berbew | 29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
Size

240KB
MD5

10e36265898e08bbd5966e296453ec9d
SHA1

e96eaa21da877c7428b8f8f0c3bd88d4fb4c5259
SHA256

29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa
SHA512

067e427c9ae269e234171b210eae2f4c406c7a23b3c836b43cd5acd7cb68078825f95fa04e3cfe1c1bcb62c3c87e081ba4e2d04594cfe83673dc4078474715a9
SSDEEP

6144:8G0uxJcoRonGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEAO:d0YcoRiGyXu1jGG1wsGeBgRTGAO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
4804	Bnkgeg32.exe
4968	Bchomn32.exe
1272	Bjagjhnc.exe
1976	Bmpcfdmg.exe
4416	Bgehcmmm.exe
2816	Bmbplc32.exe
2528	Bhhdil32.exe
3612	Bmemac32.exe
2780	Bcoenmao.exe
2240	Cfmajipb.exe
1968	Cndikf32.exe
5008	Cenahpha.exe
1036	Cfpnph32.exe
4472	Caebma32.exe
1172	Cnkplejl.exe
3488	Chcddk32.exe
1676	Cmqmma32.exe
3944	Dhfajjoj.exe
4664	Dopigd32.exe
3608	Ddmaok32.exe
3588	Djgjlelk.exe
1720	Delnin32.exe
3600	Dkifae32.exe
3884	Deokon32.exe
2988	Dfpgffpm.exe
2372	Daekdooc.exe
4448	Dgbdlf32.exe
3860	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
632	3860	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4804	2872	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe	82
PID 2872 wrote to memory of 4804	2872	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe	82
PID 2872 wrote to memory of 4804	2872	29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe	82
PID 4804 wrote to memory of 4968	4804	Bnkgeg32.exe	83
PID 4804 wrote to memory of 4968	4804	Bnkgeg32.exe	83
PID 4804 wrote to memory of 4968	4804	Bnkgeg32.exe	83
PID 4968 wrote to memory of 1272	4968	Bchomn32.exe	84
PID 4968 wrote to memory of 1272	4968	Bchomn32.exe	84
PID 4968 wrote to memory of 1272	4968	Bchomn32.exe	84
PID 1272 wrote to memory of 1976	1272	Bjagjhnc.exe	85
PID 1272 wrote to memory of 1976	1272	Bjagjhnc.exe	85
PID 1272 wrote to memory of 1976	1272	Bjagjhnc.exe	85
PID 1976 wrote to memory of 4416	1976	Bmpcfdmg.exe	86
PID 1976 wrote to memory of 4416	1976	Bmpcfdmg.exe	86
PID 1976 wrote to memory of 4416	1976	Bmpcfdmg.exe	86
PID 4416 wrote to memory of 2816	4416	Bgehcmmm.exe	87
PID 4416 wrote to memory of 2816	4416	Bgehcmmm.exe	87
PID 4416 wrote to memory of 2816	4416	Bgehcmmm.exe	87
PID 2816 wrote to memory of 2528	2816	Bmbplc32.exe	88
PID 2816 wrote to memory of 2528	2816	Bmbplc32.exe	88
PID 2816 wrote to memory of 2528	2816	Bmbplc32.exe	88
PID 2528 wrote to memory of 3612	2528	Bhhdil32.exe	89
PID 2528 wrote to memory of 3612	2528	Bhhdil32.exe	89
PID 2528 wrote to memory of 3612	2528	Bhhdil32.exe	89
PID 3612 wrote to memory of 2780	3612	Bmemac32.exe	90
PID 3612 wrote to memory of 2780	3612	Bmemac32.exe	90
PID 3612 wrote to memory of 2780	3612	Bmemac32.exe	90
PID 2780 wrote to memory of 2240	2780	Bcoenmao.exe	91
PID 2780 wrote to memory of 2240	2780	Bcoenmao.exe	91
PID 2780 wrote to memory of 2240	2780	Bcoenmao.exe	91
PID 2240 wrote to memory of 1968	2240	Cfmajipb.exe	92
PID 2240 wrote to memory of 1968	2240	Cfmajipb.exe	92
PID 2240 wrote to memory of 1968	2240	Cfmajipb.exe	92
PID 1968 wrote to memory of 5008	1968	Cndikf32.exe	93
PID 1968 wrote to memory of 5008	1968	Cndikf32.exe	93
PID 1968 wrote to memory of 5008	1968	Cndikf32.exe	93
PID 5008 wrote to memory of 1036	5008	Cenahpha.exe	94
PID 5008 wrote to memory of 1036	5008	Cenahpha.exe	94
PID 5008 wrote to memory of 1036	5008	Cenahpha.exe	94
PID 1036 wrote to memory of 4472	1036	Cfpnph32.exe	95
PID 1036 wrote to memory of 4472	1036	Cfpnph32.exe	95
PID 1036 wrote to memory of 4472	1036	Cfpnph32.exe	95
PID 4472 wrote to memory of 1172	4472	Caebma32.exe	96
PID 4472 wrote to memory of 1172	4472	Caebma32.exe	96
PID 4472 wrote to memory of 1172	4472	Caebma32.exe	96
PID 1172 wrote to memory of 3488	1172	Cnkplejl.exe	97
PID 1172 wrote to memory of 3488	1172	Cnkplejl.exe	97
PID 1172 wrote to memory of 3488	1172	Cnkplejl.exe	97
PID 3488 wrote to memory of 1676	3488	Chcddk32.exe	98
PID 3488 wrote to memory of 1676	3488	Chcddk32.exe	98
PID 3488 wrote to memory of 1676	3488	Chcddk32.exe	98
PID 1676 wrote to memory of 3944	1676	Cmqmma32.exe	99
PID 1676 wrote to memory of 3944	1676	Cmqmma32.exe	99
PID 1676 wrote to memory of 3944	1676	Cmqmma32.exe	99
PID 3944 wrote to memory of 4664	3944	Dhfajjoj.exe	100
PID 3944 wrote to memory of 4664	3944	Dhfajjoj.exe	100
PID 3944 wrote to memory of 4664	3944	Dhfajjoj.exe	100
PID 4664 wrote to memory of 3608	4664	Dopigd32.exe	101
PID 4664 wrote to memory of 3608	4664	Dopigd32.exe	101
PID 4664 wrote to memory of 3608	4664	Dopigd32.exe	101
PID 3608 wrote to memory of 3588	3608	Ddmaok32.exe	102
PID 3608 wrote to memory of 3588	3608	Ddmaok32.exe	102
PID 3608 wrote to memory of 3588	3608	Ddmaok32.exe	102
PID 3588 wrote to memory of 1720	3588	Djgjlelk.exe	103

C:\Users\Admin\AppData\Local\Temp\29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe
"C:\Users\Admin\AppData\Local\Temp\29f6d5fee6adab0b5f67e0440f2883522ee8a6297129baed0c75640fd78603aa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\Bnkgeg32.exe
  C:\Windows\system32\Bnkgeg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\Bchomn32.exe
    C:\Windows\system32\Bchomn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\Bjagjhnc.exe
      C:\Windows\system32\Bjagjhnc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 220
        30⤵
        Program crash
        
        PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3860 -ip 3860
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bchomn32.exe

Filesize
240KB

MD5
5f17add430a4faa47b188272f90b0a19

SHA1
b1008f6c434d2336c0915c2f9e26307debe261cc

SHA256
88d4e06646e6373d900ff4b07f7931e278f041afc689df920288e7852f80d954

SHA512
c88bcc4acb8ee022adfa1a15fa8ab4c43b597877b63c93a120f194842644bab99aa9eb60a22b2151b72bbc520b12514bc8f8fa7e95bca809bda22800218c2926

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
240KB

MD5
3656df03bf09def4f5e7adc05816652c

SHA1
74f623d1df5e48cfcf9835188c15bcb2d3b983f5

SHA256
d170045f4899917388ccb6ed5f16229567489599209229aebf1740326e8082e3

SHA512
4cb5e8f94046477522000cbc0bf7f51a3a031ec2b7bbafc301c435233e0d4326ebaca64325caed29093ff2a64844fef4e3ca8bc46e2d8138f8c93c4d91695a6a

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
240KB

MD5
9dc4552ce2e305923dcc7784b7015678

SHA1
ca158088ceb06f5ad8affe308d9b3b14599cceac

SHA256
041037ac1a840c7c8f78769db112ac91befa1eb3392d09d011357df3a460ae73

SHA512
54ad3c02fdb088c18209854bbd50211cb72437f121602aeebf6ca14eaeff1a403fb9eca241ed0481b23a191ddeebb51d854aae0a9ddb89ed8657750097da2d90

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
240KB

MD5
a694fc01d530affe66ef761b8cb2659e

SHA1
af4da65b9dbc6fd5a5e9fac6ee51910128e47658

SHA256
70477cb631eab4b02d84835bcc8c93615b0149a05291d4ddbef8d7f551eab596

SHA512
5165930e89ea0b7e668e729d4d856faa60801995c0c33a8841f2809cdbdfa52d36e4783a9e503432676accbe8096602bdba27fd7b2fdbeadb872c564e2c02d77

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
240KB

MD5
3ed8df87e700fbc15c9cfb08da087d03

SHA1
14cf1fd3d4f2878631a8d777a5d049cad2fbd1b7

SHA256
bb44424e637d19074cd3bac7d7bdcdb82f81cd15415d8c578db94be2c4f41455

SHA512
125f0e7bdc967a8e9da5b5da334f544255046a691de4f8c72c341fc9fa6706aac6a3bab2de514c05c7057cfeabdcaa639144c9600aef3272dc08793a26f68db7

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
240KB

MD5
eaa1b0677878ee2599ae67707ba61de7

SHA1
c793e43d6698b333ce6d676b5b8a53aad8be8bdd

SHA256
2e96ce04070d91860dddedf3755b0e292aad7249d4c5abcfc203d3cfde86924e

SHA512
3580a0a6cb097e59a1ec85c398d56a1f26a07ec030020252f67c268a59b7cc758da8da5eeea371c48cd01ce827a46f799ce42920282db158d873f05df12fdfc7

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
240KB

MD5
efba9adaddd63f0b6bdb9e488025ec64

SHA1
3c7cc9e8d9328af502b50c7f287e9eee86f2d3be

SHA256
c47843965eedfc18dd014a7dcc0ae451b55b36bd708122154209596fb078d010

SHA512
a4526b0ed76f416cc58524f062853ea7b541c92e0fec2e8f4f1cacec8a4ae190e6834d7c90efe35157e4ae5175e9bd4d301ddb912043dff59b351643445a0268

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
240KB

MD5
2225ec025f2e7719778c828faa2dcd50

SHA1
2c19bd79529236c701457ae18ac6fd0090066a27

SHA256
53f066ae0fae3eca59ddf8142fda8f2b67fda1fb56358a7bb6fd9e02c5c18f5e

SHA512
c950f9e8d59611844785f0439939b970164aff2c8da21c42dc7fb0430595ae81e80f460f3a55211a7caae75a559b75b6c7c34b7874c3172d78fbc3a8a2f2c52d

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
240KB

MD5
2512bdc6d88225936db3d2c803713c18

SHA1
2a67d4929bfcd3a820d573146aef6d06b3200e93

SHA256
c9294df68c6842f654729a6689729f878aa84693564dfad37582e9f935742ee7

SHA512
b6dddebba4e532ddb3eee5fb3fe6d2fa38ab200948cc769ffeef325b635cd038c0df32aee5dcdfc474d47e813a4bf8c081fd426a2da5b1377f2d441e734dea2a

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
240KB

MD5
fd9fb2dfbfcdade81f6e07687023c267

SHA1
9fae6858c15af7c150c72a66a5cf61da479cff8c

SHA256
7dbb13761c594a0eaaa6d92c1684cea715027442e9e5bfa12afba26fe3a109d7

SHA512
a3ba358ac9eea9591ce92cb0d15e5bc521cbbed1450846b5ab2f8503a0a5caf51845df80ba6a3c28dac0b97317f1ce8d92d7f04bdbcfe4a8eb74b9fa685e0fdb

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
240KB

MD5
9e5045c54aa276b9478fd67774716229

SHA1
1b76b5dd53398dc27a4936813164396b92c884a6

SHA256
43fcc9c2e140c03d8846c02110bb3b06c858fbeb4d1f620b1c6d6088769f92b7

SHA512
a439d5cad69b904c9668eb4e17356d3dfb7d58d75d827e7f12f7b1242320695c31f8cff7fca71f3e507a9c6382ae54a46a54528950cbc19255a0814dfe536a51

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
240KB

MD5
98816ffe4d4cf30f610e34421626289a

SHA1
2db0b1614b2e340aa5998f79b6ef46ea8ad4395a

SHA256
c5edec238e0706940ee0ba0a9ad49a562306f710fa58aa09486fa136c4db6853

SHA512
44e0174ffdde56ec2eaac249ded92ca6b813294a0a6e24771c24d7c13231f6ba4b1a28bd538f32c9018608ee2e3d7063e172dbb86faba10db90f96bb4a910b29

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
240KB

MD5
a85bfcc1009bc960443c6abdaef643fa

SHA1
36d7d367e093fca3a77bafc9187f30041d0927fc

SHA256
f3a042713d57addc31cd8a2feaeac1b6a74ce57d132872e6c94d286cd52702ac

SHA512
51d8f674e5cc2a106be4ec31604af84eb2a022d80c49150699f519af98340ba8c82958b349c1fd66cd34ec8594f54a19f7cb3534121a16724cde104b13833b22

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
240KB

MD5
205e1619544de305d9a6381019902745

SHA1
5153ca951d59881657c5683e114197de54d6f16e

SHA256
9a91287abf19a9dca7cdea967016973999796c2a545ba8f4e66f30abea82e194

SHA512
1131ea998c96ab477aa650233dbe2d513b6e582bfa9de77b0bebae4337c8873e9b878f4d8ce63e2f3904c3989f33a1983262732f079296acd3c76061baf8aa93

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
240KB

MD5
5e20e3e04d2ef6727514d2e47fa20e99

SHA1
378a4ec4fdcbc96ab9927cc7f7ba641431b8cb9f

SHA256
fa499d557c96ed9ad781924c20940be7cf8bc9dd090db2ea62cf3a412823bb3e

SHA512
b975ed135e3c4c997e78f31580c57b9f159f94d948c28436301eb0ebf148ad1fb995b8c2af999839617eb6ace5929992d5dfad32763701a164b2cccda3f3de7f

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
240KB

MD5
7d5890d2e7d4c4c8f8a1ec3d1989ea5f

SHA1
15b2909d6ecf90bef982e72201c1bff68f057915

SHA256
4fe5412bdad0e674b3b25bc6a7d8bff95b1cf535da53ac0bdbe239e458f70d45

SHA512
34aa637751f9b5b534150c74b8fe2c487bebae10a2dbed8e33a44b0a7434941342317a495585ed76c2474ceef4c25167d7d921a4680dc7382ebfb5ef1ef5e0eb

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
240KB

MD5
4dca52f0a6c4b27232da5fbb52ef5531

SHA1
5205eced15057c38c5eb2254d4e293a927abb918

SHA256
54c1a8deae2727bf1d008ad353435bb85c488bfb4fb903c1317757cb73792308

SHA512
c7326c007b1172b46a75cca856eb00419002ce4e28f6d504b9f79f69cb5afad03c83bb6f1795a26ebbdb419a4111e412e10a385139dd04157c716614c578856d

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
240KB

MD5
4c661a59de7ad252dd98463ad1b4fb30

SHA1
074453029cdc069afdaaf97ab625b3a90956b9c6

SHA256
f6aff52ea0f8014f2ae9893668669a825c8388650ef9ad2699609dc491d584b5

SHA512
f383c4ec1418aa044aa62424fb59bf8f3087c83a9305d44a38d790eafc070b0d8f0a4e575f6990fe1c944bcddf1256d702e321c1c73f16eb7182e118c623697c

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
240KB

MD5
72b6b0df4d4b29eeb58126c16317f4e3

SHA1
229968b0d0dacce9eaf3df7a7ee7ee24bb25aadd

SHA256
d2c7cd427b7d29f81c28c379c3f61c0e5ef329856685aba6788c557c97aa8b85

SHA512
611f2daa66280a2c0d8015dbf5009fcbdc9af1e58ab260660aba24baa8ed169678dc775322c2503f98e54262ae752b6f7c7c8b272c2a01f5e4635105c9329d27

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
240KB

MD5
f21ad3bd7d554363040f4de9e710c3a1

SHA1
1a3e30aa0f001e865e63a7540cae1afcdd4be434

SHA256
0761105864c90fb15740c14f87f419f0583742841e0726d5c5502009022f1aa9

SHA512
17ce858c435ba9e8090cb302797f5e5fe3983cc38985d53fbc544a109317488f293697a54ee98302c0a71047cb395cf1b061c1411604eed601be04624e11ceed

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
240KB

MD5
4dbff50cd662da131f78fd5430ccc257

SHA1
08fa85fa3fc9f037cc173ea989a90ce5fef198dd

SHA256
6383411c9c4380015c4fc65e0d72f0c1e25a4b86e73923c530187a096810cc02

SHA512
e2cf6b70fcd36e906156692ddc9be79497223f524793cc003850cb28fda96fc9cd81bd0200c392e2e7f8bc7e7753372d62147a4184830022eaf73e80edae1847

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
240KB

MD5
949f7aa38b530e1bfb7cb6a5ddfd0739

SHA1
3963f38e03523a06b8602d5e33931caf9144e0b4

SHA256
18a13b7bb8989598709209e68eb49efad5537756924dcfe0d36df5f47e0550d8

SHA512
1c1d90052837482e5590b18158de065504e5eb14ea6f3c00445615b0974148aa5e05fbf97de15f4ec422826be2b984defec2e48d5b0580f86d51bd1e23f1aa42

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
240KB

MD5
b36835e4fe150a10df2ea3ea5a1f3e03

SHA1
d56905c4d54a79798974676a22c486a6138eeb18

SHA256
30a0b96a7e874363d9eef8938dd15f827d6f698692814ba04cc029a4958ae628

SHA512
39e06eece65cf58c4af01b3b2465303dfae57b03c3086016d1a85cf5a25639e51e7d5a93a022cc3452312ab49145d1cb58fb7fcb938b6b3c852f3776c367a65e

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
240KB

MD5
32cddf7dea106310ad7b658b2e0d138d

SHA1
c3de7c31173682237172832a23c289da64bfea38

SHA256
99dbdd7c11220ebb5779cdc3f638a7fe2dbb69e14a0cc0358942bf4c5fbc94ad

SHA512
3d4013bf6eb6cf79213d549283112374511da72645f6c584ab70fea25b928a171ccf2e0024451985f7d8fbe5e875ab29e791009a188ba1912b6e43bd4cbc1e8e

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
240KB

MD5
335be007f73db4bc48e6fd12818ffbf0

SHA1
4ad2082cd8959e024d32318ee7d21a8c064c190c

SHA256
fe99fe5c5b0dbe3bf9adab0b29ab63d04a86347fc302ee964962c388e692d692

SHA512
9ef5bb8bf791e229a583d36b3cb82e5a7220ce45094523a2b1f3f4646bb689721694def018d66d26552df585c705e087ad05eca98cb2e247a20881cf2d65053a

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
240KB

MD5
fcf92d95c155e055929db4cdc8c58c9f

SHA1
dab847dac35094e0a712c4f0e10aff5a141b118d

SHA256
22c1135cd80a3b0182a07d6954bf787c588673d0032f0573db9ccfdbe0e5410a

SHA512
3351f8d4efe91554439fb2f9c7cdf9449e2dac73025f238c12df9f5efd18fd0f4dd95be7136ae1002f9305b6852fe50a79d5e7343d03fac00d6b36730e395826

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
240KB

MD5
be29ce65670bf2dd59804872542a11be

SHA1
156d355a1feacd8213ad9887befbb3ce4df7e0a2

SHA256
3bd0ff894ae89c75540541750f467239f63518f82d619a187078101b2234e559

SHA512
064f34d320321f48a20d74f86b7848104b7742a08f213802bba7893ff4090481f00961a3009d6f63e19e28b03f6909e71c2d27cdf6f521aced4e3bc6b53f7dd1

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
240KB

MD5
4b4804fe5b8126075112be69256cf391

SHA1
0598fd5aa9bb30a8e9882d8fd9b194888d1704f5

SHA256
125be60984a2d4068f297bd76cca35b63def958bcb27e00e9fc557247912a7ee

SHA512
a3718d266c2e1a08bdccad516a6f218c68f8de8f44ecf31cbb76f4380f4e10c0201112fdf97553e03ad624dfc63465ec33fffa940edd5f72e285a40067727239

Download Submit
C:\Windows\SysWOW64\Ebdijfii.dll

Filesize
7KB

MD5
2b850602592498017a2e73a133f13d18

SHA1
2237f4c73b67f21bf5fecbdc031fc4ec6ae3357f

SHA256
a182797cbe63e4c9b22bf22abdc6b0d4b0343459fefb34c1d704dfc6978bffa5

SHA512
139e1b91a1dcbd9c6e70ad11495fbd251d89f3c383732226bb3c4fa42c7dfa67774a6fa0d409ae16f606e058ba2ffa1fab2e80778c1184d4325a17a70ef6679b

Download Submit
memory/1036-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3488-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3488-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads