berbew | f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
Size

2.5MB
MD5

4603eeb15bde3a25bf78fdb01a06ea85
SHA1

2da78ea385aea1ea07e81a034fc541cc68b99a81
SHA256

f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd
SHA512

cbb7f11c36b26aaf1bc835e3d94daa388644304241ddb5fc9ac7504c93000489414a6f00cd4d375a8ce309f13d50be7ab9844fd12cd13f50564662fb8c4fbb7f
SSDEEP

12288:xu5kY660JVaw0HBHOehl0oDL/eToo5Li2:xu5gdVaw0HBFhWof/0o8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 30 IoCs

pid	Process
1408	Onjegled.exe
3976	Pdfjifjo.exe
1724	Pfjcgn32.exe
3628	Pqpgdfnp.exe
4872	Qgqeappe.exe
2076	Qnjnnj32.exe
2444	Qcgffqei.exe
4976	Anmjcieo.exe
4948	Bnmcjg32.exe
3512	Beglgani.exe
2272	Bnpppgdj.exe
1888	Bhhdil32.exe
4612	Cfbkeh32.exe
4836	Cdfkolkf.exe
1568	Cnkplejl.exe
2432	Cdhhdlid.exe
3724	Cjbpaf32.exe
2080	Cegdnopg.exe
3504	Danecp32.exe
428	Dhhnpjmh.exe
2664	Djgjlelk.exe
2784	Daqbip32.exe
2480	Ddonekbl.exe
3728	Dkifae32.exe
3900	Ddakjkqi.exe
4196	Dfpgffpm.exe
4160	Dmjocp32.exe
5032	Dddhpjof.exe
2972	Dgbdlf32.exe
736	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe

Program crash 1 IoCs

pid	pid_target	Process
4428	736	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 1408	4552	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe	83
PID 4552 wrote to memory of 1408	4552	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe	83
PID 4552 wrote to memory of 1408	4552	f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe	83
PID 1408 wrote to memory of 3976	1408	Onjegled.exe	84
PID 1408 wrote to memory of 3976	1408	Onjegled.exe	84
PID 1408 wrote to memory of 3976	1408	Onjegled.exe	84
PID 3976 wrote to memory of 1724	3976	Pdfjifjo.exe	85
PID 3976 wrote to memory of 1724	3976	Pdfjifjo.exe	85
PID 3976 wrote to memory of 1724	3976	Pdfjifjo.exe	85
PID 1724 wrote to memory of 3628	1724	Pfjcgn32.exe	86
PID 1724 wrote to memory of 3628	1724	Pfjcgn32.exe	86
PID 1724 wrote to memory of 3628	1724	Pfjcgn32.exe	86
PID 3628 wrote to memory of 4872	3628	Pqpgdfnp.exe	87
PID 3628 wrote to memory of 4872	3628	Pqpgdfnp.exe	87
PID 3628 wrote to memory of 4872	3628	Pqpgdfnp.exe	87
PID 4872 wrote to memory of 2076	4872	Qgqeappe.exe	88
PID 4872 wrote to memory of 2076	4872	Qgqeappe.exe	88
PID 4872 wrote to memory of 2076	4872	Qgqeappe.exe	88
PID 2076 wrote to memory of 2444	2076	Qnjnnj32.exe	89
PID 2076 wrote to memory of 2444	2076	Qnjnnj32.exe	89
PID 2076 wrote to memory of 2444	2076	Qnjnnj32.exe	89
PID 2444 wrote to memory of 4976	2444	Qcgffqei.exe	90
PID 2444 wrote to memory of 4976	2444	Qcgffqei.exe	90
PID 2444 wrote to memory of 4976	2444	Qcgffqei.exe	90
PID 4976 wrote to memory of 4948	4976	Anmjcieo.exe	91
PID 4976 wrote to memory of 4948	4976	Anmjcieo.exe	91
PID 4976 wrote to memory of 4948	4976	Anmjcieo.exe	91
PID 4948 wrote to memory of 3512	4948	Bnmcjg32.exe	92
PID 4948 wrote to memory of 3512	4948	Bnmcjg32.exe	92
PID 4948 wrote to memory of 3512	4948	Bnmcjg32.exe	92
PID 3512 wrote to memory of 2272	3512	Beglgani.exe	93
PID 3512 wrote to memory of 2272	3512	Beglgani.exe	93
PID 3512 wrote to memory of 2272	3512	Beglgani.exe	93
PID 2272 wrote to memory of 1888	2272	Bnpppgdj.exe	94
PID 2272 wrote to memory of 1888	2272	Bnpppgdj.exe	94
PID 2272 wrote to memory of 1888	2272	Bnpppgdj.exe	94
PID 1888 wrote to memory of 4612	1888	Bhhdil32.exe	95
PID 1888 wrote to memory of 4612	1888	Bhhdil32.exe	95
PID 1888 wrote to memory of 4612	1888	Bhhdil32.exe	95
PID 4612 wrote to memory of 4836	4612	Cfbkeh32.exe	96
PID 4612 wrote to memory of 4836	4612	Cfbkeh32.exe	96
PID 4612 wrote to memory of 4836	4612	Cfbkeh32.exe	96
PID 4836 wrote to memory of 1568	4836	Cdfkolkf.exe	97
PID 4836 wrote to memory of 1568	4836	Cdfkolkf.exe	97
PID 4836 wrote to memory of 1568	4836	Cdfkolkf.exe	97
PID 1568 wrote to memory of 2432	1568	Cnkplejl.exe	98
PID 1568 wrote to memory of 2432	1568	Cnkplejl.exe	98
PID 1568 wrote to memory of 2432	1568	Cnkplejl.exe	98
PID 2432 wrote to memory of 3724	2432	Cdhhdlid.exe	99
PID 2432 wrote to memory of 3724	2432	Cdhhdlid.exe	99
PID 2432 wrote to memory of 3724	2432	Cdhhdlid.exe	99
PID 3724 wrote to memory of 2080	3724	Cjbpaf32.exe	100
PID 3724 wrote to memory of 2080	3724	Cjbpaf32.exe	100
PID 3724 wrote to memory of 2080	3724	Cjbpaf32.exe	100
PID 2080 wrote to memory of 3504	2080	Cegdnopg.exe	130
PID 2080 wrote to memory of 3504	2080	Cegdnopg.exe	130
PID 2080 wrote to memory of 3504	2080	Cegdnopg.exe	130
PID 3504 wrote to memory of 428	3504	Danecp32.exe	102
PID 3504 wrote to memory of 428	3504	Danecp32.exe	102
PID 3504 wrote to memory of 428	3504	Danecp32.exe	102
PID 428 wrote to memory of 2664	428	Dhhnpjmh.exe	103
PID 428 wrote to memory of 2664	428	Dhhnpjmh.exe	103
PID 428 wrote to memory of 2664	428	Dhhnpjmh.exe	103
PID 2664 wrote to memory of 2784	2664	Djgjlelk.exe	129

C:\Users\Admin\AppData\Local\Temp\f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe
"C:\Users\Admin\AppData\Local\Temp\f870f8f5c403349e4eec42051cfdbfa791b73a7d61e1c21a4ddf20ab62e28ddd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\SysWOW64\Onjegled.exe
  C:\Windows\system32\Onjegled.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\Pdfjifjo.exe
    C:\Windows\system32\Pdfjifjo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\Pfjcgn32.exe
      C:\Windows\system32\Pfjcgn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 408
        32⤵
        Program crash
        
        PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 736 -ip 736
1⤵
PID:4472

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv yb6qD9LvOUaZHpBZrc9WTg.0.2
1⤵
PID:2784

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
2.5MB

MD5
6af9949ca1698d6ee38676bd30425987

SHA1
02fcf2e26bd493e762a247a1e1ffa015f881a59e

SHA256
4bc61fa568be319c58088be955f52ecc0b3235471b3604cffcf1697fd60c8ed7

SHA512
5e1a910ad2b1ba8ad69054a329af04da53c59e70629221177e1009e0501a5ab4c477a633986fb0de29a0069f5c2f6d392fc5bd54bdf62d1826486e3635240afe

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
2.5MB

MD5
78c61f1bf50b95223bc94dfc406efcec

SHA1
6a58efdc3b1c4dc6e5c22444e5d558b4e27b1ce2

SHA256
6a7ce130d3b841e39851689f82ad40ea35c8d0a2b04a849440c130620f6d5d8d

SHA512
1bab8ed8bf9770fda32febe0ae9cf064708a88e5b06690db821bc4261c913f739097a2137504a3ad628b463254889a603f367770fae7619b0b985451d7a20256

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
2.5MB

MD5
282d93cdbd19c3687ee2e37c73ee1219

SHA1
de356583638a8eda8c556c32d42267b3812cefdc

SHA256
2001bbb6e092eacfc1ea417a5901875019cdaf356d11129d940487432edcd855

SHA512
575b070de82aa3c81492155e336675ee4450d962bd1038ceb4659d92ebe6d4d58adf502ec9e8d9aa4018b876181e90d6f7de5370ab2a1dd1f44527a84e87851a

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
2.5MB

MD5
95c1933b14e3a2bcc30f621a5ee262ff

SHA1
0762332680f22d42eb88ba194c2c4cc366783d69

SHA256
db8ee660a2a52f1c58544071b83e0e1ad7dd8585f04223e312d9b6082f6d59b5

SHA512
4eb95eebdc43f96a4e194b923f940b1a9b453275fcebef42db8a2ee835c3e2003c80303e876539f007cb427ea7bb913c1e64e77dad29fe680245b5f9514bfda8

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
2.5MB

MD5
a6ca8e5d2ec4e0f45db3b72402ad7b7d

SHA1
1d3e7c3cad95fc9e4f8df32fbdbcff60d2f208e9

SHA256
dd5985820ec21e9d2e5f1cc32cb096d65d461390dfb0edd6028a5ff69dcb0883

SHA512
1e90196fa1ca9a8ab624ef0ecd1f94fb5aa03d6d66636d2558d912f5ac4dac50f0c461c94422c26e0c9c5905f23630bd089b95f4e04eb7d6cbf3be61a97d1d87

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
2.5MB

MD5
d1836eafeebc0ab6edbc8818946d4e98

SHA1
f5e501dfe603e5f074b56b7f6659ebe806644c03

SHA256
34b626153ae6f166ab9d42112b052281de00ae7542c9379899af1ee1aaafe8cc

SHA512
3cf9e347545412279e8f234780483d5f1926d6fedbe6a9cf5cc23f0d87704b5d0afaae5843d70690846b34d4d11583615560a8c6e1b3b52d176d233f049648b1

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
2.5MB

MD5
5cdf730bf9f3415962774815bf1ffc39

SHA1
53933994a4b25c88150626fc73ce65b4bb235a55

SHA256
39be19f18c03888acab3e8bda03b50f114bb40e9dac663de428320f97983e2f1

SHA512
3218a48e31696e07f4538796b8e5bde73a54bfbca2fe1f0fbf4acc00929551eeff64b4503c54ec05609be039a2ced81cb6cffba88a66793a5c32de8942d0177e

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
2.5MB

MD5
1d503f6c256f29ff7c54965d93458f8f

SHA1
890f8f9a80cadf85d8b44fbe1f3700ad17ecdcf2

SHA256
b5d0bb32873372f7827bf61049681e5c254b0add4c81f6ffec34f1d9f4079790

SHA512
228f7426586057236ba934d6a09a0a4f663e3b4ff68f762842a4950b7b19859ec56bc42341bc8b290316e4a6da8e6086d211abfd666ab6f66f86240d66e85d90

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
2.5MB

MD5
e444d588f8fc7c99301903f2c6ba3d98

SHA1
5b00d9f066eb664b28a04693b872a316b92a3852

SHA256
1b0b19ffb2aaf5bfdc5db3ff4b5ccd024a10f3eb927f73b48a35c46f4773d6b9

SHA512
fb1c0530e985a97bfa326805eac48ab011670ba994b939eed83dcbae3592573e13d1a928a5c4a3893d7c5e5cb3ab7d46025635800cef2b2864da7c4ca3307922

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
2.5MB

MD5
281b8d8215b34219f99de3ad9e3c13b0

SHA1
b8484e9e192cff22cfcf9abaa5ef9595dc915e3f

SHA256
64b4d8ab1c91ef3c3885946c0f2c912e5a9a945b1b6cfd9bcca593010c976999

SHA512
d2f6031ded126b9716da19ccfb6ca09e7512aa68dcff80f851f745f5ead9e9df3f0cc34e087a8231b00ff7dd9df23b62b4bfde0d2231fa5b79c6d71f2d5c9d45

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
2.5MB

MD5
c0610d28d2b86de1bb2a45b670d8595d

SHA1
adf6192119e21b7bd5dbc67cb805418a043d9601

SHA256
5e3e9b73dd4997963ffe67baed8494546d6792eb1afab18e85d1916048f81e16

SHA512
6c1bc2da6c8a96f036a0bf952144c28c0795a042fc3c417c9d78461fd04a55b326d2e7316894c218f8835c132d09678f865a693d4df3fc656152765d2874c234

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
2.5MB

MD5
cce850e4a58753d837683effe54d479b

SHA1
75c4d411d93643255123af980ef150f192cd2414

SHA256
4b8efbb34f64bd6af3d6258589ddee9c7c0c7a33951c1a86941a0af5d01e2c34

SHA512
1796c9bdc04d18e2e577f9d51c1679892b16437ba0a7e224ee4c017b807440db5f82a9e7f14a76cf7e28bb9fc2966a3ecd953af8900163ec101f372cb2d68b42

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
2.5MB

MD5
f2e71233ef18a3187c650ae37b19d3f8

SHA1
7459d025979196aa3794f901a20751c346a62bac

SHA256
491494365929b7f2a2e8baf01fdeee9c9b48fd41f8e5f8060be67629c999abf9

SHA512
5f9e160a8c77d555ba5dc603f0f034a540b5e207cfceb0e8ab81eee76b0d1b57a3fba17273ee793ca9f9b4d8758eaabfef1bd7e9cc8b1b6d817e9b177a36a333

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
2.5MB

MD5
4e25b78f2a3a475d29d9f1df3c699cd8

SHA1
dad226f2e16fa47747fb1de6d5265ff41a8c63c3

SHA256
ba8f8b8983ae7458214f1c257ce37e41f7e87973dd1c6f95275c123aaa0c3fc7

SHA512
5f6d5741f8212c7697b16dc786dcf5f0e8481bac3a5c5c2ac72288c0f720024dcf8d22af2de0f14320f81ec3a8f22801f093f3c0589010b120ab4168462b3b88

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
2.5MB

MD5
8efaa1db65c707aeb11a5d414cbd9bde

SHA1
877a36ab23b3646259b49217b80ddb00eae44e76

SHA256
8be43706d11a2aa7dd4400a36623fb11dc3540a913459d8ebd499475fc47e7c6

SHA512
17cae6a69e11a323c84fd7f1d1497137b9132852cf92218d2bd75f3a1cf7b1a905588caf847561d545a6d07f8b004c6fc6794587b1ba36e40ef0e6e91588bad5

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
2.5MB

MD5
455980c6d9dca954ca70a53f081bfd49

SHA1
2c3a2cfbbd263c3accc242ee2339148223f6c442

SHA256
c0e99b1d08b85cd69ab83a6fcb4fca64f104031383f347fafe229cd9be1ccf48

SHA512
a1d20c4994677e6c8587b525fcff6802ff12803eee50b3f605fddb66b09dc6b369aacc25e84c2f7783984d5d4c4d8c27734118d37a47b401b1b525b90d4d02cd

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
2.5MB

MD5
8c4f7a7aa5d7f0bbece47a7bc02b791f

SHA1
fe36c7a8b1db517de007c3eaa26119191a94095b

SHA256
20702f5be0b902f39806af82363a86db6b89fb83d6a06e45ba1a39af6330ce40

SHA512
638d9fc69ada779c75bb95a343a425eb67c649b9181d2ea0a0f10026f44a5d489df42723ec9eb2ed234982d9daa7294a389cd42b6535c07f85adaf25dd2e636f

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
2.5MB

MD5
9b3b0fc420b0838610944871f70b7852

SHA1
7f4ea1010d83fcd3bc2b3fc445d51b8ae0c3dd08

SHA256
32497cbd759b86552159a9eb44ca5307f0f4837caeb66d906eb4a2721eaf852c

SHA512
c7bf507715b4b1bee78e38c67fa912aa91b0ef4a8d0996bc4ca2312d8d900ecdc2cc1ac031e11c4451cfb7f69f8ba3eef5d92e4a555e80e3de1a7c137a7fa4c1

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
2.5MB

MD5
f3907e4d86329660933dbf94ea5cb344

SHA1
5c8df00026842f9acdae888eb53dcd519a67dbe0

SHA256
8aeba999ceb13f19533a0660ae963650fcc8a59f610c45e14b2b507d3e420d8f

SHA512
fcb61519815dd0bcf6ee2660742de400bc0f4745220a287c60ab9fe3702a410ab63be75db09c9820367a6d6f6e034e44f9e6f3567321038f3275d37487f9eb8a

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
2.5MB

MD5
457f2bf7728c3b5107c76debdb11269a

SHA1
662a4082c28fbfd7f92098634db2883b6cf79220

SHA256
2afec7eb244b2577eadce343156ff62b7fe45f8d1c2d3f8edbd0c22ef854c50c

SHA512
42bfde272c585ef86885bb0035aa1405212def9b27b41bd07b630e33f2f80f5dad0705e020c93284db01b862128e91623be90a41c19d1a0853a2149b920f32ba

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
2.5MB

MD5
d8b006e035b12e7b9a2fba3fe7c77ea1

SHA1
6ea8c9a3b7da49e956efaaa357ea509ca628fe8c

SHA256
83662beaf2c3bc699dc4fdc879ac372905f3a40280ea232654b76692d5437b40

SHA512
a8f622161a67f37591d56db8fef5cc30872731a7e00316af654911f37c8f95a868f5a8046cf1e197cb5d9898970c903c81bef9112f9eb997176beb511993acef

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
2.5MB

MD5
059dbb7f155d43237ff91ce10d2e08d6

SHA1
bf63a7b9b2fc59e456d3997670a1dc7d6cc076f7

SHA256
22e031eb93f4f49ca64f882570e7d370b06657bb47b823908b31f6c294cc964c

SHA512
84eeecd26b32aa3568310aaf3d6dfd38f1594db2e8b3b0836fb6526cd3981b9c9dc2830f9d52b82c5d94a9e0e061b692bbb1d32db2400ebb0bdfa51068c89c53

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
2.5MB

MD5
9e80f6906b103807ba4461ab94db7167

SHA1
d05ad0b17ebecac276ad9d18f70afe45da6f8303

SHA256
e139432f8c4141309453936596f3e7b5ed1f49a6b7bed107f6a91b34f73586f3

SHA512
f5e64742c15a2bdae0aca4db09696607e879e5990d4c4062f22fd9f2d7726e0c8eaee1043f166036297cbb3e7b7e1b7f09c1e6ba7b4bc24ce1838120f8cfcebd

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
2.5MB

MD5
8568b3dbc03eebdec7a4e97e75cba6be

SHA1
386415ae71c4aaef55cacc118683b35ef405f56a

SHA256
bdbef1badb7d0d3eab9faaf9666383ace9fa09df539c7baff3b287f159cef01e

SHA512
cdfb522aec23847f94a315a5551a1c34f18b91908de8f2440f2cb7c573bbab9472b2fe1f559cd4cdebf3bc674f5cc37d6d342165389b28c262d5364dd59c8624

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
2.5MB

MD5
466369950007ef7303764542d7c831bf

SHA1
eaa9acbc16d890cb72310844a5599f10974965a3

SHA256
8ba3050fedf10c9c6bf506b5900efa2229c3b3c8cf16d2cff21ec7a888f30d10

SHA512
b29d9631fbfe3bc3f83f24f27dcaec3330608887c0a7057febcb8ab30926eb7eac288da534be6ad8a8372052aaa26ea7ab772882041893992a3a843fa2df294a

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
2.5MB

MD5
3519bce5b7eb356f353bfc257be65ba4

SHA1
dd03b36f0c9b184280a342f19cac6dd1ce803862

SHA256
1608dcaa8eaee109dbd1e5b8bf913031e695c4fab878f8bc166722ba4003fa0d

SHA512
667d1f92efe6647e517e74507b992d4a931b60fb4eced03d7712ea031ac9444d6fdce88a4c8e8b947025c27dc988ba98d52acb95ac3e385f177ce4bd980c2e94

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
2.5MB

MD5
df6d95e12246c18bc2a3816b5157f097

SHA1
93178c268576702a8b4291389bbdf1feda6e340b

SHA256
7d6f74249962786439b5c05b1b1c79457a653dede824dc120992df0a3b2a1243

SHA512
dee76a23e1e7a45faf241b096aa1d10e49d0b959d006acad78e2f1cb3bd1b327ef6ea2c07fbb0e33997b5e54902c7c8ed8ca4f201069becdf50c2eaa0126f1c7

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
2.5MB

MD5
4c8e4ee159e78a8add075b5cc96c3b60

SHA1
7c7445c24d9eee00221d6c7c5c70b02d3ceadefb

SHA256
f17b699015dc319d43aea64452ffad51aeda88b8553da576ddccc7442021749c

SHA512
b1acc0de1425473fcf1cf4dc37e79031409a91a055e217eec7cc0fe4545551212bac57b7a64f4b3ce7cb17d729dccb2aee384cf780ed73fc516e0686cf78981a

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
2.5MB

MD5
c13d4638637b758fcb05cdcf48463aef

SHA1
76420222ffa73f2caeebfc9fd3c98518d1c115ac

SHA256
e0efdc6c07560b173e5348959c566ea52b62d95bc1bf44b28c5777ed4d4594cc

SHA512
6d655131dddd829f068fcb40230372877589c20f9ddaa1b56251880c13af984121bea8b11559b74cec8041f5d400801196e1a15993d3d5982b3873e72d51a8e5

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
2.5MB

MD5
af3967773961ca7eccfff581b2b8b51b

SHA1
6abc610061e84c495324c7a269279ad080b88b0c

SHA256
211c6a676f959e2e8a1e08c0222071dcde24fcaf694cc8591d8cf8e1d4df6151

SHA512
60ae3e5b277e3a5be6d0f40fba6c037b39f371171113a367c6008678b79d6ed603ed3490325eb8dbe228f8a6d2d9432384826fc19ec5267a2027d79c47cb9044

Download Submit
C:\Windows\SysWOW64\Qciaajej.dll

Filesize
7KB

MD5
37ef1514fa156a1289db16f0a45e6342

SHA1
60a64c61f44c1d262b510e3e1c72cff0d7ca2073

SHA256
aa6720fc72f995abd13962d6fbe22b26addd0f996a8d76c716c99664b71777da

SHA512
ec2cb1cf2e62dbd71ff3bea86beb6acc3ed3f8630f9e5c83804dd8c4173e1d00e33584e3830564658f19b174bb74397d28c3c4e004f8aa54483e0e6bd2995f3e

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
2.5MB

MD5
1549bebe7e56fb3b89c026c3cd01ae34

SHA1
16be3aa9fcb8f9b5dad96d9d4f37a91c3ca70f37

SHA256
9fbc35dd7dccc466e9bc02e70923c57bae4cebdddbc8e7452d4178635506f00b

SHA512
257b3e02ac3f95ffffc56e4e7ec2ed869a59f0c93c03d2e814cd876c5714b71ba89464b6f373139503c82a435e11f6b1611f9636ba40efaa36a8fbded50f86d3

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
2.5MB

MD5
ade7b980bcf21b815b0fb8a1de46330e

SHA1
c3af05fdff203dcf3935c6e58515d8dc4df92784

SHA256
470a37291d0bca5fc3f8e2440185bae7eee9d7fbc4a2b89a213ab11781594b29

SHA512
b2b1c25fabd0ed9a42a2233c9afddb4cba7e429a2c2d43a13657af63cfcaf2f552f2d2fcc2eb1a17e99d46daead79aebcc6b477599997f5c9356da4b3da2a020

Download Submit
memory/428-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads