berbew | 2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
Size

95KB
MD5

ba8cc3d6177b883b4ce0587fdc95a920
SHA1

a54f9f44b68eba7dd719fd3297b8942bfb513e26
SHA256

2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042
SHA512

b90ef31b107834fceefd5ed17a454d25153482f76cc3e3113b4101a9e1120e1759986af8e4ad1d82f40468e9a79509efdc17bfbbf3384739f86eb8e67a07b77a
SSDEEP

1536:2jpgv7ebOMK7+dRcLb2ejD1n2hsaqnNU5ZDYWGb6lzsRQrTRVRoRch1dROrwpOua:2aDUOv7+uRjD12mlyZkzb6lzseXTWM18

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 31 IoCs

pid	Process
5032	Bmemac32.exe
3252	Belebq32.exe
1120	Cfmajipb.exe
3496	Cmgjgcgo.exe
2264	Cenahpha.exe
1276	Cfpnph32.exe
4720	Cnffqf32.exe
4544	Ceqnmpfo.exe
4760	Chokikeb.exe
2528	Cnicfe32.exe
3544	Cmlcbbcj.exe
1368	Cagobalc.exe
3504	Cdfkolkf.exe
2712	Chagok32.exe
3240	Cfdhkhjj.exe
3312	Cnkplejl.exe
1956	Cjbpaf32.exe
1500	Ddjejl32.exe
3808	Dmcibama.exe
2024	Ddmaok32.exe
2488	Djgjlelk.exe
4924	Daqbip32.exe
4876	Dfnjafap.exe
4552	Dmgbnq32.exe
4036	Deokon32.exe
3664	Dfpgffpm.exe
1432	Dogogcpo.exe
3572	Deagdn32.exe
3584	Dhocqigp.exe
2192	Dknpmdfc.exe
4288	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4332	4288	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 5032	5060	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe	84
PID 5060 wrote to memory of 5032	5060	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe	84
PID 5060 wrote to memory of 5032	5060	2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe	84
PID 5032 wrote to memory of 3252	5032	Bmemac32.exe	85
PID 5032 wrote to memory of 3252	5032	Bmemac32.exe	85
PID 5032 wrote to memory of 3252	5032	Bmemac32.exe	85
PID 3252 wrote to memory of 1120	3252	Belebq32.exe	86
PID 3252 wrote to memory of 1120	3252	Belebq32.exe	86
PID 3252 wrote to memory of 1120	3252	Belebq32.exe	86
PID 1120 wrote to memory of 3496	1120	Cfmajipb.exe	87
PID 1120 wrote to memory of 3496	1120	Cfmajipb.exe	87
PID 1120 wrote to memory of 3496	1120	Cfmajipb.exe	87
PID 3496 wrote to memory of 2264	3496	Cmgjgcgo.exe	88
PID 3496 wrote to memory of 2264	3496	Cmgjgcgo.exe	88
PID 3496 wrote to memory of 2264	3496	Cmgjgcgo.exe	88
PID 2264 wrote to memory of 1276	2264	Cenahpha.exe	89
PID 2264 wrote to memory of 1276	2264	Cenahpha.exe	89
PID 2264 wrote to memory of 1276	2264	Cenahpha.exe	89
PID 1276 wrote to memory of 4720	1276	Cfpnph32.exe	90
PID 1276 wrote to memory of 4720	1276	Cfpnph32.exe	90
PID 1276 wrote to memory of 4720	1276	Cfpnph32.exe	90
PID 4720 wrote to memory of 4544	4720	Cnffqf32.exe	91
PID 4720 wrote to memory of 4544	4720	Cnffqf32.exe	91
PID 4720 wrote to memory of 4544	4720	Cnffqf32.exe	91
PID 4544 wrote to memory of 4760	4544	Ceqnmpfo.exe	92
PID 4544 wrote to memory of 4760	4544	Ceqnmpfo.exe	92
PID 4544 wrote to memory of 4760	4544	Ceqnmpfo.exe	92
PID 4760 wrote to memory of 2528	4760	Chokikeb.exe	93
PID 4760 wrote to memory of 2528	4760	Chokikeb.exe	93
PID 4760 wrote to memory of 2528	4760	Chokikeb.exe	93
PID 2528 wrote to memory of 3544	2528	Cnicfe32.exe	94
PID 2528 wrote to memory of 3544	2528	Cnicfe32.exe	94
PID 2528 wrote to memory of 3544	2528	Cnicfe32.exe	94
PID 3544 wrote to memory of 1368	3544	Cmlcbbcj.exe	95
PID 3544 wrote to memory of 1368	3544	Cmlcbbcj.exe	95
PID 3544 wrote to memory of 1368	3544	Cmlcbbcj.exe	95
PID 1368 wrote to memory of 3504	1368	Cagobalc.exe	96
PID 1368 wrote to memory of 3504	1368	Cagobalc.exe	96
PID 1368 wrote to memory of 3504	1368	Cagobalc.exe	96
PID 3504 wrote to memory of 2712	3504	Cdfkolkf.exe	97
PID 3504 wrote to memory of 2712	3504	Cdfkolkf.exe	97
PID 3504 wrote to memory of 2712	3504	Cdfkolkf.exe	97
PID 2712 wrote to memory of 3240	2712	Chagok32.exe	98
PID 2712 wrote to memory of 3240	2712	Chagok32.exe	98
PID 2712 wrote to memory of 3240	2712	Chagok32.exe	98
PID 3240 wrote to memory of 3312	3240	Cfdhkhjj.exe	99
PID 3240 wrote to memory of 3312	3240	Cfdhkhjj.exe	99
PID 3240 wrote to memory of 3312	3240	Cfdhkhjj.exe	99
PID 3312 wrote to memory of 1956	3312	Cnkplejl.exe	100
PID 3312 wrote to memory of 1956	3312	Cnkplejl.exe	100
PID 3312 wrote to memory of 1956	3312	Cnkplejl.exe	100
PID 1956 wrote to memory of 1500	1956	Cjbpaf32.exe	101
PID 1956 wrote to memory of 1500	1956	Cjbpaf32.exe	101
PID 1956 wrote to memory of 1500	1956	Cjbpaf32.exe	101
PID 1500 wrote to memory of 3808	1500	Ddjejl32.exe	102
PID 1500 wrote to memory of 3808	1500	Ddjejl32.exe	102
PID 1500 wrote to memory of 3808	1500	Ddjejl32.exe	102
PID 3808 wrote to memory of 2024	3808	Dmcibama.exe	103
PID 3808 wrote to memory of 2024	3808	Dmcibama.exe	103
PID 3808 wrote to memory of 2024	3808	Dmcibama.exe	103
PID 2024 wrote to memory of 2488	2024	Ddmaok32.exe	104
PID 2024 wrote to memory of 2488	2024	Ddmaok32.exe	104
PID 2024 wrote to memory of 2488	2024	Ddmaok32.exe	104
PID 2488 wrote to memory of 4924	2488	Djgjlelk.exe	105

C:\Users\Admin\AppData\Local\Temp\2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe
"C:\Users\Admin\AppData\Local\Temp\2480c315020e7bd653d7e892e793afb7e34e07e3843eb709c8343f216786b042N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\Bmemac32.exe
  C:\Windows\system32\Bmemac32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\Belebq32.exe
    C:\Windows\system32\Belebq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\SysWOW64\Cfmajipb.exe
      C:\Windows\system32\Cfmajipb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 416
        33⤵
        Program crash
        
        PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4288 -ip 4288
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
95KB

MD5
82fba672a15a316962837b2b8c0cec03

SHA1
cbb70d8357ede7ed144f0a0ce043177107db226b

SHA256
c441c3d81de2739b671ca0c294bf91e6f4e5b4c96e8392178d03ce564e0f8ef9

SHA512
1bca94e561a0f545c606665c2366f242c80c764726ae00041222281698729891743733306d64a9c8909179c13a83fd3576e07c2219b770ab0cb9dd42cc6ec022

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
95KB

MD5
2d4805f41f3d112dee92f19603d3b973

SHA1
e9480e0387cb9a91d27f134f14570f73f7557db1

SHA256
5e82a94096c518a3f786f34c00fb3d1ddf2678fdaf042ba9765212e1a7c6b202

SHA512
0d192a8cbfd03335a8b007b4070ce481950235b800c6b0c09473a72c74a1f6e78f130880b146a22b39f6fb0e21883929566793f92f22cc696441e75e7a0db78c

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
95KB

MD5
6d9b3bb030fef198cde47867aa0628c6

SHA1
53f13a172369c16e0ea2f24d599e5044bc7287af

SHA256
a902a670f546e3cb457b33d2194a2f2564bce3c5d8a8aca8ded38d9c30d5b74b

SHA512
f160c003d5cc9a632c215362baed78cdca986456e365e95fe153028208c654750f958e51b8060cb91788947a26ac455a66d1941dad372504cdcb6f06f7f05919

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
95KB

MD5
116fe01d18cd9010a6b45bbbfee1082b

SHA1
c39eb8cfd4158c8dd45fa7cd9ddb4c6cd50fc4a8

SHA256
d63281b206ec6d19c63097317cb2058b00d63c6527cd642e5ee2fabc50d1cb99

SHA512
d96aecb75fa07f3b11e07861514404339358b66531d549a34b7b202b74006d861cf8dd4e328a8b20705db682db603a9211d6a29d01b5d072d39818dfe7becb00

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
95KB

MD5
55cb3406d418fddd74c93672533efc2a

SHA1
258b0af0509855e2633c310a1f4fe6c419ab877e

SHA256
ce57fcd25d4ddddb0dcfc9895ed629ef59d472c4d9a0635cbfc6252c68d9d57f

SHA512
4f9c03c23b1d1eeb743bb4fd169e8b6fda79bbef86678705571d9c349d4d97330f77f691c4e33404e54264c202b5ce67b6d86a4cdae164ee0c8391abd2d08765

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
95KB

MD5
d9223a4d2d2ecdaaeb9348d60d066c62

SHA1
46963fd604c1d43a50f21b6e24b0060741490388

SHA256
78ca2a8b39b34af8412af3569920b52b78f85011ad423688c3e4078a018f8bd5

SHA512
8141c24f334a6b0215d621a98f66cd5c747a124e87a596c389a814ff5973b757bc964be8ac3a45c1b2fe8f9e39e3501b7c07e432df027160061cc457a10d05ef

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
95KB

MD5
0c23e8bce6dffe5a8a459b988ba5185d

SHA1
4c04c2278f6e632b887390abe6203da3566427de

SHA256
a8fd5e6baa77351e2df9b808878226a7c3992ac999f1b977ea5426e24112268e

SHA512
2cafb8c7b6bfd53ea6373cb8f1826033534c59166a2c7af5f86f7e31df05a4593bc6bfa0b16f1cfc89e217bff1d10349f035c434d03615ae49bc35645961c544

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
95KB

MD5
13e6fbd82e14344ec21ef56976a7c6cd

SHA1
d3caaf7ee1c2b14d187805ac7f10c3bed4a37fbb

SHA256
ec77af6a6c2edc28455b187536dc8ca9c58b8ca42c027962a4743866bdfab2b2

SHA512
c6365bc5de1735c554b5bdda539e9ac28fa3d57a917ef48c8ca5787e168aa4e63b66b7a0ced0cc5f9cf9869b2ae81e3d51103dcce6059e3c3465db5ede8c9ba9

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
95KB

MD5
e52862e8ff48fc7f9d3e3e9aa77c01a9

SHA1
c8ccac3345fa45f004897aa766b99bfec8cf2e03

SHA256
f8fe1b765d10963d43347e8a74c836b9c8d1d8d311047af1cb754bcbb77f42dc

SHA512
9cbec0ea29fbd982859785074073fca78811212f992a2e210fdb8f1607a146dcc946624a1b785232a0b506780195edb3c1a080691d5da582ff131b80824bb191

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
95KB

MD5
486c58b56cce7d49078817760707cb31

SHA1
8665aa312eede2c47ee590977f857a113a1e7b52

SHA256
bccf2b535ece772a70f045cd3d06f9cb3d377e3825152169712abc7418ccda9f

SHA512
5df7ca88e8e17c3172833192d53f3fafd492d1be1d8c3cd7ae72ee58a0f081b4e3900af805dd702c68ae0ee223aa4ac85432d7f68099b84f96f5b62de937d7ec

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
95KB

MD5
e199f98acaa4a95e8d9141b7b9aecfaf

SHA1
266908ba0375496ee23875fa54dd8b2f43457d55

SHA256
6c00bd1a472e5aa0d64e93d4668a62cd5061ebbfc6d5df4d47b6f9b8ecaf3166

SHA512
3079a0446faf896568dbd0428259440122b5bd673a7bc40ea8645b280f9415eb5e29634c839da1d5582121d679c4cb871ee56b8dc56349db7f54f019120aa789

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
95KB

MD5
0b05dce7ddcfd2685255c2dc68ba5085

SHA1
db5a5646db809e2dfadd53f60d894ddf98480645

SHA256
1caa6c7f76059e9e19587101f6f5dca9f3f291a7296cfe103a4f6c5a577dfac8

SHA512
0a98a6c4ebdcc62d1fd60a5d2fbc6ca5e5b89bcf590b2fd11faa22ba5abfc44f514c58b56e3ec032ff57ee60344458ac9b27153de4e88c2954c23098ecec70da

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
95KB

MD5
ab17bba5d7eaeb771f495bd13eb8d7d5

SHA1
33c84f37b8ef486512270eb68624929226169a22

SHA256
76a7c57b61e68c71b45af05b7dead9f027bfa46e914d4109b666db71da3dcebc

SHA512
23a18c9ea6c7a3508dbf2565da06f78eac7379ec36c8d08a070f16a55ca33348b684e6b41faa479247874ab9d96c00ba4a4a6e907cc9c2b4ffce853318ec9c1c

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
95KB

MD5
277422c205b2f279ec02ca4dff725e95

SHA1
f6dd0b7630c16905faa36e6c4109de0bac3df18b

SHA256
946afcc5bb5cc92f51394c9d3b5e6295597277adb98b6122e545c9fbe85c8cea

SHA512
83d983638b972eb715df945b6995cfa70bd36fb347984d0001c11b9b4dc6311a2bdedae1adc72053cbdf2cdd9eeccb668ddaad3d356d7e2b51517b113698a93d

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
95KB

MD5
60bf48a3c52db0f730adaae1cd3c3bb1

SHA1
7b4ba2a7457288e0bab76cfd7997db569bddff3b

SHA256
fac4047cd77e181d8363abfd1b4534627843631569d68eca198cb622724b8adf

SHA512
87a6692f5f65ffc5a4e677d8df3a152ad4d5c127829da8ff37abdd8a3686bf63e10289097f5daa1f51e81255f9874a74e45d7d29c2926f227ac4c499465e4ebc

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
95KB

MD5
fffadb659f5349bc9f17b9e8d15fdc88

SHA1
e643fd448482948ced22031cbac89161985aa573

SHA256
3fb9b7ca5518e85a5118f1ac584015af311d91bf0caf3dfc2e2f7391fa980720

SHA512
a64b6528a81f7bf9a5ac73565da9af618ed4a4c9405d8e97be979ec75b46fb39022b8dfcbdc59ad4bfc69634ee8b61aa2ddb2f66f0f9cf14f3cdd481b4d1c4e2

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
95KB

MD5
c088615c3a3cdc71ab6bf6c4626c8de7

SHA1
22b40229183e8f3784eb55036298d9a79a717db4

SHA256
bdd093698c8153cc55a754f0eac01b616862f6a5094e7b66ad8eda9b29563fe7

SHA512
8681b4433b329f328c57846a8f22beff12d87816ea494654fa9e193fe2d5357a0b421cef80040a5e1934b8c920005e20f89e74117cb428795190ad042288f4ad

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
95KB

MD5
e66a9199ebcae65649c7a899cde5a088

SHA1
c46151886dee20a77cf5e6253af7d9e4828be155

SHA256
60aae59a2452a9849d39c787b7f7f51cb3ce9723025275fd8d372001cd290bf8

SHA512
577d87c64eb627aa591c5c17ad255098ebb5bc7a0e31e1adb529ed76b984ed5f0f410528b7ef6802920e8adfd19dd88dc106edfc06b467c3eb6a7c3041960608

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
95KB

MD5
82b4ee59ed61144888c19308271d2d1a

SHA1
369f4c3d2f98b7fd22f186eac96f6d77c8f1592d

SHA256
28e6a180e771a7a6d2148b2cbc4c45ca242b6d7274213e420018584f60f165ca

SHA512
dd3f1e51240fc825dd74171d07299ba39b960b1da1a170dbd9bd285539cc5234212d2df5a002043dfeb99b34b88a54d9fdf6e30c0568ae33b1d93f9affc7b4d9

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
95KB

MD5
7fa3c71f85fc0f7c06f4236b71fb24f5

SHA1
28db3d6b0caef8672987e20f7181a9be0c081faa

SHA256
36a4f5ef0734166cf84d2747b98cce5a0777a5449de0f1d05d47e779cf933330

SHA512
044021a01cc1d4720e9f6f90634ed49ad44c5f52b4feec4b8d6163f6061d23b368b76d89d0f45796f5993689dff8cc8f1de387bddd709f3a9dee2a8dfff73a7f

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
95KB

MD5
09696c5895b0b5390191effa4ba7bd01

SHA1
d5d2b5bc678270da3265266cd0b31cd6ef8f6d69

SHA256
17ee7008a9f0c558f8aae6ab49d48e1ce55b1784487bf443349916635a888413

SHA512
329ce72002c7b22a0f9ee2dec6f7fcc65b3e485bf2d216b797e82c05ced679867bcbf33cb3231ed8b7772db2f694aefab1de4e2f88d8d1e07e2d00852421269c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
95KB

MD5
af809d779da60a1591a63377a075a4af

SHA1
5cb10192adb0fe6ea13f4c1af7478c2e70bcc947

SHA256
6ffc8bfd981c4d4395966bd0775dfd064b207d99b8607fd8a9764a78e8d8d95b

SHA512
c5815c14786ddce7ea33fe6e8aef5809b6e92cca70e2a6bc68dbe2805ecfb912bc99ced550b01aa8f8e1cab8892f70d28f1187a583818755c3450e8427d520bf

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
95KB

MD5
0e5e9cd6e190d2e2f03e6c9f8d09b286

SHA1
6b7915565b718f42d07569449db38c5067442a4e

SHA256
d99495f94715e9afeffabf0020b42ab997e3d17d15b8a82cf9d00b128b739c90

SHA512
0fa450c7e974b81bc51d25b3f4bf294473f38ac70d4e4b2cd0560771f5f3d981db80d274510c5aa01a4b6c33b322390cef6e2df9d6873f852c5d886e257c361b

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
95KB

MD5
7932132c19e699570f4a9599fedea7cf

SHA1
992e15714c9ee26b5d3e9d27e745001be6510439

SHA256
bd0bbae0518e6dc666e4724b8440dc3beac88fbd8aab94b035ac6e2e5bc29606

SHA512
1284b9d32416703bab794936d3c3992e8025d30f825c8ff325f4201f3fd2522125ea597655675c7bc9e3cff9696b3a0346c91795aa8da00a8ffaab1112c93422

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
95KB

MD5
260e00573dff05cb8dfd16c33eb25299

SHA1
80ec893d008226df549beb66c3a8e1455abe53cd

SHA256
edfa225c092cbb8aefc71508e0f9b77c85e40d3052b8881dade8343b9945bbef

SHA512
ebf4e0db829d1aa812ade4646db47a6747081a5886ea7a9c365431ee15ea932aa06429b31559fad69f6e52d65872907529cb03f1d0165c09c37bbac96533b53f

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
95KB

MD5
154585b01f33206133c109ab2501e667

SHA1
01c215cdaee1f894c8285c8608dab9ef09abd799

SHA256
aef77a75779c8fd9b14b358492b3e4ff128cf1ba1641e847a8c3c0c59915ab00

SHA512
500da526b2c3d70dcc7deab57f8ccebf752681f45cb37a4f20f1fbf97aff95afce8efd2b86af14b81a0424f7f5468a431c71f487d19a034f1412d0db3519e0cf

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
95KB

MD5
96dff00a756b599233715e77a1fb6b94

SHA1
a2723e529484ea0b3830966dfe245e96a6c807d9

SHA256
ca9a13860982fd2465837455cb39b4d8d530cd705e11a3c135ae04d733a8e75f

SHA512
a47cc228bc32802a38e0bf78332c3d9591ca40fabdeaf15312ac7724c4ff6cfb099ab963614d8a78690b2c3e34f2ca0218b053ef955d7ead08fa7e23930682df

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
95KB

MD5
584d50e68882421ef95f275e73ef4a5a

SHA1
1b0a150da762d6985e9d0f8c4a0cdbd7810c4e00

SHA256
f88afc31dbd5266faa4bae174c74f491d1cfc1c3697cc5386667f79fefe2f1b3

SHA512
581564d3d817c1533c09215050e4ab820e0d91279a90db4573cf56aecd52e69bc0a8f60b1c9dee1523f91e817693722303c8bf5b1b85553810799f8f90899790

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
95KB

MD5
b3a03bc78274cca08c80ce0ec0fbf58d

SHA1
c86e356424dc7685d0c455599de480a2641ccdd5

SHA256
146668f1620e034a2358bd15c4d26693aac18a99a1d9d7167504922ef45d56da

SHA512
78dd01e31ce962db4436bca2e889e6b212621a3340331548949e7c4a8288db06af14ea8fa61e217d4c1cc43250655a53b7d8ca5a759921dcca64b4ef0384c6a2

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
95KB

MD5
57c32fd67023f2658f3c8a7510cb0e56

SHA1
e67eee33ff07a118b2f5a99e5e7327aeac9fb639

SHA256
25c84492b15305da912df49d30ef4b4110ecc3f8143593bf7ce1e9eb6d2e6392

SHA512
fdc147a8ae38303ce7de6c85660ac22e4de5c637db2efcca20f0b1c1affa03690d9ba1bc81ec4358bf7526d467c0ce86630ce5e47b7a877bcc51e26081f31281

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
95KB

MD5
e14b216ed26239fab70b21de510ea55c

SHA1
7f94b2c591064fb162088dc046e2ccef98eff60f

SHA256
48bfc80662f0eae2ae36d300e4bdc996549cfc26e11f7573a378eca993ad51b5

SHA512
ed16b15d63a7d0725b6e59b951ae4fbf59ef3e55db198b2a9204b250a349b9d0e1ce4e0f84c3fe045e6cb44359765ea2005f162480f6b5fbbb8c1f8f78e75206

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
95KB

MD5
3a87c9ce921896f0e909f3836da887e4

SHA1
e7aa753b860f5bfd5be628c669b4b75963494133

SHA256
c648a8a0a49d3b5d46072cd3e99289da8947a7b60d8de3ec943faaac6898facc

SHA512
127fac0828b73f606e29f0c7b10d2ec6dbf258b1905315c7ab480adf361a14b95730542a9fbb013a719d340e00ecc7d3db144647b6c653e085f311d026b9c370

Download Submit
C:\Windows\SysWOW64\Mkijij32.dll

Filesize
7KB

MD5
a77034592f05b46df864bfb9665f44fd

SHA1
f0ab9e15aca05b02a9a107d2853a082ad6fee9a2

SHA256
22d73302c392d2327042b0155a072425a837a99d79b569318944b0bdf62431c9

SHA512
ee28a4dace76d2c2e92814c6a1e498736c8de808e23658497c337dbf04a8860fe52d38e56958eeaf34acb9dbf5bd26d18cbb859e6aeb1b60bfdbaf3e5b9f7401

Download Submit
memory/1120-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1368-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1368-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1956-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1956-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads