berbew | 12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce

Analysis

max time kernel
96s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
Size

337KB
MD5

e9028b0f2407ca130e4f92ac57a8dfdd
SHA1

51cc60257929be0cef53debf9fd53a20249a9d16
SHA256

12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce
SHA512

8a57abc2d73c51676cd20262e2959d618f99e8e3913fac28d06a3d92e479a973548033022ca9e764c2b6a4727a64e532766de580de9d6d6f51484476ef174007
SSDEEP

3072:i2zyX1tsp1ZLkBwWqgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:3zyl21ZTWq1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 27 IoCs

pid	Process
1596	Beihma32.exe
1084	Bfkedibe.exe
1152	Cndikf32.exe
2068	Cjkjpgfi.exe
5068	Chokikeb.exe
1900	Cdfkolkf.exe
1440	Cfdhkhjj.exe
2316	Cffdpghg.exe
4112	Cnnlaehj.exe
4648	Dopigd32.exe
1912	Danecp32.exe
3772	Dobfld32.exe
1628	Daqbip32.exe
2056	Ddonekbl.exe
2956	Dkifae32.exe
3636	Dodbbdbb.exe
2092	Dmgbnq32.exe
3472	Deokon32.exe
4944	Dhmgki32.exe
2848	Dfpgffpm.exe
4776	Dkkcge32.exe
3920	Dmjocp32.exe
1828	Daekdooc.exe
2784	Dddhpjof.exe
4908	Dhocqigp.exe
4440	Dknpmdfc.exe
4888	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cjkjpgfi.exe

Program crash 1 IoCs

pid	pid_target	Process
4624	4888	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 1596	3204	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe	83
PID 3204 wrote to memory of 1596	3204	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe	83
PID 3204 wrote to memory of 1596	3204	12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe	83
PID 1596 wrote to memory of 1084	1596	Beihma32.exe	84
PID 1596 wrote to memory of 1084	1596	Beihma32.exe	84
PID 1596 wrote to memory of 1084	1596	Beihma32.exe	84
PID 1084 wrote to memory of 1152	1084	Bfkedibe.exe	85
PID 1084 wrote to memory of 1152	1084	Bfkedibe.exe	85
PID 1084 wrote to memory of 1152	1084	Bfkedibe.exe	85
PID 1152 wrote to memory of 2068	1152	Cndikf32.exe	86
PID 1152 wrote to memory of 2068	1152	Cndikf32.exe	86
PID 1152 wrote to memory of 2068	1152	Cndikf32.exe	86
PID 2068 wrote to memory of 5068	2068	Cjkjpgfi.exe	87
PID 2068 wrote to memory of 5068	2068	Cjkjpgfi.exe	87
PID 2068 wrote to memory of 5068	2068	Cjkjpgfi.exe	87
PID 5068 wrote to memory of 1900	5068	Chokikeb.exe	88
PID 5068 wrote to memory of 1900	5068	Chokikeb.exe	88
PID 5068 wrote to memory of 1900	5068	Chokikeb.exe	88
PID 1900 wrote to memory of 1440	1900	Cdfkolkf.exe	89
PID 1900 wrote to memory of 1440	1900	Cdfkolkf.exe	89
PID 1900 wrote to memory of 1440	1900	Cdfkolkf.exe	89
PID 1440 wrote to memory of 2316	1440	Cfdhkhjj.exe	90
PID 1440 wrote to memory of 2316	1440	Cfdhkhjj.exe	90
PID 1440 wrote to memory of 2316	1440	Cfdhkhjj.exe	90
PID 2316 wrote to memory of 4112	2316	Cffdpghg.exe	91
PID 2316 wrote to memory of 4112	2316	Cffdpghg.exe	91
PID 2316 wrote to memory of 4112	2316	Cffdpghg.exe	91
PID 4112 wrote to memory of 4648	4112	Cnnlaehj.exe	92
PID 4112 wrote to memory of 4648	4112	Cnnlaehj.exe	92
PID 4112 wrote to memory of 4648	4112	Cnnlaehj.exe	92
PID 4648 wrote to memory of 1912	4648	Dopigd32.exe	93
PID 4648 wrote to memory of 1912	4648	Dopigd32.exe	93
PID 4648 wrote to memory of 1912	4648	Dopigd32.exe	93
PID 1912 wrote to memory of 3772	1912	Danecp32.exe	94
PID 1912 wrote to memory of 3772	1912	Danecp32.exe	94
PID 1912 wrote to memory of 3772	1912	Danecp32.exe	94
PID 3772 wrote to memory of 1628	3772	Dobfld32.exe	95
PID 3772 wrote to memory of 1628	3772	Dobfld32.exe	95
PID 3772 wrote to memory of 1628	3772	Dobfld32.exe	95
PID 1628 wrote to memory of 2056	1628	Daqbip32.exe	96
PID 1628 wrote to memory of 2056	1628	Daqbip32.exe	96
PID 1628 wrote to memory of 2056	1628	Daqbip32.exe	96
PID 2056 wrote to memory of 2956	2056	Ddonekbl.exe	97
PID 2056 wrote to memory of 2956	2056	Ddonekbl.exe	97
PID 2056 wrote to memory of 2956	2056	Ddonekbl.exe	97
PID 2956 wrote to memory of 3636	2956	Dkifae32.exe	98
PID 2956 wrote to memory of 3636	2956	Dkifae32.exe	98
PID 2956 wrote to memory of 3636	2956	Dkifae32.exe	98
PID 3636 wrote to memory of 2092	3636	Dodbbdbb.exe	99
PID 3636 wrote to memory of 2092	3636	Dodbbdbb.exe	99
PID 3636 wrote to memory of 2092	3636	Dodbbdbb.exe	99
PID 2092 wrote to memory of 3472	2092	Dmgbnq32.exe	100
PID 2092 wrote to memory of 3472	2092	Dmgbnq32.exe	100
PID 2092 wrote to memory of 3472	2092	Dmgbnq32.exe	100
PID 3472 wrote to memory of 4944	3472	Deokon32.exe	101
PID 3472 wrote to memory of 4944	3472	Deokon32.exe	101
PID 3472 wrote to memory of 4944	3472	Deokon32.exe	101
PID 4944 wrote to memory of 2848	4944	Dhmgki32.exe	102
PID 4944 wrote to memory of 2848	4944	Dhmgki32.exe	102
PID 4944 wrote to memory of 2848	4944	Dhmgki32.exe	102
PID 2848 wrote to memory of 4776	2848	Dfpgffpm.exe	103
PID 2848 wrote to memory of 4776	2848	Dfpgffpm.exe	103
PID 2848 wrote to memory of 4776	2848	Dfpgffpm.exe	103
PID 4776 wrote to memory of 3920	4776	Dkkcge32.exe	104

C:\Users\Admin\AppData\Local\Temp\12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe
"C:\Users\Admin\AppData\Local\Temp\12ea454e005a15a0afae0ad969c60c514f1a9842027324a5ce982ae75ddec3ce.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SysWOW64\Beihma32.exe
  C:\Windows\system32\Beihma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\Bfkedibe.exe
    C:\Windows\system32\Bfkedibe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\Cndikf32.exe
      C:\Windows\system32\Cndikf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 396
        29⤵
        Program crash
        
        PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4888 -ip 4888
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beihma32.exe

Filesize
337KB

MD5
aed280eb120f5c57e757c0bcc760947e

SHA1
4193f2239a9eea68a111aaac301a41ea7b6f013d

SHA256
f3ac93354073e5da3741d24546c0e0db54e3aa85952f06b03ac95d8f652cbbc9

SHA512
8afde06db56af71026f38970509bf6d5e8a887fa3dc704003a6344b39cc89d853f7b3c63804ac6d960ab39056b0e63ab6f32377c100317a284b390e860d757b0

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
337KB

MD5
e5dd173dde6ea4f7313a230560b9f290

SHA1
4999899c11b476f8f010218907029eaa709a7685

SHA256
a7c453efcfb9b17f7d32395db5eae0ebf41aeeda6121f7b57886d8c3f02f0b0c

SHA512
68ccfb892328c24b92be93d781e6e03a7a89de1d448ec12d583a8bfa537e6612e6bc80f1bb117037f7f5818fcac6d59728505645933a3c74d1460331ef5f19d2

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
337KB

MD5
f7fc078b42632299d8fdd1a80f6426ce

SHA1
03f28cc9ad1596efc45a565df7ad7471bb926137

SHA256
8d87010c180d4e4c559fdb556aad9747559019c512bda9f2ee9609ba7788d857

SHA512
31c3f730041f6f2cf9407bf16b823c82929a30f118c409e945e59ceeb4d770056e14e599d7e0e51638cf0aaec49651384664cff11a8884422c097fe0699b5fcc

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
337KB

MD5
43b441e143a144416e574c744b458f9f

SHA1
5af4d728afa0bcad7f01d4ce949b166e0e518bca

SHA256
e8be27533d4b28c84fb23492b16578285b666d1979102a454bb5e448d40bc6b6

SHA512
65ae8edff9af5d7efab75dd824e8f58bcfdf30b50cda9e6234317dad4eb4fb5025930ac182f6295713162010bbde25f59ae55f485e9090a23324561935e7b78b

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
337KB

MD5
de60ba67e3e1fa673761b3dac32872cd

SHA1
7995e37dc8f9a909756104746b454201ea073e35

SHA256
d179d5b3a0505721d8e73e2a219ea2907fcafe8f094d0c0e2c1949612dad822b

SHA512
b6fea557dd47ebd75a59482d5a10046d4021615b5fa3c504bfba775ee18916fcf7b84e3041abecd2dbff2b3452b340db07b00e3e0d8c41d2703d51dc1da32d59

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
337KB

MD5
b8d64bd4c48e10935b4448a9e2ea0f0f

SHA1
446694997cb039d87c00091e90fd0a59a249114d

SHA256
359c331751afd81ca2fd4644eaa2c2eafbeda9c508d4b0619845eb1a9a0f8222

SHA512
8a05117c3c5cac37abd1c612ddd25056e7dd312d4c132dd88428add2638a0c4490b5eaebff87aea5f07ebf21e04e0e5e4d9cd35b77452870d637e9d6988908a2

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
337KB

MD5
298034185c8c3fc0acac7e546450d447

SHA1
33be755a7602eb48bb81c6bd4ec45bef15f3b634

SHA256
c3036b4f3e22e2abe6beab3c74fdd37e22b1c691d24b11d2baede360a13ffa4e

SHA512
c6029427c7526747d4e6be290efc56b1fe46748679ce7c476016e6c784b066b941f1e6cf3075e1f62a4cd55dbf4aaa6fa8d31e1b9979a136bade51a1a8de9528

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
337KB

MD5
0e7f05721c1e7fa4b37040c790d9226d

SHA1
c0fc351df136b4dc61a09541220c0c2670edc67c

SHA256
00e74f5808b40056b27ae8fe4072df0a2f506899c77a252b3b7f3dc70b6b953e

SHA512
70aa3b47826d465c1d94d82da27ce61531f6f03dcd58d74cf4143c981cf91727dd92f8409dd84878f2275367ec64e9bbd00ecde1803e2da443fd819b51f1e3dc

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
337KB

MD5
90dac82c8f9525e11b6e8d73436975b7

SHA1
7160b0c265611869304e3416965ebbb872c3f280

SHA256
55a5cda8a49333848a73fbada264b17dce35e88eee7c3b45e496cd15c1748d45

SHA512
5c551fae02c5e94bc67b970b3d8f345c69c4347e23fbe4db88112fadc4cf51a2a6a0799564c19521b735b57487f59d98a36b168e9c46e0e37f481ff3b99a863e

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
337KB

MD5
0f4e596f3d2dea23fe2859ae3012515c

SHA1
38b46adb7d74616502f6348ee14a33b313770357

SHA256
3a43e8fcb610aefdda4982c07998947e30312411030acdd0ec0da62589708f0b

SHA512
3cfa478ba7ecc266b9542e40d1a0287bc6385ff2ce5f90afd05e598d9b6c17e1973548dd76a9cd090339c0e55c274f3a2b97663d48e8db59888164151e33d57e

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
337KB

MD5
7cb9d585b56ac15b9fa6214f4bc680df

SHA1
ff04e9543b760f060377a071ebe150835b37a120

SHA256
17e75e3c487fab801a81f2860f922d50dda6fce3b397354ffd49b40593c7b4d0

SHA512
30929e5575270c4a2928d6ac0993bbf60f25a5b25341b70bf747d427b427244b31ab64d57932f8d656409eb4261cd42e5c79a15970da0fd887150d7922ec7fdd

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
337KB

MD5
0a8f14d57b00a12383e798b543702355

SHA1
fd973eac6900809584927df8afb6bb1e0633e74c

SHA256
37cb4696842b76e8be62880b67d02c56370e3d344c0bc917bb78797feb28c608

SHA512
436e99232e116e76fecc7589f98984b60fd74944ea7d5a84ce402adecfa8ee927aa1a35436c8bff9ee0c11458e685a06a7ac979a45bd2509af6a7004e3016314

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
337KB

MD5
f5df732860d25184dbc33e78e79eab6a

SHA1
5a187417d00da5b7ff11cd1cbc6c03cde502b9ff

SHA256
882ca793b95492d301f8d4a9890ee2ce3cb34e776c6624f950e7f6a45b99e77d

SHA512
bf02e6d69373dd92df53e4d19308891d583f2d93b77d1b998547791d4923039b7535fff5fe564fdf9636bba6495bea407c9e92088625be9d07f27f023f51a9e1

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
337KB

MD5
5b952717c092cad6c95a577ec53312d6

SHA1
09a2e0595d7fb48989950b1fe2079b8e3a290a19

SHA256
0e66fe289e8177898d648eea8f25128c3f6829bf03940d933b1adae9e66f9c6f

SHA512
2e7f272c6655a2d3a1f6f328127b28e55f0ca787835310bb4c696744e85e8b88eaf625a4247740fb211264e0cbcb91f3db9953dbd0bb24def7cf68b3e330abde

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
337KB

MD5
684dcd2f0f6d6d7528bc3829b404542f

SHA1
f46010f669ce96e748f186a30a223a506e335920

SHA256
f7c16a51bb1c687dd5c2413de28369eefbf089d3d14c9d79fbc41864cfad48c6

SHA512
744476ce949fa4fe71f44ffd1b20f619fb398b0a895dcbd848c7d9ee4fc6be4bb1e06ecb8c8fb958e18625a8c7a9dbe66af2bf589753615c9a93111eae2aedec

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
337KB

MD5
b1a6a7f0761a254e3da08d8397c7c122

SHA1
c009b2c102a6b857c1e4eeb4d9f2d19168ab356e

SHA256
abab1587ea790bf8b145959270333454a7514fd4d003956d224cd18586ba4fa0

SHA512
5ba83b47e7eeb8936c3832d12be6c42ab8c5fa1cc5f5e06490bbe7524494772e0c81f200527b11ed022ca44dcde2b5f747170b3ae3f3faccc69205e6fb9726f7

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
337KB

MD5
9ead9610d3f72f5607b900cb60e3c964

SHA1
2ce47c796d27699fbbcb4fb1923bbd5abb32cbc4

SHA256
ede0c388778a22a7a2f1d15f9c9eef47d045d5b904ad88d44c764b1f5157e0a3

SHA512
e3cfae228f628a9238dbb2f5687854ebb337cd97543414d4dfd7e822781ac1a5acf03be0e36ff250c19019bab94f41ddb40ee0b0a04b50b045a10ae5d290c88e

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
337KB

MD5
ebb33b15f6d7b794a81442e7741a5802

SHA1
8e231cf6c322c8b43b3e90fbe97e8ff875bd8d14

SHA256
8f3d785b0b0038a43dd47f357d04b851500745a308a1838f3badb9fa5cc1e63c

SHA512
7a449fb545e3bdbd37e9fdb10b0e10b37dd864fc3cfa7ec5cc749fc6abb200cd72b89180769dfb96d4bbc3a2bd9b4a305d4d7d78953895dbfa2cf19d79c14b7f

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
337KB

MD5
40bf3df8b504111fbf0f4c4fe6493a22

SHA1
f602ccae8f25d232e9acd6cdea974652ff17232f

SHA256
779708fa3ca3b0d176fc68d89f0480d36d84d832ca998602af4fc2a982856a28

SHA512
568d17e641bcb81e1ccaf6bb62327e834b37b0bb3a10a7130df4b2401ca5ad9f48e9bacebece873c530520dd3043ec49b625e1c5b90c6193e95a9a9a6b74705d

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
337KB

MD5
8ae255ba69931d4208a82cd4b906b62b

SHA1
78f31a68be0586c3cb4c20280268ae5edfd0add4

SHA256
20b88c7d538bf4f3378e80938ca0dd1df2878abeb73b97d571b5a96a33fea689

SHA512
0c3ad483fb12ad026a05c858aede5df7f86f03f4d32ee7c5c18a21e4cd6471ae75f981a8e7d294eac6aecf2b822df39ad8d8d20a886af59919b5a3ee3c9fad9b

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
337KB

MD5
1f39dd4d20268c715bfc7728b9dab0ba

SHA1
30fdea29cc5b7776d9b82b17f81e6716948be289

SHA256
9afb6a3ce05bb821a427439a7dd6efea5b756d5d462ac96f9082905b14008cfa

SHA512
011b8746ba1a6213b3770f39b84c7ed27fb509f7043c5544841b72b0f2369c2a809456917404a74008ccfddf53ce73a7f21c19d8787cb15077cd39d8dd551897

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
337KB

MD5
d43e989a989f610ceefe72b17ad2378e

SHA1
edd2b3674e7cc590da404177db5456cf2228c3a8

SHA256
7529fde6ea2298d0289f3a60c9421ffcaa82524bfbb9df13aee4ab954ac3ae16

SHA512
735c59ff43da14043eb12b9581d717f8f62b5654f88558f1c2fb523c4891b59e84a0f16f3ee8fc0481ed827fb88f3a70d055a006ff05692380636b56b8bef74b

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
337KB

MD5
3885e198d2d78dc74eebf50b6ca39b77

SHA1
d8cee24d12ea205dcecf12fb6df5f777f1640d6b

SHA256
a3293bf40f501f7bb2bec8148f005115001a7f0e1d1a8e1278881bf69b18a4b1

SHA512
d71a03bc09d6f261f9366e5e8155fa8894b4cd039c1b73e14845ee54699aba3dd546a12c8a2e40d29d3ae8f997c5dda22428c83d9a1e26913dfe5dcb835a30ed

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
337KB

MD5
ae1147583e9f6543e9b66d25e879ff8e

SHA1
b13744653e2b1758bdeee8ea77f39d28ebd94db8

SHA256
5c5c443fce9bc9d1a1aa5c89c6166fb43c6d95db6cb855081627f2db91341e10

SHA512
57ff9b8d742ead3cba06d11d252f4317e3f8b9cb202374613513970825741e889773e10c7362bc5b4bfa454f9ea5058d71876cfb4c7fdf985c86ee896d6fc519

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
337KB

MD5
e573369244e3d67d81887d2594d7530b

SHA1
9b6c5c663bcf0d57e4fa7eac30fe4e6f030010df

SHA256
3c470659ac617105862395088da373846c20954d3fecc847e5f251d786166b0b

SHA512
e510a65978389debeb0581d50808b3bf711cf72e6d4276c8dcfcb66689e57344e19e152c0f467e3798fa6239f43023fa88a220921f31e1dd65bac8fa5c895e25

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
337KB

MD5
02201e13f64d837fff7086c984770e81

SHA1
cae0dfbc645ff0fbbf961ce436cf267342f437af

SHA256
4c69028b7c1b0bfadefe3ef3caa2558f8daf4d0947692692e02cea887b7a2de7

SHA512
d0ecffcd4b3d8e6894c359c1be91283924953af90771ad8f57b26b42e9e6ab9fadb4a20682e7ce1fa09a53a1e6eff13eebccaf25987adad1d8d31416a907cceb

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
337KB

MD5
c676abf05b774d0531e15e29b70a3be4

SHA1
58a7ea8f542606957a098f83692a1f1d016e6b0e

SHA256
325666dd8b832443a5de00ea99bd034346158488b5eb2c07ff3e81afe850573d

SHA512
8a01fe540b51de8b194bf149fec2d228f64e4fbe0dac7de154ff46ef937cbc35c41bace5fc653e8d1d06add7b4a9de415b1ab05529037070a0572cd2ff496a80

Download Submit
memory/1084-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3204-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads