berbew | d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe
Size

64KB
MD5

c28cbb27bfeef36d9c361b665fa548c0
SHA1

cd1b6e2676d7915980724ad89a0f34515ee068b8
SHA256

d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9
SHA512

749ff8fb0f88fe8c9dc4dad8b8920355a628a53827e0d4c018941a13d31f34cb0b85fea2ecb73829224497908a0bc3d425c2387d3e1387707f612310afc370a0
SSDEEP

768:iWFBj18VW/jOp/Oi2IpMFzh4JV+u+59ujG1RBvm3OW0U6b/1H5jG6XJ1IwEGp9TY:xF1Op2IQ18Vy1RBvmNzw9TXUwXfzwd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 42 IoCs

pid	Process
676	Bnpppgdj.exe
2352	Beihma32.exe
2168	Bnbmefbg.exe
4636	Belebq32.exe
4420	Cfmajipb.exe
4828	Cabfga32.exe
1144	Chmndlge.exe
2316	Cmiflbel.exe
1164	Cdcoim32.exe
4676	Cjmgfgdf.exe
2164	Cagobalc.exe
3616	Cdfkolkf.exe
1808	Cfdhkhjj.exe
3444	Cnkplejl.exe
2324	Cajlhqjp.exe
60	Cdhhdlid.exe
4564	Cffdpghg.exe
1996	Cnnlaehj.exe
1916	Cmqmma32.exe
2292	Cegdnopg.exe
4776	Ddjejl32.exe
3920	Djdmffnn.exe
1828	Dmcibama.exe
2784	Danecp32.exe
2916	Ddmaok32.exe
4772	Dfknkg32.exe
4888	Djgjlelk.exe
4924	Daqbip32.exe
5096	Delnin32.exe
4052	Dhkjej32.exe
1172	Dkifae32.exe
1220	Dodbbdbb.exe
3924	Deokon32.exe
3744	Ddakjkqi.exe
3504	Dhmgki32.exe
1576	Dkkcge32.exe
1948	Dogogcpo.exe
2144	Daekdooc.exe
868	Dddhpjof.exe
4712	Dgbdlf32.exe
100	Dknpmdfc.exe
4964	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	4964	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 676	3396	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe	83
PID 3396 wrote to memory of 676	3396	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe	83
PID 3396 wrote to memory of 676	3396	d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe	83
PID 676 wrote to memory of 2352	676	Bnpppgdj.exe	84
PID 676 wrote to memory of 2352	676	Bnpppgdj.exe	84
PID 676 wrote to memory of 2352	676	Bnpppgdj.exe	84
PID 2352 wrote to memory of 2168	2352	Beihma32.exe	85
PID 2352 wrote to memory of 2168	2352	Beihma32.exe	85
PID 2352 wrote to memory of 2168	2352	Beihma32.exe	85
PID 2168 wrote to memory of 4636	2168	Bnbmefbg.exe	86
PID 2168 wrote to memory of 4636	2168	Bnbmefbg.exe	86
PID 2168 wrote to memory of 4636	2168	Bnbmefbg.exe	86
PID 4636 wrote to memory of 4420	4636	Belebq32.exe	87
PID 4636 wrote to memory of 4420	4636	Belebq32.exe	87
PID 4636 wrote to memory of 4420	4636	Belebq32.exe	87
PID 4420 wrote to memory of 4828	4420	Cfmajipb.exe	88
PID 4420 wrote to memory of 4828	4420	Cfmajipb.exe	88
PID 4420 wrote to memory of 4828	4420	Cfmajipb.exe	88
PID 4828 wrote to memory of 1144	4828	Cabfga32.exe	89
PID 4828 wrote to memory of 1144	4828	Cabfga32.exe	89
PID 4828 wrote to memory of 1144	4828	Cabfga32.exe	89
PID 1144 wrote to memory of 2316	1144	Chmndlge.exe	90
PID 1144 wrote to memory of 2316	1144	Chmndlge.exe	90
PID 1144 wrote to memory of 2316	1144	Chmndlge.exe	90
PID 2316 wrote to memory of 1164	2316	Cmiflbel.exe	91
PID 2316 wrote to memory of 1164	2316	Cmiflbel.exe	91
PID 2316 wrote to memory of 1164	2316	Cmiflbel.exe	91
PID 1164 wrote to memory of 4676	1164	Cdcoim32.exe	92
PID 1164 wrote to memory of 4676	1164	Cdcoim32.exe	92
PID 1164 wrote to memory of 4676	1164	Cdcoim32.exe	92
PID 4676 wrote to memory of 2164	4676	Cjmgfgdf.exe	93
PID 4676 wrote to memory of 2164	4676	Cjmgfgdf.exe	93
PID 4676 wrote to memory of 2164	4676	Cjmgfgdf.exe	93
PID 2164 wrote to memory of 3616	2164	Cagobalc.exe	94
PID 2164 wrote to memory of 3616	2164	Cagobalc.exe	94
PID 2164 wrote to memory of 3616	2164	Cagobalc.exe	94
PID 3616 wrote to memory of 1808	3616	Cdfkolkf.exe	95
PID 3616 wrote to memory of 1808	3616	Cdfkolkf.exe	95
PID 3616 wrote to memory of 1808	3616	Cdfkolkf.exe	95
PID 1808 wrote to memory of 3444	1808	Cfdhkhjj.exe	96
PID 1808 wrote to memory of 3444	1808	Cfdhkhjj.exe	96
PID 1808 wrote to memory of 3444	1808	Cfdhkhjj.exe	96
PID 3444 wrote to memory of 2324	3444	Cnkplejl.exe	97
PID 3444 wrote to memory of 2324	3444	Cnkplejl.exe	97
PID 3444 wrote to memory of 2324	3444	Cnkplejl.exe	97
PID 2324 wrote to memory of 60	2324	Cajlhqjp.exe	98
PID 2324 wrote to memory of 60	2324	Cajlhqjp.exe	98
PID 2324 wrote to memory of 60	2324	Cajlhqjp.exe	98
PID 60 wrote to memory of 4564	60	Cdhhdlid.exe	99
PID 60 wrote to memory of 4564	60	Cdhhdlid.exe	99
PID 60 wrote to memory of 4564	60	Cdhhdlid.exe	99
PID 4564 wrote to memory of 1996	4564	Cffdpghg.exe	100
PID 4564 wrote to memory of 1996	4564	Cffdpghg.exe	100
PID 4564 wrote to memory of 1996	4564	Cffdpghg.exe	100
PID 1996 wrote to memory of 1916	1996	Cnnlaehj.exe	101
PID 1996 wrote to memory of 1916	1996	Cnnlaehj.exe	101
PID 1996 wrote to memory of 1916	1996	Cnnlaehj.exe	101
PID 1916 wrote to memory of 2292	1916	Cmqmma32.exe	102
PID 1916 wrote to memory of 2292	1916	Cmqmma32.exe	102
PID 1916 wrote to memory of 2292	1916	Cmqmma32.exe	102
PID 2292 wrote to memory of 4776	2292	Cegdnopg.exe	103
PID 2292 wrote to memory of 4776	2292	Cegdnopg.exe	103
PID 2292 wrote to memory of 4776	2292	Cegdnopg.exe	103
PID 4776 wrote to memory of 3920	4776	Ddjejl32.exe	104

C:\Users\Admin\AppData\Local\Temp\d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe
"C:\Users\Admin\AppData\Local\Temp\d4649f832bbdcf7b4f50d9734cb877d6d6b594b84e6b3f7d58d8c87ae1a2d3d9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\Bnpppgdj.exe
  C:\Windows\system32\Bnpppgdj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\Beihma32.exe
    C:\Windows\system32\Beihma32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\Bnbmefbg.exe
      C:\Windows\system32\Bnbmefbg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 412
        44⤵
        Program crash
        
        PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4964 -ip 4964
1⤵
PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beihma32.exe

Filesize
64KB

MD5
8f4e02943b768111023d38c2727dd60f

SHA1
01309e3010de7bee4185efe50f702ba2bc5a721c

SHA256
7ec38d97c31b80ee1b2060437435bf095bff445699ae683efeb7887eb70ce981

SHA512
254ca46643248ead147c7769cb05b772756e3a868986570f1227d49f153e5d2b63637ed64e8aa605a0b59c06aa953d99579af9bd7196f2678570ed599d5d3d8f

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
64KB

MD5
0b16af1436cf94af73c667534f24c8e3

SHA1
853ca7c4e6b1d23b486840c8aa82cc20427be4da

SHA256
ad9a11299e568ceb3c19642ea09a0adb4a2ff9fbf41048e1564d124bfe4975ca

SHA512
77f72261d5232b378bf2de5fd3cab28e05700d4c140b8ec989fb216186dcf5e5e826ae511e7403fe15f9a0eb7a5b982b46ede596760edb93413e0d3a68cecd64

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
64KB

MD5
a0c5ea03c5abf3c4338e09e2fad53030

SHA1
01a5c25db45c79212ae50da0fe34fa27228ad81e

SHA256
2f9d8471a87e5279738b73781b0c5a358b5e5d6253eb83ab57657b05b7e39565

SHA512
a0f580881b0eae94532002fd3a97dc110a6709c36a7e9165646921d135aad65e39bf3912ed5276acda63e2df6f20bb929755cca96abddedeb5ee13b49358ea9d

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
64KB

MD5
b188b2830fb0da66f17d2f603e62ca14

SHA1
8b0f8ad21fb6502adecaeae88242d2b22ac05b0a

SHA256
c5d76267399cc7a7ce7b8cea50940ae69af693cd6aa730b4e86851c02b59423a

SHA512
b87874ea23f6cc42538d2c76dd5537a6c7179c34f9fc6ef395d8c176ab5d757ff75d465c44d85ec758b14d1b5e85f77dfc88c49a58a9c757d5e8be1fbf1c6821

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
64KB

MD5
12a77e30c9197d227d4a4cb32edfecd4

SHA1
b3141c52290d0f0887510bed2c6bb390ebdc2fec

SHA256
3a250792d966b9c2d1c27801e4fc7853eb1f5f043fc8046e824d9a7a58f7a079

SHA512
0fc9b1be98eae68aafd631ffcb4ceffe22ca13610ab84bb7f43c63b982408c4e185fac0b66e2e0f0f675cf37b0689fc5c7298f7744ceaec4543ae94cf968acba

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
64KB

MD5
bc9abb8d00c7b6e45439dc6c3b5138f0

SHA1
0dd0d817797ea2badf58750a61b1bb60ab0047eb

SHA256
0a3412348e0657e4ecf3db833b79ca6bee539f8b0372b904dfcc932ff5f9355f

SHA512
302a6c22178224d08b0e90bfb55bc25dfc80fe78ba2d6a2e1a1b1c48cdfe329bd9754b73b4a4b3a0a46c2f20a005a7b86d0f4b277ccb2614015c7c30c1a3de07

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
9cda38793a3665219938221ff1c16978

SHA1
18830713cff2a63dd05f3d1ba69035368c6c3e7a

SHA256
e08fc68e90ad198c23a57a4d46823b57fd0ba25daa0287140977327bc8af9b93

SHA512
002c76ac7b71f28af6275b45c7f13feca10ce8207dd7e8947272ff99d9480c3103412efd15ed69267a2fa6737c9ae85bcadc751d14b2e61e2c75ae1c8b48e451

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
a0b8b4d2db899516434949b7013cdad6

SHA1
c16d57b66e26513edf851f2eb8d8c130847f0966

SHA256
5e3790ff33a63391c927efd43a2d9119a2ff1f38dcd7086a6cc84552ed653e36

SHA512
3776a3f9045b9052d95fdf0126169a776c28b1ed9276ce8302af0a616afceab69cbaa3883e3cd89d299c57e6aa5ae18f062030badf855a5a06839dcd9ebc1829

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
464293b92de6753dc113029b01d61eeb

SHA1
3d718ae19eddcf979810947cd33285b4c304f899

SHA256
6e0f750dea1736e43ad936822acb7422cd9ff15882dab0e4471f4f876351ac10

SHA512
cac87e2d7fc899eb044efdbb2f5825ef602596b850d36435208e9ea30c122ed60dd500e73e47666449246d43c4cd2774470be41ef9b175e0669e3374f57d620b

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
cb486452be8c554a8c86b915fea0679f

SHA1
1d11346b375d9136e9cc52a5ae1e2861c4c35f78

SHA256
fb171a102da547f608a314693ff415c7eb5fba6a5499ff00f53b0648eb67da0c

SHA512
ca69afaf00ea0de3689235266921849e632bc1213fcb3063843e9d02a8c4a00b7706e8734896f465724b38a72236c9fd9daa908f485d6bc1517d54ffa2783dc3

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
de8df8c367cc77d98b5e6def681238ec

SHA1
09956221a4f719ded857647c3e089793f2888fa8

SHA256
b1fa19d25ef423a03c33b2991cf57480debe476ee3177f51b6fc5959f70b5a3e

SHA512
1fbeaabb4b333b5195a329bacbfd3e9d9e76a588641cae2c119aabb26ebd99c3a078afb4cf4aba392f80cada5ffb884a097edfcabb9f93bf537002e59b3049b0

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
8dcc9969eef90b32f1756bc8389d8d12

SHA1
26d22d97a01e4f0da69184d746d754344afa5106

SHA256
4433fb9c5f200ce7c335cabe696f35bf53663afccf99f103aa5f68ffd2422384

SHA512
a87de44be5e3d07e536e85c521404e23fa46d79d0fa4f564a8266b3bb8c21fb291a00a3163a38bd4541842f441b8d2120fec9e01785ed3f3dd6531fdbcd8ceea

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
42e0876c0072e83363c306945be7f8ad

SHA1
1b6ab975a3fafa2969af78729ab42e8bb229ee85

SHA256
48a1a22c8504102767693f63f1df596a39a2b7d19c5ef55d33913fd0b8b749c2

SHA512
0a0e544e12deb38979df7dc202aaf47a0f4a825a42538f7dbf54b842f47b52249778580e2fd450892c6b3e3a946f677d073a59b2dc6373a73c95cc54ba0775f5

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
b0ea94f3e5278e7765a2b511f11a8d0f

SHA1
6f8ed861645a08351ada15abf7fb1c8d284f3860

SHA256
5a848a2bc18dc0599b709f2f3671eb34944237fdd2cfe65cee3e27d6982b8031

SHA512
f3fdd636958495b6495dfb9ee42bce140f5e509fba2852c68ea8f1eafbe6e7cf29aff8cc8b1a5fcfbaa927b99bdba1b2e4b0cc27566ce3ca286178bfe1e95fb7

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
d9f6e07eb188a327199d4c1c2d4616bc

SHA1
5f17b2c3db7b026c61dacbdf335e00927993493e

SHA256
846a61815dc19910eb11c247405f0e194bf3e25fd4fcf3d688cc38a62175d3dd

SHA512
001069115aa109760b659664eb6b6f047a0c57302bd1151df7198caa1a434bb957dcf311eaa85467fcc8fc71e38dbdda9b3fbc18c6a46b8ff9662b213a7f406f

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
e266bd87672161002ce9febab6dd6a05

SHA1
f440f9ab65e16fec682ed0285e1f324683f895fa

SHA256
90c770d45e15520c50266e5c91823b3918213de67ed00ba7ef238f88b21c4b00

SHA512
62ddf9075ad6d82a33d31cb3e1e7d9d2babb93c25f605550dfaa765ecb0f73bf0409311c03e1ca6369d66ded53466e4592f40e2dc274f9a98f666fdffa5516b4

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
5dbdbf4394fce3d3328bbd757ec86440

SHA1
bf91df5f36a3f64671810f0f5946a0087146f43e

SHA256
9e36ca4342f338b839b66da97d2254fe1dda33783eedc2e2e5cb3d64ca2bf0f5

SHA512
f12e71db88fe6830fefa752abb7a880576ee9b408af1a95e5cf89b1ab4a9c5a5143bdf83bdb86e391319b546f41249864bfde622e1a5952a19931ba0a77cb1ff

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
64KB

MD5
cf231223f4fafb134cfd61e0429719b0

SHA1
973d3fbf7dffc3332d8ea0e61bc539412a22977f

SHA256
9f4f725a21437c12c7d04c8fa68683889a6b4d739dc6dc7a2f4f2011d4932e2d

SHA512
8fa41d5bb08e4d6fb698dd537660c4bdb5e48907241faac3ed24f91ea18868642267624bc891e7032876fde31bacbab3806e62e3957b10ce26ea4a6c7cf040ab

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
1b8cf5d19158bafeab1665e241017366

SHA1
7d40c69aa1e9e20d89c9146c4957959a68edc3a6

SHA256
d3f1e45c7f221f6d69c6fdd9c40d12eff3951b12fda2aeff12d008932ad9c2ba

SHA512
33c29ed85c79517cac369e5eb09f9638286386f694ff06ac1ae541f79eaa4a00229f3e815d09863a69b50b1c1635406ac685650d98b45604ffb773dd0b36996d

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
3b66dbefde75b71a78e44f6946061dd0

SHA1
9b0fe365a8205fd89b1cc075f5289a76965bd001

SHA256
9438125408472b9618cff60952c232a4a6295001661b9096560dcc11e1a03851

SHA512
adee099a6c9347fa116bd8b2aeb3237cfbdd81e034921bb695140af1ee410683cc012972cd6dbfeb3de4c022cb3fe2efdc94fb237d1dbffb6e516f0ca0333d0b

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
6e485127c91f9bb3e02aba71f1055731

SHA1
7fca4a791884c2ce9170d1a5a9004b26e6aae074

SHA256
31ecc48b6e93eb03dc6aa52bce4ef55afe20bf3ec30e9905b1eccb6d0c5278f4

SHA512
457e5cbaf78244a0a81f896c830a7a05e498f941a1e964b8020dae7e27300a96cbf0d63cb8356f0137bc25e2187693fd4848dffcf170fe841265fd37f9734739

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
bd3677c4e49709331d7445581934096e

SHA1
ecdd3bed601e031c17e44135ec78f5ac50a677c6

SHA256
98e751def00ca125fdab5b41facda079dbdbe5c7ca2f22343c4d972f20c10b12

SHA512
e636763d7fac8ec742270d68525274be018bcde8b02ebcea363788398afb67b462d7666347d973b16e11cacbb67ecd6dc8ef3ca0a56d8b8a7b5f0b0ba1ec9ad6

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
d5c7c1da2da3693364c9c67f9e1e16cd

SHA1
35e1e4ebc471ba396ad6d9d2f99b3c22e07e793a

SHA256
050b46a4968b6bf7e742600d35e05a13bf51be5fc793b139cb051394f4cdf295

SHA512
c2967b0e0f49040da9caf901211a8d04bfe6ebfb839fb294a7f382c3f490ec507cf346a8d96a27e1d5458176f22d81b033257de6c1afb6fa838cf04ae5b6e1a2

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
e364227048f7e46e95c6b2cbc21e947c

SHA1
192e44a710cb5496c72baf9cef48fa2ddd759be4

SHA256
1163ba2d9e1ffa683dbe9ba12599b9b634c525c30a05a0fabd5fc28a3bbdb821

SHA512
d0adb47515a8b6579f5f45547faa06ece189401e3de846a2a4ef2d185a1ac2e2ae19e769a7f4a22422be55f6fdfecbe79e53ef38c9ff3165b3e9c44d2273ccf1

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
da448adc92a0aff3140bc14cbfb72da1

SHA1
312fba2f74db4b6832980f6d1417f566436f4f7a

SHA256
83572630fabfc313109282727f0d1b4cca94c1481c524175ece3e5bfa148e1c3

SHA512
f5718091b8e8ecffe34624c5553a8efef157e6b03b44fa87a91d4477234c82c40d06dc15cc73ef674a6a1e9e713e3422499204ea6f136060197d984d06c07509

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
0c580d572222c467a5a2a8925195c6e1

SHA1
14995503d0d16bdceb97df3e0b0a1b78bd20a697

SHA256
40afafb597e60f424de78a356b45bedae323212677a90829c1c2a24f039ac69c

SHA512
6200e6edb063a3dafdb33d7411ef857ff1cf2a128a5aa02cf38e1adbc6e231797fe4d2831bcda46589be4a58c4878bc07fecab30e20f589210b1f91099ef7933

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
71bd30669d992922930bbbeadb40e360

SHA1
ad18cf6ac3354bb4b066b464c9de007186702c91

SHA256
0db477808fa56c68996c38d1bace19aa76091adc225e12f7978836c2b9405a43

SHA512
8fe0d03d7789c8e9ff594c9c0e87b3bf71481b18108dbf056e44460d39ba60e193973a0ba9e4c721bebd91e503431a1e2dfbd23bd38b9d60e6ae618e73c2c0a3

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
64KB

MD5
5fd2173872985e6eb8ddfff5c6285af6

SHA1
0fbbac800e31f4cc924ca772e766dc15c8741207

SHA256
9f0a4e365de58ff36a93860cc72cd90bd9225ed6f3595cd2058b1bdbefad6bf2

SHA512
eb30b65f0a42a73e7394310e6318a1cf8308d2ae0a250f3e3e0d9293e2fa17e27bfb3b1232bde7020a96efc1f7b0bc66852d0262b744fd7a39910084e7df602a

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
1f2c9d9df870dd00f679afed3924ea3e

SHA1
5942adff2ce5e5fab376eb549fd689dec481dec0

SHA256
dc9250de11781e8a1b462187b26d304132c493cbf28fddf01f9d2fa258b89aa0

SHA512
352ab4288a4260177e0c38f4433450a1c907e24fef132d8f856f8dc2b4bbdb97be48d7074f12877416d3888d8014c7f68b2f77d917d776b707b326132cc66f57

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
db617a7b1489b758e5fc5bff9a37ac5e

SHA1
e04e6f2b6961b89e9c261bbfe7c16d7dbfc68af6

SHA256
682971588c07b979035b7fd78166bc9a5b85335d152935b59282a71c82a2dcb3

SHA512
c6f97a149b7ae45d040784d5a7cdc4187abdd34a823ea76808be35dc43b7fe29906508d6c372bcfb82444033e58dd4a4849859df5cbe372f670f6045be5d6a47

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
64KB

MD5
d44f4924d9fdea791bc5583ff73dac47

SHA1
83a19f457bb9ebe4be8a801420ddeb344a738b83

SHA256
59afc2ce52bf03737280631060c3175be228a6b9ab4588194033777e93fa728e

SHA512
9f3c96e8776bbf450435f338c4c494c44e861cc8e6e090ed92fa58affad8925a747675a3fcba865fd68cb65157db366f1111becea2a35777974250b735e9539a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
38bf97be5fa7189c9b1dc021626da909

SHA1
206cf6d6c2f946bfea1750bdd96a1b79ab27c1ca

SHA256
63c50c363fc216dd37fcaa06286051a972c675e569c3561d488c7418cf6cd09b

SHA512
43f03800f62ca1f99e31a3a6e2e0ce3f2c2f01ad88b9d4ac74fd252af44d6da0c4492330b4b96c6d30010c10a03df59e51ff487105c07178cd870ffbde9c0640

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
64KB

MD5
38a551392e0d871ddc2593826e685e70

SHA1
cf6f1faca6d2be6331000b928d6a1cdd2bd731e1

SHA256
a1858e60bdef51b36b8d31b8c7a3ffa6a528a0d78bf67a9c96bd15cbaee23887

SHA512
a4aabc5cc77926c84bb6ff34e67ab715a6f9730f25d3359e13cf048cc39b9f9e9f256a6b8d037a0f4d7974149bba281050eae6914fd5656fc099f3c6b0cc4017

Download Submit
memory/60-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/60-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/100-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/100-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/676-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/676-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3744-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3744-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4772-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4772-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads