berbew | bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b

Analysis

max time kernel
95s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
Size

63KB
MD5

ef3ab64106eeafb5805d2c8f2d86b873
SHA1

fb876126d396622ccc591c5937b9f95fccb22fce
SHA256

bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b
SHA512

327c356eb6fd9cb11fe8aead5e19d4f6a357584da713204e4ce38a0584d1f69c9273373238b9d7c687f95ce872b8d05ca0457e6e69d7f22f3838d2d53a714631
SSDEEP

1536:hJLEVOhr1YaX8qjfH+Y4zrbQ7DAwsTfHK1H1juIZo:hlEVwr1R8zPpwo/6H1juIZo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
4820	Bfkedibe.exe
4060	Bjfaeh32.exe
1176	Bapiabak.exe
4468	Chjaol32.exe
1824	Cndikf32.exe
1340	Cabfga32.exe
4404	Cdabcm32.exe
1348	Cnffqf32.exe
3600	Ceqnmpfo.exe
2792	Cjmgfgdf.exe
2092	Cmlcbbcj.exe
1952	Cdfkolkf.exe
2196	Cnkplejl.exe
1392	Cffdpghg.exe
1332	Cnnlaehj.exe
2952	Cegdnopg.exe
216	Dhfajjoj.exe
3056	Dopigd32.exe
2420	Danecp32.exe
3920	Dhhnpjmh.exe
3180	Djgjlelk.exe
1752	Dmefhako.exe
4476	Dhkjej32.exe
1724	Dodbbdbb.exe
2348	Daconoae.exe
3820	Dkkcge32.exe
3244	Deagdn32.exe
4604	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1160	4604	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4820	4648	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe	82
PID 4648 wrote to memory of 4820	4648	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe	82
PID 4648 wrote to memory of 4820	4648	bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe	82
PID 4820 wrote to memory of 4060	4820	Bfkedibe.exe	83
PID 4820 wrote to memory of 4060	4820	Bfkedibe.exe	83
PID 4820 wrote to memory of 4060	4820	Bfkedibe.exe	83
PID 4060 wrote to memory of 1176	4060	Bjfaeh32.exe	84
PID 4060 wrote to memory of 1176	4060	Bjfaeh32.exe	84
PID 4060 wrote to memory of 1176	4060	Bjfaeh32.exe	84
PID 1176 wrote to memory of 4468	1176	Bapiabak.exe	85
PID 1176 wrote to memory of 4468	1176	Bapiabak.exe	85
PID 1176 wrote to memory of 4468	1176	Bapiabak.exe	85
PID 4468 wrote to memory of 1824	4468	Chjaol32.exe	86
PID 4468 wrote to memory of 1824	4468	Chjaol32.exe	86
PID 4468 wrote to memory of 1824	4468	Chjaol32.exe	86
PID 1824 wrote to memory of 1340	1824	Cndikf32.exe	87
PID 1824 wrote to memory of 1340	1824	Cndikf32.exe	87
PID 1824 wrote to memory of 1340	1824	Cndikf32.exe	87
PID 1340 wrote to memory of 4404	1340	Cabfga32.exe	88
PID 1340 wrote to memory of 4404	1340	Cabfga32.exe	88
PID 1340 wrote to memory of 4404	1340	Cabfga32.exe	88
PID 4404 wrote to memory of 1348	4404	Cdabcm32.exe	89
PID 4404 wrote to memory of 1348	4404	Cdabcm32.exe	89
PID 4404 wrote to memory of 1348	4404	Cdabcm32.exe	89
PID 1348 wrote to memory of 3600	1348	Cnffqf32.exe	90
PID 1348 wrote to memory of 3600	1348	Cnffqf32.exe	90
PID 1348 wrote to memory of 3600	1348	Cnffqf32.exe	90
PID 3600 wrote to memory of 2792	3600	Ceqnmpfo.exe	91
PID 3600 wrote to memory of 2792	3600	Ceqnmpfo.exe	91
PID 3600 wrote to memory of 2792	3600	Ceqnmpfo.exe	91
PID 2792 wrote to memory of 2092	2792	Cjmgfgdf.exe	92
PID 2792 wrote to memory of 2092	2792	Cjmgfgdf.exe	92
PID 2792 wrote to memory of 2092	2792	Cjmgfgdf.exe	92
PID 2092 wrote to memory of 1952	2092	Cmlcbbcj.exe	93
PID 2092 wrote to memory of 1952	2092	Cmlcbbcj.exe	93
PID 2092 wrote to memory of 1952	2092	Cmlcbbcj.exe	93
PID 1952 wrote to memory of 2196	1952	Cdfkolkf.exe	94
PID 1952 wrote to memory of 2196	1952	Cdfkolkf.exe	94
PID 1952 wrote to memory of 2196	1952	Cdfkolkf.exe	94
PID 2196 wrote to memory of 1392	2196	Cnkplejl.exe	95
PID 2196 wrote to memory of 1392	2196	Cnkplejl.exe	95
PID 2196 wrote to memory of 1392	2196	Cnkplejl.exe	95
PID 1392 wrote to memory of 1332	1392	Cffdpghg.exe	96
PID 1392 wrote to memory of 1332	1392	Cffdpghg.exe	96
PID 1392 wrote to memory of 1332	1392	Cffdpghg.exe	96
PID 1332 wrote to memory of 2952	1332	Cnnlaehj.exe	97
PID 1332 wrote to memory of 2952	1332	Cnnlaehj.exe	97
PID 1332 wrote to memory of 2952	1332	Cnnlaehj.exe	97
PID 2952 wrote to memory of 216	2952	Cegdnopg.exe	98
PID 2952 wrote to memory of 216	2952	Cegdnopg.exe	98
PID 2952 wrote to memory of 216	2952	Cegdnopg.exe	98
PID 216 wrote to memory of 3056	216	Dhfajjoj.exe	99
PID 216 wrote to memory of 3056	216	Dhfajjoj.exe	99
PID 216 wrote to memory of 3056	216	Dhfajjoj.exe	99
PID 3056 wrote to memory of 2420	3056	Dopigd32.exe	100
PID 3056 wrote to memory of 2420	3056	Dopigd32.exe	100
PID 3056 wrote to memory of 2420	3056	Dopigd32.exe	100
PID 2420 wrote to memory of 3920	2420	Danecp32.exe	101
PID 2420 wrote to memory of 3920	2420	Danecp32.exe	101
PID 2420 wrote to memory of 3920	2420	Danecp32.exe	101
PID 3920 wrote to memory of 3180	3920	Dhhnpjmh.exe	102
PID 3920 wrote to memory of 3180	3920	Dhhnpjmh.exe	102
PID 3920 wrote to memory of 3180	3920	Dhhnpjmh.exe	102
PID 3180 wrote to memory of 1752	3180	Djgjlelk.exe	103

C:\Users\Admin\AppData\Local\Temp\bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe
"C:\Users\Admin\AppData\Local\Temp\bdfe6e154842ef6bce1bdf96b06ea347d1706d2a58afc37083cc543d0a1ff47b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SysWOW64\Bfkedibe.exe
  C:\Windows\system32\Bfkedibe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\Bjfaeh32.exe
    C:\Windows\system32\Bjfaeh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\Bapiabak.exe
      C:\Windows\system32\Bapiabak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
      - C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 228
        30⤵
        Program crash
        
        PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4604 -ip 4604
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
63KB

MD5
53af62c5d3731855123446b44b97e599

SHA1
52f18484ed5d33289b6d676dff30f1acb9387b4f

SHA256
8dd6e7f5d7f094bd2ff73a1e897d340763edafbb2101a7dc2c54ea79cbe7a97c

SHA512
36c5944dbb97b291f220223112f867ad3e4c66c41d278681c7c13d5f26e918e54172fc5aea66bb290dcb1775964a1f6e2cef2ede318e03cd5f753c3495e62010

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
63KB

MD5
bc811876862dcedaa371c57c3b2e2c7c

SHA1
6f2f26f80667f65e70c52a42c1cfa05c79c5314b

SHA256
a1392516b56339a299588b0e18d13d15974e6a4baf3deeb1535a43fcd8fa245d

SHA512
e1a514b499adc7cca619ee5e18538cc4bc5c441f8bb3ada42fc6da6074943677db77d2c83f3f9a704f3afa53e50a4f8b928e8dfa163a092f9abe6363ec7a8103

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
63KB

MD5
d8ce9fb629626a022a723f53283aab7d

SHA1
077d69b96282bc396a741e84fc7f68c651949910

SHA256
284c0b0ed8ad6527816ab0ac243d14dfcbc041215ccb6bd531ccb9e52471dece

SHA512
50841b353c42f5fbb722eed811c865c191eddd3d501540b45768103b78921cdfe05b73b492860d6f560f50cdca07035f3915793fe87160beea4879c8a543e4db

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
63KB

MD5
07be4f1a6063ac4a3c0f76e0efc8d3d5

SHA1
d9b25b087cec9c7e9e09e81d35a46c8483013765

SHA256
c5a44c404d89b9d54b49b06e33122bad7e289283877f7b421cd4314b8f42f6d7

SHA512
35ba8b7b4e164eda6d1442da8eccb7f3c83842d716948d9afe2def0a8d4a0eb61d2c68a10bddc9f444fe6bd77a9aa37a6d0c374f6cd332f6fd21d447abce41a7

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
63KB

MD5
d2d1556ac1d1ea367e33f1eb7b2990ce

SHA1
815bca9610a8e4dbea4a8e4ccd8ba0044b5212f5

SHA256
73eecfd52e6ab22cbfe54e6c5430a442881b5532f582649da0b47ddb341e90f3

SHA512
fdee506e6df2fb2e1210e4c89448d4705766adc03b25d004f7767c0d5f939e4c91607ea90a4fc8cf2d8a0623493f42d9d4e1c741a28f2f61be556015d3d3bd5f

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
63KB

MD5
e41a2986ae945b0781c2b2f884967b9a

SHA1
66f633c4cae1a35bd97397cd5d4381d93ca96277

SHA256
213635ff3c7c735cbb5246f89bb4715c7b1a66df3909e1723382381c58e4dfb0

SHA512
a92ed528cda4d7b5cd6bbb858e8abeb10e0f31d53bfe22ce34a37f3552218a4608cebaab16f3114e6ebdb1e22281effec3a9932476c5170f2a9033bf3e134c91

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
63KB

MD5
3fb83eff0b24f2aab6b67940e15ab9b2

SHA1
c58e8b89bb684e87cda98956aa6fb7bb17aa79c7

SHA256
09cc7093df8e2530ef7d5a5e2706bc4a326660bacfb4e5e1405584853a2fb6be

SHA512
d42013c587cc4e979b474e85dd3ddadefc8b75addb60f3a3dc24534ba5eff8b9f8d09e1536b787c31965147ada068985bfb0022a39be3fd74e0e531ff5a6f77d

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
63KB

MD5
8cffe92b1a13c8ff91524fe22df41669

SHA1
742735fdab671b2773753118eb6bc58a5b3270a9

SHA256
70bfeeea61f33cea7b411ba373ef4cff96df852ac08d156cc587481566a3389a

SHA512
9ced160743a063c02ec6a856a898d37e1b7c5ae81e9dac2877c430c76acdc2d8e709561ca00e93ded08fb60d27beb4563e1b4afa6d260f264cda99ce23955751

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
63KB

MD5
b077a764db89dcbe0a86349b9df910bc

SHA1
03ad622bd6afd8219441b0d88e5ac2590c017026

SHA256
3398dd2635dd5334ee7e586fee61b8bd5ba99460ba630688ba77f249c21436e1

SHA512
106773eda364899ec5de563bea76e722d219a22a77d8aa3d3955a2b99c790da20b39284955bc54b90c4abc30183e11a010157dc26e224df0a69a51478dfe7bd4

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
63KB

MD5
42919e8f6e94c9e021fd35bcc622deb9

SHA1
2db53c27df9864a776423f6a8f4fbe96effbd3b1

SHA256
b2d446ba8f49ea8334f2b822edbd1f04ced0225c0c9d8dd48a4246529dcd7273

SHA512
d5a543cc7d2f8cd12340e06b52607600ad6d084309be48f67ffdfaa7263a04b41f8895665ace216f3baf085e4c8ee34c89dd4b412ea255a9ecc3aace2460d288

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
63KB

MD5
e0e375434cf047791dca83dbb23f7cc0

SHA1
c89146c7f6617ad93859feb7cfe0996f5bff6e8b

SHA256
87b883f97c05ea52a3d492f2c4a581734c70bc43a4d7c39951f9d6439d513b95

SHA512
d734db627d0fa76f4f76299f9901ab8215615829b25c24bd19295cf5188de84ea0d110e27d1d89aec8d0109ca95e6b4bb072c6ee3f97c02220f5e131c5033d3e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
63KB

MD5
cf92f103b0cafa91ff52c1a9137c53d7

SHA1
b9b53daeda5368192e5b33cb94a15576726987db

SHA256
8465096f4e2c4d2c2549252498cea87d0f2204d916879635518ad00934a09b03

SHA512
934106005716ca46fd997b562e9a2d86d9336dc2ae45f3c07605dc82cb292d763867c5797a0dcf65ab92bbafaab2e3435428cb39799edea645d9696bbd2e5c43

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
63KB

MD5
fa7b01b561745214103128060a805094

SHA1
d061a916a261d9282eb8482f574cbbd0005a7a87

SHA256
060b5340d4f812ca34dd023b5f39d5eb2d1b77a7f4bf82ed7c68e493d5b90ef1

SHA512
d30557b3dda2f74bc2328dff71edd2bd9a3d9d55db4e1873ffec6256f9be2d8220a55d2858022bff55c12f9bd711136df87e3bedb925fd447d59e8deefb5feff

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
63KB

MD5
3287b3c682de28b10631c654ee29448e

SHA1
971e762e762e154dbdb0cc15ec8ba92f776b06df

SHA256
b24993ca7582a8229c04655804c403bc1d87b6099e5f15f0c7d278a2beefd9af

SHA512
6afc68e2f4bdd9638aa13737c489f350199c0f3223d41887640ba35fa5e78a089f27a0b52f2a21a2eb5a0ffe00e2142fb7e53d62ff04b60ad9a0c4cf3024d656

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
63KB

MD5
5b7a2a038852cd3b685ccd2826862660

SHA1
8f04c08dade5d0eb57689a5128876d0806623f9c

SHA256
6be07f0ed39a275bea2abc041d84657c0979b893eb117efd1b37073b3cc61ea5

SHA512
3c89a401d17e968387dfc046487b826f31ef91ddf2c746abe3c70655d850dd028f40220bc15a92050e46e66c61491b988a8bf13dc11cbf8d49025bee049d90ab

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
63KB

MD5
d89ac023a00f03008e6d0a9e5736e58b

SHA1
adc9df66956a5f7c1ea338e380090e4ff1161561

SHA256
8af1f9417729fe667edfb868cff3bdfdf6d1ec337979ea6ccce72a230bb11158

SHA512
cbea0fe45292062ae07b2970ffccd03ed9f2501f623b53008e058fea2f440fdb5439ce89a6ddda96b38fd24d2a9353499fc079fce63a28d70265790d895460ee

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
63KB

MD5
e26b172a855236852fe47b646846aec0

SHA1
f9d32f4bbe33404e3e9101d038e1a59c0218064c

SHA256
18a564bea6885fc92ed3a5b2c9937fc3792c55da290dedaf73a1f05c9da34991

SHA512
9010b2ab3aeb76077ec7d65baa5fc7dbfe69cca89b79911100e2f3767d9df425cf07aa0a530de3f79eb3a7fcccc1d44e4117ce240dde82d13e7c48c2d1ad6523

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
63KB

MD5
38d02db5e3d7f937ec3627d171b69d46

SHA1
784d36b6d4f890890a476af85fd444aa7fb332de

SHA256
ccdd8f59749bd90a62ae9119e1bf2943e025551949b82af3cc8346d7c9c2cc92

SHA512
aaac0ab5b6f955c2e3db4683fed4d36378176dde5a2c649a134614624c9dcf0d1de6fa9d195fcda67f712222c2f0ec1c105f919ecf06c0e5086bb098e19c0aa3

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
63KB

MD5
ccda4904dcbc191f93c07e4569c72968

SHA1
ae211bb027330c032c0c6049b4102469e8528ad0

SHA256
73d17a0e832fcbe1aeaa469b2a460dad0baa659c73e78d5f8e5cec149e2a1b5f

SHA512
aa5cb545c8c4c36645b72d67fac5818f5e54e9191874c865d131e5a83aa9d434eafc411e0e20ac10121dbdb839acca17daeaea7148259c7aae50fd28db7c646a

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
63KB

MD5
01309e756a38b25ea2c8ad120940bacd

SHA1
6586fa0dcaea5d889a53c48b0cf8d6c3308587f0

SHA256
3acc63725804c3bd3230f62540ecd4e3cafb38fd45bb0710e289a2469bdd03c9

SHA512
d93a8e7ab27fd0bc46a3b32cfb00c0ae78fd880ecd18c955f8f755fdeda2f3b3e9c662a80f831a206b71271c2fcaa7488a8e1ca6324f4caba6273ba0da2714f8

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
63KB

MD5
8f091f247848b83f446443fcbcc05d4a

SHA1
3d370421d5eb18ff6e7bd1c47b8b5f3571a90192

SHA256
477240ac60074246f4a781062bdf5a27bbc2acdfc934a67fdbfb347ea023e6d6

SHA512
0db8167f17ba2fc45803bc3b6641fb1c1ca140c3aa9837f18eeb3d73711f9b5e001a5bb67d02fd480aa8350262d6cb60363a3f5532d6c816701d9cfee3901c86

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
63KB

MD5
b76d560ac594a427f8ca2f503f205ea1

SHA1
8f31f0024193ba7bb981b04812d024fb10231cbb

SHA256
9f1f38ac51ea0a3f07ec6034937015f8ebbccd985075072ed1c0fef7dc02628f

SHA512
00a12b0f268dae3bfa59705f28f6ffea910fa6a34f773c716d9b6eaf26a1792228a311696cecc999d947c8e9f171ceb00d75b7cd1fb34b4eddec182ba13c4bec

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
63KB

MD5
17d530521e83b9181300e62d85e475a7

SHA1
fa4df602d8877b88bac1f52f5c8e21da937c56fc

SHA256
f004a85bf61982cb243860c3024ff674d94473daded8f74c8e4ee883ad18d689

SHA512
4fd6600e7ecd57e5987c1c9a56c21c6eb36e4649765020b8a7334f7ed23bf786b7e2d86e573c7a78bf71a21704f2a92cf7c34595048d6852bdfc01f05909fac0

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
63KB

MD5
01180d972c86c213c66aa723b67e5926

SHA1
c41907db617171fb5aaaddd91f80fe8b4b91ce0c

SHA256
6fd20a1cbafffba4f1c6b42638d0086c83c4486e91ea728e1c038689833e1094

SHA512
1dba89a5e0f94a9a3f218d0237e4cfeafec50b2efaba6bfdff1df2fe11013f9ab69e95dcfa9d6a23375644509f1a84490f00b5938b81436db9b62d4658e78838

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
63KB

MD5
d9fda89f816a3f0ed5fea6d264deba12

SHA1
2a10527f3dac5ba31ef5f8e6b239e9834f814115

SHA256
a628bf79e240ef0baa978711862f91618154179e6d02a755e32515f6e10b0e4e

SHA512
8b6d5704c5341b51cdb3d6a1d8c1c5c995862350b7a8b86407e43af7fe9da427cd3f06f1d6b625486e888bc7f0cf35b0556f8d5f3550f4cffc5cec6d4ba56777

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
63KB

MD5
c072048b54bb4653ec9ce038ab75f828

SHA1
5f6fe42ae597a01c826e92b7bf685276a6de8603

SHA256
f13e505a44c16f68ae201a54c1ff67f60a46127cbf5f87b9e162f8006c67c7ed

SHA512
e75c3597824940cbbc09892d4cd39aeccdcdd10ea0f626133537caa5067e29944624de0e31dd1677416fbd3cd9fc0a45cab6ab1ec53784da08e365f68c0b1e18

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
63KB

MD5
4e3b1f6f15c63101aca61463f6cd4c82

SHA1
debd78c642b83e905a8df932bcbe26dc08923887

SHA256
424637fa090d0015f54d3afa9086be5a016f1efeb384c69deb050ab687f93ebd

SHA512
5a3f0eadf4e0ab2f0dbc1b48ee3d3e08398d15601fd1029a063f747375de92f50852cae14cf878e5f4a64cbf83c654db551f74acb82f1494a1a0fcea2986f249

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
63KB

MD5
2a18cd0f24b83df4cfe73a3c62fb4c82

SHA1
c3b8451101fb4d7c21ea8132074f22ff5da147ff

SHA256
4de77b5a5a12c8769c5b1b8181fc1dbfe41e0589555d9c4577714f03d227d4ae

SHA512
0c65780a91a23fb6b03d5540cb6e9dce8221f957c4fd230bad0b6e6be423bcf58f54198d46b994ace417a15566c44ddc4f1902e83c01e6a169e4e0eed860e26a

Download Submit
memory/216-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/216-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1332-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1332-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1392-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1392-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1824-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1824-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1952-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1952-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3820-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3820-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3920-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/4820-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads