2493b928b

SHA512
1fa01b32384b8ae529c4070908fac6bd8c09361d77fc553319ee3a64435a8c069c309f505847375a21c4e630ecf6d5d50db8c7dc080c90d80c5453a5e6411dac

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
72KB

MD5
8477ddc7483d5334706530378285c8e8

SHA1
35d4eab8cd3ae6c88ab4c8516242dc5b65ccc68e

SHA256
aa3ff2b4e4effafc84c9aa25413b28b18ff18eefb1636e8977546e11a769e6bc

SHA512
540adadbde562448eca7b5f7a717ab40c8f8c6d77ebc69355f126abb5c75723c40299bcbf4cf58b37255e7530db7c6619ec895628bcc39815d6a4086935c6662

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
72KB

MD5
a5c7a4ee47aec3cde8db805e736fe2b3

SHA1
69a787359828b08f8326b368348a1a582c1fac34

SHA256
85b25a7fadd336b0df51c06461d4bc09fa9fa6197b9c22864026a0f2f5bcea0f

SHA512
ace0e89d77b96cc139834f497e4dd5728e0e35157f25640199412e550db0fb1c993bece16b37bbc0e11b4256486432063159ebde9aba3bf079f5c545a65629f4

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
72KB

MD5
2d9e42853fdb358c3a76e79aed3c594d

SHA1
62cbd6a5f1784120e4d9f88ce3e6649e57e37802

SHA256
3eb6c5edaf384912f65c30dba57dd843684b8439f35fed28bae5f318a13ba968

SHA512
dca41857964755ed0c1cd733b16a9b5d4b9e13bceaeef590be85263f06a68e15bd7c0f90793a89e7c9450362241a38a95c9c23cd2f69a2892c6a82f57edc1e52

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
72KB

MD5
706bdc3e719020c0dd0e1b323965b390

SHA1
fa60c3e95f2c7b60bc7c9fc99e5f784e9c8843fc

SHA256
1d22a67d7b2e85dfa61b7256ccc56f21c77b54d658ed94a2b78d7fa32b37c543

SHA512
3b32fa7d990fd11a5803cc6b6fa0f5af1e8ff22f497f2719ede28a6427ea53b41fe36c577748bc0fec135037e36fcc10a1baa5d529a7d9800f9e57505575c01f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
72KB

MD5
891a2cde7409e1a4da409f571e419776

SHA1
c0c5db98136174a8df3075ae0e2479e64d573070

SHA256
cb51c76acfeff6a9aa99f90368030bd6188d247f4fda89d405acbdaa2a4ea26e

SHA512
9b0ff94ee2ca6ca97bd11d9f300b9ab5f3e56a71017e946097621bff37362611a42844cfdf302b1046f705f63c0df7fcf1e8702aec02de706a5e199370aa1766

Download Submit
C:\Windows\SysWOW64\Ogfilp32.dll

Filesize
7KB

MD5
4cf2632729e912c095a2327c6723afac

SHA1
8cd6b8cbb8351af1a3076a5b72d01383fc43c15e

SHA256
e15319822c60c2a1f4963c7890a929efc3700b3ec5c31d740d7064c68d41cea8

SHA512
2d7189c6137b748aecabe4f61efaa5296b38edadf85230f9129989750b983d374ba5275ff30341bae56541a760adf304db905e3c4264a1e1bbfc14ba5020b2a4

Download Submit
memory/228-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads