berbew | c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3a

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
Size

245KB
MD5

0ebfd6db917e83ed20bb5abec130ced0
SHA1

1334501b662dedf1c8f6b251027a8972ba2bc029
SHA256

c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3a
SHA512

ea2762ffdc7fee8f5dd470b0f1502b07f2732fc77d3e103036518c95824b220d2cf2bd4979d38d5d470a3e60e3f83e6feb4cb6fc02dee0af6452a061b9f78ec2
SSDEEP

1536:bdOyeVDbEnH5RIxh2vj8BbQj0gZB/4cXeXvubKrFEwMEwKhbArEwKhQL4cXeXvuy:b8yIbEnHnIxhmibQwIBwago+bAr+Qka

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 30 IoCs

pid	Process
4992	Cjpckf32.exe
4340	Cmnpgb32.exe
1744	Cajlhqjp.exe
3936	Cdhhdlid.exe
1212	Dhfajjoj.exe
4976	Dfiafg32.exe
1608	Djdmffnn.exe
2548	Dmcibama.exe
996	Danecp32.exe
2928	Dhhnpjmh.exe
2140	Dfknkg32.exe
1532	Dobfld32.exe
3940	Delnin32.exe
2180	Dfnjafap.exe
1784	Dkifae32.exe
4200	Dmgbnq32.exe
4424	Daconoae.exe
5056	Deokon32.exe
3116	Ddakjkqi.exe
708	Dhmgki32.exe
3680	Dkkcge32.exe
4512	Dogogcpo.exe
3860	Daekdooc.exe
2164	Deagdn32.exe
4292	Dddhpjof.exe
2288	Dhocqigp.exe
1276	Dgbdlf32.exe
4276	Dknpmdfc.exe
1624	Doilmc32.exe
3648	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe

Program crash 1 IoCs

pid	pid_target	Process
4088	3648	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4992	400	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe	82
PID 400 wrote to memory of 4992	400	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe	82
PID 400 wrote to memory of 4992	400	c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe	82
PID 4992 wrote to memory of 4340	4992	Cjpckf32.exe	83
PID 4992 wrote to memory of 4340	4992	Cjpckf32.exe	83
PID 4992 wrote to memory of 4340	4992	Cjpckf32.exe	83
PID 4340 wrote to memory of 1744	4340	Cmnpgb32.exe	84
PID 4340 wrote to memory of 1744	4340	Cmnpgb32.exe	84
PID 4340 wrote to memory of 1744	4340	Cmnpgb32.exe	84
PID 1744 wrote to memory of 3936	1744	Cajlhqjp.exe	85
PID 1744 wrote to memory of 3936	1744	Cajlhqjp.exe	85
PID 1744 wrote to memory of 3936	1744	Cajlhqjp.exe	85
PID 3936 wrote to memory of 1212	3936	Cdhhdlid.exe	86
PID 3936 wrote to memory of 1212	3936	Cdhhdlid.exe	86
PID 3936 wrote to memory of 1212	3936	Cdhhdlid.exe	86
PID 1212 wrote to memory of 4976	1212	Dhfajjoj.exe	87
PID 1212 wrote to memory of 4976	1212	Dhfajjoj.exe	87
PID 1212 wrote to memory of 4976	1212	Dhfajjoj.exe	87
PID 4976 wrote to memory of 1608	4976	Dfiafg32.exe	88
PID 4976 wrote to memory of 1608	4976	Dfiafg32.exe	88
PID 4976 wrote to memory of 1608	4976	Dfiafg32.exe	88
PID 1608 wrote to memory of 2548	1608	Djdmffnn.exe	89
PID 1608 wrote to memory of 2548	1608	Djdmffnn.exe	89
PID 1608 wrote to memory of 2548	1608	Djdmffnn.exe	89
PID 2548 wrote to memory of 996	2548	Dmcibama.exe	90
PID 2548 wrote to memory of 996	2548	Dmcibama.exe	90
PID 2548 wrote to memory of 996	2548	Dmcibama.exe	90
PID 996 wrote to memory of 2928	996	Danecp32.exe	91
PID 996 wrote to memory of 2928	996	Danecp32.exe	91
PID 996 wrote to memory of 2928	996	Danecp32.exe	91
PID 2928 wrote to memory of 2140	2928	Dhhnpjmh.exe	92
PID 2928 wrote to memory of 2140	2928	Dhhnpjmh.exe	92
PID 2928 wrote to memory of 2140	2928	Dhhnpjmh.exe	92
PID 2140 wrote to memory of 1532	2140	Dfknkg32.exe	93
PID 2140 wrote to memory of 1532	2140	Dfknkg32.exe	93
PID 2140 wrote to memory of 1532	2140	Dfknkg32.exe	93
PID 1532 wrote to memory of 3940	1532	Dobfld32.exe	94
PID 1532 wrote to memory of 3940	1532	Dobfld32.exe	94
PID 1532 wrote to memory of 3940	1532	Dobfld32.exe	94
PID 3940 wrote to memory of 2180	3940	Delnin32.exe	95
PID 3940 wrote to memory of 2180	3940	Delnin32.exe	95
PID 3940 wrote to memory of 2180	3940	Delnin32.exe	95
PID 2180 wrote to memory of 1784	2180	Dfnjafap.exe	96
PID 2180 wrote to memory of 1784	2180	Dfnjafap.exe	96
PID 2180 wrote to memory of 1784	2180	Dfnjafap.exe	96
PID 1784 wrote to memory of 4200	1784	Dkifae32.exe	97
PID 1784 wrote to memory of 4200	1784	Dkifae32.exe	97
PID 1784 wrote to memory of 4200	1784	Dkifae32.exe	97
PID 4200 wrote to memory of 4424	4200	Dmgbnq32.exe	98
PID 4200 wrote to memory of 4424	4200	Dmgbnq32.exe	98
PID 4200 wrote to memory of 4424	4200	Dmgbnq32.exe	98
PID 4424 wrote to memory of 5056	4424	Daconoae.exe	99
PID 4424 wrote to memory of 5056	4424	Daconoae.exe	99
PID 4424 wrote to memory of 5056	4424	Daconoae.exe	99
PID 5056 wrote to memory of 3116	5056	Deokon32.exe	100
PID 5056 wrote to memory of 3116	5056	Deokon32.exe	100
PID 5056 wrote to memory of 3116	5056	Deokon32.exe	100
PID 3116 wrote to memory of 708	3116	Ddakjkqi.exe	101
PID 3116 wrote to memory of 708	3116	Ddakjkqi.exe	101
PID 3116 wrote to memory of 708	3116	Ddakjkqi.exe	101
PID 708 wrote to memory of 3680	708	Dhmgki32.exe	102
PID 708 wrote to memory of 3680	708	Dhmgki32.exe	102
PID 708 wrote to memory of 3680	708	Dhmgki32.exe	102
PID 3680 wrote to memory of 4512	3680	Dkkcge32.exe	103

C:\Users\Admin\AppData\Local\Temp\c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe
"C:\Users\Admin\AppData\Local\Temp\c04333a66fdce2e335730907c4f19453a408bbf59d8cc9363d07fe037f3f3f3aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\SysWOW64\Cjpckf32.exe
  C:\Windows\system32\Cjpckf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\Cmnpgb32.exe
    C:\Windows\system32\Cmnpgb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\SysWOW64\Cajlhqjp.exe
      C:\Windows\system32\Cajlhqjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 396
        32⤵
        Program crash
        
        PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3648 -ip 3648
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
245KB

MD5
91153d09cba313182a229dabe7e0b66e

SHA1
ee18f0f5905e7469ae59f4d3478d36f320815533

SHA256
cdb441347ea61af1df9e3f2018277fbf372197e49c88827f9c7f8ed331029d39

SHA512
da27ec525829849da6716d02b2665fc33fadcfbe39108da5da24e366a3a1424902ccd8380e64c945c3d88de88b203701140b5c41db22b9b7348800d95a305bbe

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
245KB

MD5
6412aab21f83f83c851b49ecc61ed727

SHA1
e51e5b47f7a3c3a70868baa8960ca8099bcf4806

SHA256
b773cbd75d5c91138025a3491342dc99d8e926109521c20101078f9f34130750

SHA512
fac5435e6612418a2dfe108c2d7b1d95ebaca83ee58c6de77391b85678c75606aa04f696cf5fddad12b681e7a5341c74890ef07f11d92d86ce7e104ca5534f42

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
245KB

MD5
2447efdba7a900c03375305e8dd9e343

SHA1
789e520b0abfca688e1cd6a3a410e20cf4a5a9d3

SHA256
15a50e0dda7fde39b68f4daf9a2b7804274f6586e93c47a94392b2db4d29ed4c

SHA512
e5961fae0940b1c99b0dd9aad7669379b4f3afc9558c7bf3e00a709830324c5d10ca9b253a4fc4df295fb9d8a03bf998278ef5a1382f0253fd38c4bb06c58b88

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
245KB

MD5
38f8123d6bda6b65ac2739a5c9d50ee7

SHA1
054234907fb700e953caadfb291e3bfe5d2d4e28

SHA256
e0e12c7d1e5c31b6000d6413d2a45f7d338ba81dd74c9b5e308eba310657e990

SHA512
393a5b3d2ec455d2b3f6a6325caedf443445da42d0a065ca0fe2283fd72efeb24ce21271d8dd77abf876ad28e834f90d90618147921f0c8cb90e47ac22e36684

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
245KB

MD5
b66df24490f5992ffa56e647a5cd4da6

SHA1
a01273e489e8ff32fe7527b6e2c3052c2475a212

SHA256
d62b72bbe6982bff58d77d3808978bed6d52b716ab15113f189769e1b4b3f219

SHA512
566034a7ef876926d28d87adb5e93050ed8a9e89ffee8d93064a7984d9d35d8c7be209a940fac54a2dbcc39fd898e757601644c5088cd194a6bc076736fc7140

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
245KB

MD5
e4463aec0f8664612c13d3a13ae5ca98

SHA1
8957a494f52bc789222f6730e3cfee99394b5db4

SHA256
24b04847ffc01c485292a81711ab13a485788124bcb8945244dd48de2329f6ed

SHA512
d35ef0e5494d050c882c7d1cc4346b0acf25cefc1c86e7519370d91c33f2a7ceb47b2c05ebce4e2cef34315cb3bfbee1ea79bf151ea9291440e69effdf669b83

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
245KB

MD5
65587239550f0f9dcdb82e26c1badc75

SHA1
f7d2fbb8572124e4381f39fd97b2638dbc93866e

SHA256
311f5c3a15a1981b54a001baff12268ffaf1967c9b1bcf0b563475157c801299

SHA512
86e5dca6a8a12523ef730113b1d285c128b780b93d71eff3ee3f6465144ec9c41b19476b07fe2fdaa4e3a48ce0d0c23b501c4a757c2b2630dae67654a5e1a536

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
245KB

MD5
eec97f65719350522cf19707ce21fd19

SHA1
5295170889efafa9b1601e3a849fbbf131f89664

SHA256
b59e88bb70e76200489aacef8d8d110fd39e1df18e81a0c95b3b028aefd45ce6

SHA512
88749dce9fceaff38b70812a3809ec9e8858251ec23e66fe08d1c306c3634642bec63bbaa5a9751c96a60bb5f1c556b4e596dc932e06b442cd8ddf920c6df02b

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
245KB

MD5
e974d2d4fce599b53b05ef74488425dd

SHA1
c3177774ca559c40c5f0810e3d268765932ef9e8

SHA256
b46d8c8424b5ced20736b77d98410d01a8660e995de4e29f780e92bb2be88201

SHA512
3398f7e798d929194a5003f00811dfdc2e83cf284495f7d07112c81becc240db1d9bda91efea450020161809898cbbd4b40eac9131f0114de35baa7efe6c9f15

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
245KB

MD5
469ce223c3a003e403b7a5b8b4be43d8

SHA1
8cf7b9cff8485943660f18e773a891288b1e139f

SHA256
c692f82a24758aa9c639dcce39bb5188949a53e33724769e255c86a7b6edb491

SHA512
68e67643535bffad6b362927551becc6dd7ae5deba241861e1d5e4814fd9aa01a530da1707384f96a18162871a210e07a384788cdf18ab026cee32f4080a788e

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
245KB

MD5
4bc1de92ddcb4d2bf1f6a831ffba814a

SHA1
4f6761d28945660c2bc910994aaacce58ea5769f

SHA256
08b8812d508147030829523084c0c0dec330eaf6e0a649685a34249e8cb1f376

SHA512
aa5ebea705fc396db388be5769edefc0213e176153ae32429f078d62f0ed2033411292563ef6225f810ed0176b9d8b5b7913bd80af0f81c83d5fe6483bc4bb63

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
245KB

MD5
f26eff1911c4bde95301660890df7cfd

SHA1
6d75dbc4c360695a9cc9dc93e665cf97e07fe4b8

SHA256
334a9a623e578a2d4a9e791fb245b495dfc06f3d90aa0ddbe321fdb211728fca

SHA512
8f66c1cef69b0af1c5bf8c0226fcfa366b3975eef7de91b622d374d7e1c2004ef985ead4a695f2ad49d39a57d357f3697f060e8ba418bed240f71463bf823719

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
245KB

MD5
0b2ff6c2770a1d6a127d9b26e20c760b

SHA1
3d992ba35ee54aabfa99dc651defeb02aaccc85f

SHA256
05f8c260b89224adccbda01471389c1942f2c81266bc1e8f7c01e9d41421ac07

SHA512
d064cd8f0d6429fd617622854ba032035b7a97a585d9c94c00dabf57597bc1d7abfb30e569066ccb93c6f4fd1106f24ffe1937661dee886494844e31d0daf044

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
245KB

MD5
9ca2a8f7ea2a23d7c13d0f32672be6c3

SHA1
bf538dbc6ae079546d472163e8bcdaf844776181

SHA256
2f9507a14511e32c414a33893dbcf022d1fce09a6cc2adda43324eeae5e7ae53

SHA512
f2a0a1df8fdc80cddd43006f72e938b47d15f9e69c6a8e6688e8f367065b888bbcd32fee27ae993da2d74bfa3f4e6c9a295860f788d939fa00a605dc874536e8

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
245KB

MD5
b26342fc935631afa4488daa0ff5b275

SHA1
d3e689580f041a29ec20ba40b9035310b06f9535

SHA256
eb6f8aca579bd1a166a1899db89a099007cc700f42e3d225552e29f0f9766dcc

SHA512
d4d068e576c92add215926e61dca8f045e012ce60c5af46c1abdf91dc91989ec10c1862a854fc0585be5b247874b09df7a3f8860a04ff961c50fef0bb75d221f

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
245KB

MD5
01abb50bfaef53f052f3d7511402564d

SHA1
3e66134abf19455eef0b21fb58e687f66ad20057

SHA256
a5d799f4e3c89de55e2e67908e82af7dba91f61ce1f650ded380c7ce293f2408

SHA512
c8a35eae0dc92cedf51b87de35b7e532a47b5f178de1c801a1493ed24f19ac1def6e425d84ac8a63121319b74a7682803ba21954d61292c93a82381bd9f8a4b4

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
245KB

MD5
84798fc33cd432d0717298fb1b90ecc0

SHA1
5e7192d6a1f44f00dd4668d5a304467043cd496b

SHA256
8a2950cd77d5c7a576e17580eaa84cd791630bb684a3022bdf80880694cd97cb

SHA512
096474945d92311d0faded5f9b11a8eda06d59ac4ac19bab737b3f344be789e3d30ab7b89fc0a2d9a270772a2b4b81e09b54251b6b0aac6c50b240bc504e6e50

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
245KB

MD5
c317c5d51dc9b7ac35d12c3258163a7d

SHA1
ac6c60e2144740c4edb79598a08ef33b97784fdb

SHA256
567feb6df8571a42761f1b2d3b2dda1da6234a1278fed491ce97e145044c6bef

SHA512
f60008f78a3487cfca85674675e68ca061ae65c238db3710619c569f3ebbaa499faeea004b14ae2790802626ad4c9ff5269bd8395ce666112c0f6e1ee2af2541

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
245KB

MD5
387eeaba8c04371b0ff4f7e0e3c102dc

SHA1
b5fd24feaa7febd24dd38f68f6aa76cc24ba9d25

SHA256
ec1f2390602dbde482ffa0703e569fbb77c36fb14526eae39d491f0413cbac41

SHA512
866102d336ec09aba2af1368a067aeaa5c48028548b824e2954ae63c026efad87c28932d5a83c2b419068b44c0078951217a351303ea01c7624068859372159b

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
245KB

MD5
ddd46b32ba54568425a85473d0415c96

SHA1
2ce2e113a8d8d7a787db0f8cfdd9fea98dae12b4

SHA256
4daad8e6cd5ff96dba7c799abbcfce843730d27362f9daa298eb834eac93b69a

SHA512
6d78deb77631a6f0dee8419872edd918791a21de137ea7133af6a58d0570246d43f834204446a318e12bbc629c0c198de904ac60983992cbc805398aec214575

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
245KB

MD5
030a2f8355b88f2a952dabb847ad9e61

SHA1
7eb91b266d57591636e95b7550b90cb783d63b2a

SHA256
26f969981066a69345cf4c21939a27291bb0ffc3548e012093aca1c4ef3707eb

SHA512
fda281013d7de7c8ea41dad146c8e5922770ab02995f619a3574e5b88b5e891826d86fa72121645349693da362b79d8581111350df276f90930cf41eb30b5284

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
245KB

MD5
5254f02ed5af48586a5ba5e581f01f76

SHA1
d36365827e9ca6d2049c0b5358d8d587bfdeeb7e

SHA256
e174975adb2285a09c356b7d2944b2b5af7449f157c000bbdd1b66de25625ec5

SHA512
7603c84969dfb09ab6e2c50fc920b27677c537dbd4554fc1e6a79586433ca794cb6c2dcfdd3e63e3f59c4c9f7000929fa0ff793f4c1bc0a6a9f2994db56a1375

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
245KB

MD5
a271152077cccf53ad11170b6f9d95bf

SHA1
dcd53287ca3ee95751f9993ddb9ab6daa6cfaef3

SHA256
9de94cb1cc233e745e282adac116b0184391e1d907e7c7e32b24ca1849f8cae9

SHA512
603b11fb362c4d8943b7267cf8df544d4876e438071ce8c1832bd4340429ec42847f83251c16b41be28f670b47befb5b55658f4269f45436c2fcb715aa0ac516

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
245KB

MD5
6f9171ffb0ffaec118bdd6c52c9303e4

SHA1
cda08b84f2117c2e85c12d49b639dcf16a544cf4

SHA256
104d8635001b374f2b011fe4eed613cd39146e81148988ae13dd4ed2af3a02b4

SHA512
f2bd6b3fcb958b9e6727b5d51427c33bb551244cd764012380042e4d8f7229fb838d6d91083e6d4251116a03a526a51717f84d1f58f8228d12866676c0303aa9

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
245KB

MD5
32b0123464c662756d742b43e7b9daa8

SHA1
f95ff609ba3b1b01234b319498ca4ca9dca570cd

SHA256
d20997d4f2b6b85b411ae2ede1f8efc063da8d70b2f32ca40a571697d1b54922

SHA512
22d94c06d1b63c1b0cb1d6f0bce488fa775c5846af8773a9a420f714c10942ea4a36ba5ef0a7b5ff0194fc1c902a78dbaffb79abc4a5e02e1f344072705518cf

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
245KB

MD5
62aa1901d24780be9c312b622b92396c

SHA1
2498e212297c10a7b160f1c6e48680bea90d2b60

SHA256
afe914000038a593904c6e0831d7392e9d6ed5e170e49e44f25d3fed8eea0d03

SHA512
83a1a5e664f69937c452e7dd22844ad721893e6c4327164fe37961247a29003935ccc21cb8b46658f164e2729e20eae8d623e5e24767ae50efca712464134146

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
245KB

MD5
cbd24c718ad2380ab4b90c08be103c3c

SHA1
16eb8108568678312da3febc8909cfcae1acf7e2

SHA256
4563edeca085e8c1b642d86a65f9b43de1f0b8191860d0a0e5271198a04f5a94

SHA512
ea737864fdb9e6b8fe3c9374efb632e794deb27e4d4b1283103c148703210002b7be8c43fd2be46aeff1c24e217fbee0c903b0703ca17597d5290e4550243608

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
245KB

MD5
f90ce5d8c1b2f2428b15ff3780d5aa87

SHA1
66f5c8b907bdadaeeac3d2a614c2374458a3876e

SHA256
7263afa0f4e50516dc60f86f168cc053887087c69acd48783936139e0aea1fc2

SHA512
c4b811898790724c3ba7b0006470fb27762694220b0b6e90519fe5791808f9892fb48ec11ef8d2e1f99eefbb775695288ffcdf8bf30d0cd84ca01b4784ad8043

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
245KB

MD5
a1c90adf22c3a44a556b91c6dc4504a3

SHA1
92570095e40d8587d22a6da769066221f645e7a7

SHA256
4fa86342134c15d59a6cbb081d923ee2842ad5e648eb387fdc0cb935ac8f8a88

SHA512
5774cb784d8431ebc6dcb8c51118878286621eb0ab429e68381c21747eded81e253db2b4a80c7beb627e9791f8d23201ee4584626516bb1a9354b71d92ed18da

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
245KB

MD5
0918540446e71dfe6493d46ab26a259a

SHA1
0e1cec1d58603be17b74fcb3515ddf70257908ef

SHA256
3c3d3a5edfa0ec5bd8ae23da78d230ed0f482bdabe2a2384b4c81d09b240e7c6

SHA512
459304df1a9c050e0dc24ff4f2e67eb22688cbaa43d11d5c06bbdbc66c2c1735ce7dc09f8997a2e7baab72ee3924a2fbc4b19d732345e21b77b5b7dccda9299b

Download Submit
memory/400-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/400-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/400-301-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/708-165-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/708-264-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/996-283-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/996-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/996-282-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1212-40-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1212-303-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1276-237-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1276-247-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1276-249-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1532-285-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1532-96-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1608-56-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1608-289-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1624-245-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1624-239-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1744-295-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1744-24-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1784-273-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1784-125-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2140-280-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2140-88-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2164-234-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2164-255-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2180-117-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2180-275-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2288-251-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2288-236-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2548-64-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2548-287-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2928-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2928-284-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3116-266-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3116-157-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3648-240-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3648-244-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3680-261-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3680-173-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3860-241-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3860-257-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3936-33-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3936-293-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3940-104-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3940-277-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4200-133-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4200-271-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4276-238-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4276-248-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4276-246-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4292-253-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4292-235-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4340-17-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4340-297-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4424-269-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4424-141-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4512-259-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4512-181-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4976-291-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4976-48-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4992-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4992-299-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5056-267-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5056-149-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads