berbew | 29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
Size

74KB
MD5

e925d331a8881aa3878ab1e8370ac277
SHA1

9dabb46ff1ab57a2ad20c22ef628d4acf3965c61
SHA256

29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8
SHA512

82d2013bfff448b2fd8ef9cb0099fc018cf04ab2fbe2e271674207b179aad27ac18e23741298b8cd6c95b801a6ccebc8d991ce05d6cc14d3581b57a5702175ab
SSDEEP

768:+MOOa2hydKaevzj7Gyr3rw5HdsgE/l0zV6mK9Qs1/RqRdFiLgj2U7HVZKehGlGaQ:Vh75jsHXq3Lq2ohGlnG93BQteoW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
4872	Cndikf32.exe
1632	Cabfga32.exe
4980	Cenahpha.exe
3380	Cfpnph32.exe
4072	Cnffqf32.exe
2108	Ceqnmpfo.exe
4032	Cfbkeh32.exe
3252	Cmlcbbcj.exe
540	Ceckcp32.exe
2292	Cdfkolkf.exe
772	Cjpckf32.exe
1492	Ceehho32.exe
2080	Chcddk32.exe
2328	Cnnlaehj.exe
4444	Calhnpgn.exe
2684	Djdmffnn.exe
3764	Ddmaok32.exe
4848	Djgjlelk.exe
1640	Daqbip32.exe
1820	Ddonekbl.exe
2564	Dkifae32.exe
2624	Daconoae.exe
4740	Dhmgki32.exe
1940	Dkkcge32.exe
1352	Dmjocp32.exe
3104	Dddhpjof.exe
1980	Dknpmdfc.exe
2372	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	2372	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 4872	1124	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe	82
PID 1124 wrote to memory of 4872	1124	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe	82
PID 1124 wrote to memory of 4872	1124	29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe	82
PID 4872 wrote to memory of 1632	4872	Cndikf32.exe	83
PID 4872 wrote to memory of 1632	4872	Cndikf32.exe	83
PID 4872 wrote to memory of 1632	4872	Cndikf32.exe	83
PID 1632 wrote to memory of 4980	1632	Cabfga32.exe	84
PID 1632 wrote to memory of 4980	1632	Cabfga32.exe	84
PID 1632 wrote to memory of 4980	1632	Cabfga32.exe	84
PID 4980 wrote to memory of 3380	4980	Cenahpha.exe	85
PID 4980 wrote to memory of 3380	4980	Cenahpha.exe	85
PID 4980 wrote to memory of 3380	4980	Cenahpha.exe	85
PID 3380 wrote to memory of 4072	3380	Cfpnph32.exe	86
PID 3380 wrote to memory of 4072	3380	Cfpnph32.exe	86
PID 3380 wrote to memory of 4072	3380	Cfpnph32.exe	86
PID 4072 wrote to memory of 2108	4072	Cnffqf32.exe	87
PID 4072 wrote to memory of 2108	4072	Cnffqf32.exe	87
PID 4072 wrote to memory of 2108	4072	Cnffqf32.exe	87
PID 2108 wrote to memory of 4032	2108	Ceqnmpfo.exe	88
PID 2108 wrote to memory of 4032	2108	Ceqnmpfo.exe	88
PID 2108 wrote to memory of 4032	2108	Ceqnmpfo.exe	88
PID 4032 wrote to memory of 3252	4032	Cfbkeh32.exe	89
PID 4032 wrote to memory of 3252	4032	Cfbkeh32.exe	89
PID 4032 wrote to memory of 3252	4032	Cfbkeh32.exe	89
PID 3252 wrote to memory of 540	3252	Cmlcbbcj.exe	90
PID 3252 wrote to memory of 540	3252	Cmlcbbcj.exe	90
PID 3252 wrote to memory of 540	3252	Cmlcbbcj.exe	90
PID 540 wrote to memory of 2292	540	Ceckcp32.exe	91
PID 540 wrote to memory of 2292	540	Ceckcp32.exe	91
PID 540 wrote to memory of 2292	540	Ceckcp32.exe	91
PID 2292 wrote to memory of 772	2292	Cdfkolkf.exe	92
PID 2292 wrote to memory of 772	2292	Cdfkolkf.exe	92
PID 2292 wrote to memory of 772	2292	Cdfkolkf.exe	92
PID 772 wrote to memory of 1492	772	Cjpckf32.exe	93
PID 772 wrote to memory of 1492	772	Cjpckf32.exe	93
PID 772 wrote to memory of 1492	772	Cjpckf32.exe	93
PID 1492 wrote to memory of 2080	1492	Ceehho32.exe	94
PID 1492 wrote to memory of 2080	1492	Ceehho32.exe	94
PID 1492 wrote to memory of 2080	1492	Ceehho32.exe	94
PID 2080 wrote to memory of 2328	2080	Chcddk32.exe	95
PID 2080 wrote to memory of 2328	2080	Chcddk32.exe	95
PID 2080 wrote to memory of 2328	2080	Chcddk32.exe	95
PID 2328 wrote to memory of 4444	2328	Cnnlaehj.exe	96
PID 2328 wrote to memory of 4444	2328	Cnnlaehj.exe	96
PID 2328 wrote to memory of 4444	2328	Cnnlaehj.exe	96
PID 4444 wrote to memory of 2684	4444	Calhnpgn.exe	97
PID 4444 wrote to memory of 2684	4444	Calhnpgn.exe	97
PID 4444 wrote to memory of 2684	4444	Calhnpgn.exe	97
PID 2684 wrote to memory of 3764	2684	Djdmffnn.exe	98
PID 2684 wrote to memory of 3764	2684	Djdmffnn.exe	98
PID 2684 wrote to memory of 3764	2684	Djdmffnn.exe	98
PID 3764 wrote to memory of 4848	3764	Ddmaok32.exe	99
PID 3764 wrote to memory of 4848	3764	Ddmaok32.exe	99
PID 3764 wrote to memory of 4848	3764	Ddmaok32.exe	99
PID 4848 wrote to memory of 1640	4848	Djgjlelk.exe	100
PID 4848 wrote to memory of 1640	4848	Djgjlelk.exe	100
PID 4848 wrote to memory of 1640	4848	Djgjlelk.exe	100
PID 1640 wrote to memory of 1820	1640	Daqbip32.exe	101
PID 1640 wrote to memory of 1820	1640	Daqbip32.exe	101
PID 1640 wrote to memory of 1820	1640	Daqbip32.exe	101
PID 1820 wrote to memory of 2564	1820	Ddonekbl.exe	102
PID 1820 wrote to memory of 2564	1820	Ddonekbl.exe	102
PID 1820 wrote to memory of 2564	1820	Ddonekbl.exe	102
PID 2564 wrote to memory of 2624	2564	Dkifae32.exe	103

C:\Users\Admin\AppData\Local\Temp\29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe
"C:\Users\Admin\AppData\Local\Temp\29fc2c9663b0c129d7c1e5017cfee2951a091e95f953e254b4c563be12c20bb8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\Cndikf32.exe
  C:\Windows\system32\Cndikf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\Cabfga32.exe
    C:\Windows\system32\Cabfga32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\Cenahpha.exe
      C:\Windows\system32\Cenahpha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
      - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 432
        30⤵
        Program crash
        
        PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2372 -ip 2372
1⤵
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cabfga32.exe

Filesize
74KB

MD5
3ef0d13dec92a89d2e4f2ebf1956e81d

SHA1
9685eb82186825f48c47e695e54a4c42ad67fca2

SHA256
b3990233a193997472e9fe575b0cd5b78d6a6393029426070b0fda01c542f9bc

SHA512
909a7bd343a7b3f8846e396076de5acde30f4759eea73e03d94dd8ab59a1ca8764fea070b10986c6a095625a36580d64da21ceb2d692c32a08a423ddf7d71f36

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
74KB

MD5
8fb708f7a3b02be6d748c6df3bf26212

SHA1
d57e10fe893db1026ede25aab8e415647ccff0ff

SHA256
9d7098827c6a8f4db888ab7606a10bfe770b1bcafba00a210af1c673917a43d7

SHA512
8872814fc643a47678e4a278f11deaec3d4cc210d9f7e286db05ba4c40627867a356ce36347e952a86f924162c60176b18e168f37478fdf63c56f51bd88f8fbb

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
74KB

MD5
adb084aa4b4208572126112ee5b7d8e8

SHA1
8976043831375f461082b72f916ce4db47650e0f

SHA256
def53da5605b0a05fd3b3e46c3e8c7d8812ec3a1dbd21d58cada360a83ee4052

SHA512
065307ccc569ef70c361f8d289ceac6af50f91cbf6f72168d1d38a7a18dbebc1be150fc9e14525d463cc2ecd200ef58a771a8b3a9e6b2a646644bf7129ea5a79

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
74KB

MD5
0d72afe04fe90fdb4e2f9eb64e84bf85

SHA1
fb1fdae7e5ed42c5acd27f955cf3b56ae6ee873a

SHA256
284574e82fd5c6b46ae8ef707f35a8508c8899971463b314d27f683a1722fd82

SHA512
dd2705e7cee32b4257258d4a09437ce23f59493ee20b1cf5bd3a0bd0e4a6573f2ae89b373d9fe9030142c94eb1e2727762caef0a99cd0691fa951be475ee7335

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
74KB

MD5
51ca50b3c62cf7a0843b4e3230794016

SHA1
71ad2d2fe9ca3dadbe095589173fd6233b044035

SHA256
ed7779f7454cbbb7c9d02acbe046c81f64f0e7fa3d0bffec34e87b89c9acfa21

SHA512
c639175c11fe7647caa442b376ccce264627e44d70cf22e86c538cbe7b7949f5175121139f9e22782b3f6844eedc58166a09e34bcbd8495b2dd3912fd7f7e41f

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
74KB

MD5
215be3fc4cfbea28dadc5fd6c97eb2a4

SHA1
3eb0e83bb0c1cdc23631740ec88aa97256412a07

SHA256
b7a3ee52c40df9624b6ba5ad5f8d782981e5adfca176993dd1a0b33bd3938f34

SHA512
478f39bdfae688083a7a441f2395570e9a6fa40da0560e1e81b8a1c170d23be7d50c242a1a073dafdb26c636a33afc2ad13fbbf751bb2fede9e157945334e281

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
74KB

MD5
59e1a0d97c610275f554d5d316c978f5

SHA1
14b1cdc33a6fb64bd731b769aacb86947f89928e

SHA256
3e101e1f817ec4a8b295758c876833cdc48ec58763fedff58468ce7c42bb76e9

SHA512
31206d95555e70f6db29672db8bd9074140b9e87057c79424445d9511486eccf82ba526cf251800a8e077f5350454ae14a789fc0ef0d792f6c08aad2ced777e5

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
74KB

MD5
7097ccb68b10e4cfce9932108bf92278

SHA1
4eadacff75c183809c55d0eaf0ecc821ca14922d

SHA256
518eb92fa02b733c5bd4143e217f01dcda8846a019550a06ee1c6b0ae11ccb6e

SHA512
0fa67f962316db88c54997ef75edc5bb719e08faa20d6b13b2c8e4a617b45fffd27081354d3c1d319108736183e5a18e7e856279ab1232ddcaf30b4ec7d1d3d1

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
74KB

MD5
1e5dfe3cc97ec263ebcb1ac4bb7c5131

SHA1
65b9476dae467f695f1c4044b22e84dc5e37af13

SHA256
95a25e60bd03fd0f95d2a8e07633d93e15237b43147fd11c1721e0710de9e4d0

SHA512
a40322c84a9c922dc722668fb6ab98ac054c98442c97ff5ed30e3ca6a464ab3fd223bff0212a05f0ad1d99bb6b4ab73f511697299acec875c1ec722ce588a904

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
74KB

MD5
0fa1511818a830bcb4c565adb98e48dc

SHA1
2cb12f9ccfc3b8cc05fdd74dee11fe2d5a1ae3fa

SHA256
f96612999e272daecdf06a8a3035dce02916c845898354d719477f478be008a0

SHA512
fd9fe4891e7ef96a0e593ec6522240a18afc483a8987d46acdc4152e19a6f5a2a1a776672a197408ed368b7b9ceb66f9d4023dfa7353de58ca044fe5a46c4ffd

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
74KB

MD5
5db72c469ae23c88ec70a07674a83625

SHA1
5f08418e6a8d9dafd788d1ae580f55c4394d99ed

SHA256
09cc7eae475242c7255c7f47bfaa9c0a4e83310b7c809ad8944cd907bd5dcae9

SHA512
90b424f8dc06cabb86e5a1d79105fcfa01fbc9551ff99a0ac6e940e53b2b7acf2695498429f69fca61194a24c6d39b51c3e8d6b3c6117fc722ea57b4b3c41921

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
74KB

MD5
ec30350504a53575a041235d5bf37109

SHA1
b9ef84d59dba9050ada977024192176ee15b4078

SHA256
a040c48a6c9606460b1d9e575689d26434c2453a2659c1ac1f12e6b69599e0e8

SHA512
16725e657ac701f8f6c25414c187302a0ff129b6cfc730d877df117e8031d4efc1b398caafbdae56951ee1f1787590c37412c32c2829383946a315afbf76240b

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
74KB

MD5
9362532bbacaeeec387af332e1869015

SHA1
d4dea9732e213eedf4dfa5dac6912a15cc231589

SHA256
ee62f26191798de6fdbbea72c28f120f42b99a7f9321174b24b180744c2ac8be

SHA512
490f79e5b46d415f48b97f415a251ec34b1e4ff8e3c914f4198a52fce803d033a29ab7440a2815a380ef5161866b78daf3463a3ede45d0eff937c111f7559d04

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
74KB

MD5
b0ac113444087606ba55db664b236e77

SHA1
e2397221e082a8f163f47dd0addde009f0eaf878

SHA256
92a13c32d5c4e39d88ff692353b3b155c671d69f5f9b145566ae15c348765046

SHA512
7e7cafc4e1dd9bc9275cb998b73b169f1a4bb3997c25fa27c0b840dcaefc4d285a5f56ee0a80c6defc041ca47cb78b33b6666345864d3a5ac073168ca2ac946e

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
74KB

MD5
df20c9039bb4ff5a6b4a7b9becb414cb

SHA1
e4a66a8f8aeccdeb6f02c3c9cf1536f0fa48bf9a

SHA256
bf65c532a719cef43aaabbd552d910b63afaf4a9263897af18b200cdf5464b07

SHA512
ce0b30957434a99a37cbfc4e9a4097f7a094f976afb4299239ef39c7e1455ccaafd728107d4aab6e656c0ee96a920a57b20e1c2cc773db812155248f910ddf7b

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
74KB

MD5
a589f8209fc80591745e78a85a78b1ea

SHA1
f4f1f166357693ec9b492cb5bc77c932e2e47070

SHA256
c5b63abd6bd9ddfff5323d8de69e9dff253de8c7ffa26b9bd90eec03718ba803

SHA512
6d691653d36edb4f611ae76f36779623f222eff13be7d6fad416a83000f0f32e7beed11dfa109383f9ef41d10c85786e968d2e149b429e63f77201a81a5b2824

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
74KB

MD5
8a5ad079863eecb02e97e8b86b8ba5c2

SHA1
5283cb029026345a3ec6ccbba215b1052196d316

SHA256
7550cbe7123f2a01eccb9b002630ecdc712194de11cb4d80b1acc1c4e21858c1

SHA512
78210e0e1a8213dee2f04241462ddcbdce1f28fcd60150a68589352fb06bdae7b35249a3eb6327cfe01fcc2e0a6264262956b1f9f1f875efafc5893080d9b508

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
74KB

MD5
bcc7c8f2cad08dca045e89876542b255

SHA1
02754a864829c3314dcb61aa2cf6250fb3c293f1

SHA256
82577a321d2d0ce644e8768070be31ec84777114ac14501b6d12e94d5b0b8ec2

SHA512
c5c7687c4f9a7cb0f77e65782381a289ce0a6543bbb93912751517db1928867d3a9f8c75c2bc34a5a5fc8b57fcbefed81c0377047987c21798aed099d07e2ab1

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
74KB

MD5
ad5aa937b3d9abecbfecef2a59fdab77

SHA1
dbd023104c8cf9f2be647f82465f79a7feedb186

SHA256
bd8320b8d1f4344c4b49f6ca48ac94335f851687f33778bd505425a2622814de

SHA512
cef29e7350923ccd2399adbb029b1bc2c9000ab2f0b6e19d96dffc4e72722a99fe2ecf27dd4747afe632332d4bc3fba6218c72c24e17ace115f30b486670868b

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
74KB

MD5
46c2e17fb7ed2c8654be943a8ac5aec0

SHA1
5a47b3add9122d339264934aab97b362c457514d

SHA256
9e7d0082caa4cf49f4b0c48f6a9e199b3dc273165ce377d3aaa2545334865164

SHA512
0727a2a4c4e30d160eb1958d91973abf58f4b784e7984761cbea249d7cc3608c0c61397b75329a303c296e757297ea5ff5cc8210a318a87012d3d6a9a1ea5342

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
74KB

MD5
b1daf6a70b9266bebfbdae4a6ab64f78

SHA1
2604eca117a90656683eeafa8b752de9fe3bd3d3

SHA256
20cbd2582fbda2cc7127a00cf4b8faaf94ce5fb710c6c7f207b0f0efb6893aa6

SHA512
1e0f9101762424727e15efb038b1fcf457f6291bd80cb56773043e2b090dd5dee7fe02712da952f7949d1bfa6e39276d6afe5bc85d2fa223a1d003b6cec33428

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
74KB

MD5
5ab46846fbfac17c092a00e80179df62

SHA1
a0b09b1a676d08a8eb8af66167943b194d111394

SHA256
13fae336d2542a52cd35c3b8d980cbfce98cd5dcd918049fe6ec981b4d9ec43e

SHA512
09bc38c76f81e4b955f70807d87d32caa7ba85dc8e5e9ad0b7201a3319aa756c4c79d770421e5a381e103cd0ec09781144420abbae397a30a5d7730b19749664

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
74KB

MD5
7deab024a91086fcb296b25b851cb6c9

SHA1
37bcced4a76d1648e89a728d54051c41ed0b7a92

SHA256
f4ed91d2ae05d44ec88cd9f1f21abbc05ab719c5bc0afe84616dd9c3c7f2dc56

SHA512
505183405ea5dd6b23b35d746200e076c0b1416a2017bf7d9b8548e14290f4103c0e002db183846a90fbc09a98e085c42c85ab7e5dbaa289941e410071458e85

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
74KB

MD5
8114f59d599108d6a968ddd5ccec5868

SHA1
cb6aab26062f93585365fdebcdbad6d22d9df461

SHA256
5fc4be761049d760dbc0291da54bfbb702370020fe3e1e99d45eef9b1eb0d838

SHA512
bc8e6b0765947eb1f44b0415150d4b5af7513088a5a552d2c50aa5569bb8ea7faeca32b35b144dab43c357f85cdbcb852f73442cee09582a26ab22823f49c292

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
74KB

MD5
0db4b940a3aa57faaee04dad59733c3e

SHA1
686c5e0b0ff82dc57a54f886623c2def2d2b620a

SHA256
821e532eb58081d3d4f6ad3ef2a7a8fff58cf45141a3bb74f0a9fc58c85684c0

SHA512
cb070083c59061db80e2cf407412ec40ed9bab64cb602aabec61cde4f87a48c88dd167ef352774ee7b7106567b3110dbee755b26e79830d3cd91437460142ff3

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
74KB

MD5
3f7f426fad505d017b424e7f10410584

SHA1
ae039fe6682cb1e2676fd4d74d0d58842b9964a2

SHA256
8800dd579b4f3e45631e4fe38deb660ae25da5dec1f9f27dafdd681cfee0a78b

SHA512
6596a51ae9029d3c3111d8b924ff6ce91bcf55b5dd57840eafb64e0ae78b63d3f9750c829878d6508cc5988c12d5a7e7ccdcf6369c776df5e76d98023287f322

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
74KB

MD5
340cb3de0bdc131f1bdc0c6c5cf9188c

SHA1
d075d2f171e6d2f0e257192fb0a74668825f1eb4

SHA256
2cb8100e1412bd929a1f82b808d62cc84be0b957f2930f7fab9f2b5bb6ca8141

SHA512
70008629af727f38775edaac96644a7b7ee221412d2a4baff8303744adb341c969bec7743ca6f66846f7ce6f5e0770f006620ef8776a41a59cd0cffe3f881bc4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
fb81b0ea2900dfa707f2937b1e757b13

SHA1
7f5722cd3272e6dfdb6b956b7b6c806854dcd283

SHA256
7dcbe1650ad0cb6bde417fddb8a0804404ff22474bc4d515ea73c387585edab0

SHA512
7ad3c25f63e5cd5164e8f4bd75dab7d7c7842b62035f8c1c152d7ce453ed5440f0ed3f9cabb5b673c1653932f427d1587335ce0137b21c6a6e07fe565d216e20

Download Submit
C:\Windows\SysWOW64\Lfjhbihm.dll

Filesize
7KB

MD5
3ac43c6f57168ee77f2c8262ed76f198

SHA1
667b4fb823054df6575373239df99918c486c5e4

SHA256
80b4d53bd4a7a667a8056125a45926c60a6e2998ae11bfb18461e92629c83d1c

SHA512
de2a51d281d362d4e5bbb76348f96281c09dbb65702310016e4febfde4fdbba981263e9483a375aaf443827ee87ecac3cf5f4dae7b02ec1c5c0de2665837e1ec

Download Submit
memory/540-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/540-243-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/772-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/772-241-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1124-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1124-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1352-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1352-228-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1492-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1492-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1632-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1640-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1640-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1820-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1820-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1940-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1940-229-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1980-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1980-226-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2080-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2080-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2108-246-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2108-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2292-242-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2292-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2328-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2328-238-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2372-225-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2372-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2564-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2564-233-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2624-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2624-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2684-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2684-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3104-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3104-227-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3252-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3252-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3380-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3380-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3764-235-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3764-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4032-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4032-245-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4072-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4072-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4444-237-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4444-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-230-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4848-234-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4848-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4872-250-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4872-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4980-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4980-249-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads