berbew | 0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe
Size

72KB
MD5

d5fbc5db5a10791ecc29f1263b12f95d
SHA1

7e0a2b02247406655ed87698a2cc22f7aa392e13
SHA256

0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726
SHA512

97d623e6551dcf6e485472d531e5ba8c973d92dcd6343875b03fbff96462528e748ba0aea98f8ff3a02f49c34261741f3b9eeb964a1eb94cec6645595f27573d
SSDEEP

1536:6wKW7ZA4j6b1VVULp1l4mTStRQXDbEyRCRRRoR4Rk4:RK2Zd6RDOSmOtevEy032ya4

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 35 IoCs

pid	Process
3800	Balpgb32.exe
3968	Bgehcmmm.exe
408	Bjddphlq.exe
4448	Bmbplc32.exe
3856	Banllbdn.exe
4976	Bclhhnca.exe
780	Bhhdil32.exe
1680	Bapiabak.exe
2224	Chjaol32.exe
4576	Cjinkg32.exe
1452	Cabfga32.exe
4440	Cdabcm32.exe
444	Cfpnph32.exe
396	Cmiflbel.exe
3096	Chokikeb.exe
4368	Cnicfe32.exe
2356	Ceckcp32.exe
2764	Chagok32.exe
2084	Cnkplejl.exe
3248	Ceehho32.exe
2308	Cffdpghg.exe
4348	Cnnlaehj.exe
4684	Ddjejl32.exe
4364	Dfiafg32.exe
1824	Dmcibama.exe
212	Dejacond.exe
4776	Dobfld32.exe
4512	Daqbip32.exe
2176	Dfnjafap.exe
600	Ddakjkqi.exe
3184	Dkkcge32.exe
2156	Deagdn32.exe
2036	Dhocqigp.exe
5044	Doilmc32.exe
2220	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3092	2220	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 3800	680	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe	83
PID 680 wrote to memory of 3800	680	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe	83
PID 680 wrote to memory of 3800	680	0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe	83
PID 3800 wrote to memory of 3968	3800	Balpgb32.exe	84
PID 3800 wrote to memory of 3968	3800	Balpgb32.exe	84
PID 3800 wrote to memory of 3968	3800	Balpgb32.exe	84
PID 3968 wrote to memory of 408	3968	Bgehcmmm.exe	85
PID 3968 wrote to memory of 408	3968	Bgehcmmm.exe	85
PID 3968 wrote to memory of 408	3968	Bgehcmmm.exe	85
PID 408 wrote to memory of 4448	408	Bjddphlq.exe	86
PID 408 wrote to memory of 4448	408	Bjddphlq.exe	86
PID 408 wrote to memory of 4448	408	Bjddphlq.exe	86
PID 4448 wrote to memory of 3856	4448	Bmbplc32.exe	88
PID 4448 wrote to memory of 3856	4448	Bmbplc32.exe	88
PID 4448 wrote to memory of 3856	4448	Bmbplc32.exe	88
PID 3856 wrote to memory of 4976	3856	Banllbdn.exe	89
PID 3856 wrote to memory of 4976	3856	Banllbdn.exe	89
PID 3856 wrote to memory of 4976	3856	Banllbdn.exe	89
PID 4976 wrote to memory of 780	4976	Bclhhnca.exe	90
PID 4976 wrote to memory of 780	4976	Bclhhnca.exe	90
PID 4976 wrote to memory of 780	4976	Bclhhnca.exe	90
PID 780 wrote to memory of 1680	780	Bhhdil32.exe	91
PID 780 wrote to memory of 1680	780	Bhhdil32.exe	91
PID 780 wrote to memory of 1680	780	Bhhdil32.exe	91
PID 1680 wrote to memory of 2224	1680	Bapiabak.exe	93
PID 1680 wrote to memory of 2224	1680	Bapiabak.exe	93
PID 1680 wrote to memory of 2224	1680	Bapiabak.exe	93
PID 2224 wrote to memory of 4576	2224	Chjaol32.exe	94
PID 2224 wrote to memory of 4576	2224	Chjaol32.exe	94
PID 2224 wrote to memory of 4576	2224	Chjaol32.exe	94
PID 4576 wrote to memory of 1452	4576	Cjinkg32.exe	95
PID 4576 wrote to memory of 1452	4576	Cjinkg32.exe	95
PID 4576 wrote to memory of 1452	4576	Cjinkg32.exe	95
PID 1452 wrote to memory of 4440	1452	Cabfga32.exe	97
PID 1452 wrote to memory of 4440	1452	Cabfga32.exe	97
PID 1452 wrote to memory of 4440	1452	Cabfga32.exe	97
PID 4440 wrote to memory of 444	4440	Cdabcm32.exe	98
PID 4440 wrote to memory of 444	4440	Cdabcm32.exe	98
PID 4440 wrote to memory of 444	4440	Cdabcm32.exe	98
PID 444 wrote to memory of 396	444	Cfpnph32.exe	99
PID 444 wrote to memory of 396	444	Cfpnph32.exe	99
PID 444 wrote to memory of 396	444	Cfpnph32.exe	99
PID 396 wrote to memory of 3096	396	Cmiflbel.exe	100
PID 396 wrote to memory of 3096	396	Cmiflbel.exe	100
PID 396 wrote to memory of 3096	396	Cmiflbel.exe	100
PID 3096 wrote to memory of 4368	3096	Chokikeb.exe	101
PID 3096 wrote to memory of 4368	3096	Chokikeb.exe	101
PID 3096 wrote to memory of 4368	3096	Chokikeb.exe	101
PID 4368 wrote to memory of 2356	4368	Cnicfe32.exe	102
PID 4368 wrote to memory of 2356	4368	Cnicfe32.exe	102
PID 4368 wrote to memory of 2356	4368	Cnicfe32.exe	102
PID 2356 wrote to memory of 2764	2356	Ceckcp32.exe	103
PID 2356 wrote to memory of 2764	2356	Ceckcp32.exe	103
PID 2356 wrote to memory of 2764	2356	Ceckcp32.exe	103
PID 2764 wrote to memory of 2084	2764	Chagok32.exe	104
PID 2764 wrote to memory of 2084	2764	Chagok32.exe	104
PID 2764 wrote to memory of 2084	2764	Chagok32.exe	104
PID 2084 wrote to memory of 3248	2084	Cnkplejl.exe	105
PID 2084 wrote to memory of 3248	2084	Cnkplejl.exe	105
PID 2084 wrote to memory of 3248	2084	Cnkplejl.exe	105
PID 3248 wrote to memory of 2308	3248	Ceehho32.exe	106
PID 3248 wrote to memory of 2308	3248	Ceehho32.exe	106
PID 3248 wrote to memory of 2308	3248	Ceehho32.exe	106
PID 2308 wrote to memory of 4348	2308	Cffdpghg.exe	107

C:\Users\Admin\AppData\Local\Temp\0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe
"C:\Users\Admin\AppData\Local\Temp\0d9c8e46a1c571fd16ab6339b947229a103b039838a0e10c178dea5b1977a726.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\SysWOW64\Balpgb32.exe
  C:\Windows\system32\Balpgb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\Bgehcmmm.exe
    C:\Windows\system32\Bgehcmmm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\Bjddphlq.exe
      C:\Windows\system32\Bjddphlq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 408
        37⤵
        Program crash
        
        PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2220 -ip 2220
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
72KB

MD5
c798f1c4508809210e007c3445d076af

SHA1
5f5cc0bd70c0409b973c5eef0d7ecac3194629dc

SHA256
52124f16e66223aa383063d28b0deb1b2277df964d5f95322c33b05637d2e8a7

SHA512
4c60683b048cfc82d10f03e6e0b0d5f71b7cb55f3949bf84f69b3aaf133a9f2d09a9030d9fc4d6072e815b7203d227ce8f7530f40f347eaaf1855c6245291dce

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
72KB

MD5
cd3441629a0bd75e2437bc3f1a55dcbc

SHA1
412624e2641d2cb8906685a6907de35b93c399a5

SHA256
4be5c37b1100e15860be84d8ace64987ec0f83e1073fc94eb543147a138f498a

SHA512
31a70593b5e1296e768f0bbb52e36823ac618ae2f867b9911790a964624607b40ac047828b17b27e9b24c613758fff374d081ef1045f7f9187a10a5e36fed798

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
72KB

MD5
2222ad71fb2d6bbdbf6447c9712b72d2

SHA1
26fa2cd783377eb3b36e58336255added78259d1

SHA256
4cbd5085beaaae910b324323aa13d26210618f1068b65076144766531a6e5c40

SHA512
bf6b15165592f5a6d6efcba317d5ea4ef014ced34493f4c95c8d9b51748e8e080f5e316565359631640537b129f715eb5d6832e1084cd5a82e550d2b6872f3b2

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
72KB

MD5
b82db94116052cfe6ba0f69aaf1d3781

SHA1
b24c34b14f85ca844e8db37395aec68809060616

SHA256
e2421eae832a0e11608646007d4636102dd3c7e790ffb6fda446d3a95f7d0ebd

SHA512
cc620c910a53b2bad961428719e644621a5ca631c43ce5b739bad1efac2b9916156ca78b1aec5374d2faf224ab0275c25af7505b8f303076c637c2aacda6e54d

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
72KB

MD5
6dfeafbaf4444a6613e7812e1f84a5b1

SHA1
d37d58d5dda956e34a8443b7df9b14cb4282cc87

SHA256
f780404d759c67682e4c33f3ccacb6df4513a4aac8ec8c988a41a399749e4cee

SHA512
c616cc1e96fa44dbc4a807f30d897a8b65e09458ddc97d8cae1328e4928cdb269eee4e184829908d45d563f48b4a6cf9ccff2d38c029ee683715d6508a18aa3a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
72KB

MD5
1a7c57beb4d4fe1d574024f113860374

SHA1
feffb5b61eb141e34ad4a2caae44a4a703cba909

SHA256
5070b834b6df7314c57bcdc25f5933b9655a29eebc400da7d74952a7c467955f

SHA512
00932df98b630666ea74ac6d79c047bbfb2832d5f5fb4a99c2bc749a99c1c8d031ce29df356c68f2e6b4880e6463af590c6a1d6cc8787e1bededf382dff0ffe1

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
72KB

MD5
7293d2210ea0c4082663b2043d44fb1f

SHA1
5af5c3250d8364f0bb5e290ef888c6ccdc801406

SHA256
d607df887fe3952ed7a4546ddb64d486ccda9fa160d4c8ec7d393f6ff01a7d44

SHA512
de88267cbdec038ec5f2c556c0424e9901ef6c52ad623a367c9a29cde82828b53243bcca2d8981df3e8b7f7d1d994fc96e837d46b04501c862ffbf0e5ab734eb

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
72KB

MD5
53f71b572fe296916921b5ce0f8369b6

SHA1
c8fc0ce2917ad615abcfffb1fe5b9f92bd6fbc9c

SHA256
e0f509a478488742a17ac1a2a56d6ab96aea57d127df54af4d61831d596cd912

SHA512
0f8f435851208d217087da2d15eff128aea34337203b516600a0541255ed65dd2bce61a3692f7ec5f6e60c34c5866db8bc9c41476fd64dc5aa25da422a1c7a91

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
72KB

MD5
a5330e84dba90c1ea52f4f43e07ad67c

SHA1
a1824b336c35daa2eacbb141ec1206afb44038a3

SHA256
0b3c5637293ecee7a401d916451fa832fee16c8510d2f2cb579819516ab45145

SHA512
f04bdd629d62561ad11e00cd18bf28952e3e8d3ab516d0faa97b9f399b29203f400acebaf441eddb303f4a1206027e9344cf18245437faa930103b0350cd57d4

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
72KB

MD5
fee036efb28ef40124f717657efd4645

SHA1
2d553ab670ee05f411c68b35e5db4cf74e302dfc

SHA256
46de7e9d6aaf7a890b4ab3e85433fbc56f24224247ac5809f2d705d979da0333

SHA512
221e6576cd8eda29fd46acbb1491d569fcc5197f2269f96d3f084566896093f0177a644a14d9f3a9c21bc1c9f07fcb14b296c7ec01709679e249f875853668aa

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
72KB

MD5
8b986d4452fc7e9ab076ea5c34d83e9b

SHA1
7865562f0aa3b5e80fafe54c851256ba9b09cfc1

SHA256
03ed6bb6994228f914421f18394c79dc3eafb894423f4c7aa7929f30b3665573

SHA512
ed94204065bccfb2964c2226d53d3c1384afc844300d035bbad510d7afbcd46fd41c91494be3691a64511d824bad445922a1661f9d72c93eb32416740f37b77d

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
72KB

MD5
87e4819726fb537633168d93dad5d62c

SHA1
799b5d03750f7a581bedca85c2ea8a159f0833ff

SHA256
446957b1c12b46ea003a9b9b481f0ab2f54da56ef5d069a884c90ae80451e664

SHA512
33947679dd02366b7a094d01179ef0d0ac54f38902639b8b43945c7a056a6a8579d613e2935737a71b422ae851dc679c0308f3b418e419fbb00a02bfb44d4c2d

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
72KB

MD5
28242506c81d0134821cd623f93f2fdc

SHA1
3972150d1f17adc8db86750fd10d3699110424c9

SHA256
dfd670ca02b03286732f42adc3b9b4140cd13c2e180cc5522cff177a4a136931

SHA512
a208a02f67b7535d329537504f794ba5c3b9915ec8474bfda332e95fb352574109aae01a3360d35e36cae396ae42e84b3be49144be2282356eb9ff4da5a87112

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
72KB

MD5
9b0957e4f05b423f393650219190a728

SHA1
7b7b86be96225986be5663a6f91bbb703f68da16

SHA256
6cd2541ba2536e7c34d2607968374a929ceca6489d690688d351e8e8c867a7a4

SHA512
27c5555742bb6b8f6db18890cb7791151090ee8c6951b5c2c6e001877674d768e13edb11d87ba74e8de6c564c4fc15addf4b62ee90c8d532329558e00f45fe9c

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
72KB

MD5
702fd241b1b7b510cf51bf408f7364f6

SHA1
6c3a211e0e180313c5540ebf38040be94feb03e1

SHA256
e49bb829b5dee407995de0d1c441883a9c19be4acfea679a60378562305d2a23

SHA512
5e8a0b1251293b99e0af4b7955aaf3eb109916c37fb9e71a815d6d6d2cb169dc56f4d38e5aacbbeebecfdf5118067f1857cdf778bbe4b90301f7bb87c8a402fc

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
72KB

MD5
cee57eca170a1bec961a190965eae808

SHA1
63a9442455759d03c3303bae9a7ef9d853328cc1

SHA256
87c36b63d8e25394944180f57b3d3badb9e49b0a109f930928428c59c33ce8f6

SHA512
8153da5f561f9d1fb2a531c1fa2aa1059bf6414d45412f3c08c6fa60f6f526918b1b404fd2f55d3a8c3f56f404941be1c35f13bf2f759ad884e2a3a084b7b201

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
72KB

MD5
b15e1d1554e1521217945bbb0cdc6765

SHA1
5d5b79d254492000de58f65f246a6f7177e9eba8

SHA256
c3e74a2d8fd40066210af69b2bd818179001af347d306d34dbf63edeb3f49374

SHA512
1a484c37d8272f8591f83a8aa489a84ffcee987a996a0d34b5c0ff3f3411fcf50a3eb82dc61e680e83596ffbefae4dd179bc6c5970df473bdb9c05469b161bbc

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
72KB

MD5
1a1e6a84f8d08743500bed06e7e55fbc

SHA1
0902351b577bddca4e2d711af8aa0bc5f810335c

SHA256
a49775bea4c56d110fde5d14c68b0a2165b25ea7ec1c8e499d051b128b5dd4fd

SHA512
a8f74aabc02e0f8ce57c46bfce3e7ecf0b3dff42ac1850ece61ff82d72c3b5ede4e054daa719e1cac70fbf9ca21f0c23e16eac218c346c909680f6a72f989d7b

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
72KB

MD5
c1c9d65f77b9a6c814da8e7df2255e56

SHA1
d3c1573bd881217d3296e5c58a64765953c9f2eb

SHA256
9433e757b0043d5e4f00728532ccdc63abea1c6f2d653b5c794f3a6e8b824f16

SHA512
6e0b7974ce49abc6ba4512641c149851016d64dd94ed6e7d7c45e167f8b5bdfec12acfffbd572b36483bfaf64a0bc5d8ba26c994bbd0cbf0211bb2999ee54a05

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
72KB

MD5
fa4959c8e37587caee864f34bf0e8129

SHA1
30f9f6ad31f1caccf3709fdcf48d831eea4f328c

SHA256
7719b905635b71f9f2f96016cfa7d580c636211b10c72f583d12de144b7e6883

SHA512
cd06c6f6c11de3935c5db23c63eacc466fff9ace9e8050494e2878743f6eecc8465a0d230f91e99434b581892ac6296a4c14ba430422bd0b8afb21986c81540a

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
72KB

MD5
d6316414efa2800e02c95b2bdaf06f2b

SHA1
fd3fe965035237588843e377a42fa160ff225d2a

SHA256
3e1ad502fc39611964888b5816e041761b3e36f7fe8b9923ecc724287799ed69

SHA512
c8cee3c3433a00938b827275e3488b1b3987a6a63cca4e0cac624f01ddddba4bbe638c2495a3be433450406eb1ca34deeb1ce0bf2767ddaa2ca55eb4469cd155

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
72KB

MD5
11358b86e2c135cee6df6370931e8dc2

SHA1
d4ce155ca551ce48369a1705506df11b757adf3a

SHA256
48f5efd0b40c70087f2ad76a120a84083d3125295331a5913adf8aa10a921dc3

SHA512
0b741ae7d08f35489744c4f0ae0411b73f7d16539cabc319c23735c6d612150eeda768af5bf6b6b8db66273abbcb4047725dd6bc3a77a03046df1bc9fe02031f

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
72KB

MD5
3a8b30f82942da4984ef248a522ebd4c

SHA1
c6923846d889c96a21dbbc7754116822f7cc541d

SHA256
10ebc65501cb8ab5ab6252bd778f11340f5579dcc6785d283c3864ab0106235f

SHA512
b8d3a4f40bbff8d0595fe6e0e23eda9bb25be96991e8779e0eea887abe6fa70ae1058baf005bc02391ab151314723bfc65cdfba217895be1be5e8aadee9f2481

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
72KB

MD5
a943365d4bb4dc316b29d2db1561938e

SHA1
77bfe77a2c41306148d87bd65f435701ce2bcbdb

SHA256
f838fba98f6490f045ccfce11e0308689f62889a520c729532aed1c3c1135e99

SHA512
efaaa87f17a509a98a59bceeafeab641f6e3a9493a60ae4d0ae572bdd40452bb7032f496fcd286c06f346b587ea0fe7f7ce29915f6e7a628c73996cb8e99dec2

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
72KB

MD5
adb87aedddd5d81b66c2d235f1384b1a

SHA1
bcba1817cc221bb3efc27d6b85e592001c75a60f

SHA256
9e5029b33970d8a56b056241b1e73ee0863ca76be8130b01285149be4d6ee6d9

SHA512
a164109cbc8bc2ab60eaa30a6046e2f6f8c4b88376452eb2022dd0dafd5b7a7f3703e942ff9f58e6967872495c55db3b142c16e0b274866d8c391607b701a1b9

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
72KB

MD5
3f466fd98b02f2d732a0523a062ee55d

SHA1
d4dc4fa70df453cb9880ffffaf1b5948ef051441

SHA256
174406510b1daddde7d00bec73493f8cd0cf2475dbd3320421cc11f0bf237688

SHA512
4f2141792c6d83422988d2137e16bcd0528b8362f422aefa141560e9c3dad22daa60358e2ec23041c7555171f15b66b94564156a2c5960fceb98a194d00478b5

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
72KB

MD5
bd43af24e24ba015bc618a0b33f54118

SHA1
5927c3e240f0ef70a8777f0e9783625331ea7cfc

SHA256
2b58d411a21c3097bab6745712510d4c494740e185e1d72638eea387a16fc004

SHA512
48b7ec3c3d1208547cf234f9aed4ff82bec4f93799cd8398580e902742fc52aa25c69a2fb1f9960f83b59b56478062dfd52af8ec5737f021dd30f0d60bcd4a56

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
72KB

MD5
84520a0697ee94556bade58d4098f7d5

SHA1
f01a9c9cf4cd692448cee5b0f19826fb1fb708b6

SHA256
487d67389593b4c8423c18b46449d8aebd186d459b57547b26f0d6ca86a7002b

SHA512
dc7c4aa6d9b208ee6bd25b7c52aaca52e9ccd656c62912a3a4e077d40ee3943dd17001d221529af11f8b7d76dca056dcb11736e94dca079fad9ee74275050bdf

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
72KB

MD5
f273065bef047fc6100a3db377b7feae

SHA1
b6729949e3848e0592885c4845a510997005dbc4

SHA256
6085afadaed50cf77744559aabd0a25c58304b90e461e293834df39cc9358b38

SHA512
7893dbc138b07c3d71baf68d18928a0d0aa6e560886aaadf1632e2f82a0ac09d2e6a3d588fb79477384c073aae219277f6854103308f2a95621505575011c995

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
72KB

MD5
e470f0daea049420ee0816df0bb14c17

SHA1
cfbab381febac6ee59cdd29b8141467fc41768bd

SHA256
c2bcf6996425c5794e2f92cd93c4c02110e4fe18fea7333a6efd76ac40fc77f0

SHA512
6c62dff944aa3eb7207f7ee9f91871aec3db6d1992ff0a8d86dd467129fe3f51d706f1be8658bc3d174def2ea6e9f7ee5d4a245a8f423df04da70e1f5b1523d7

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
72KB

MD5
cab102f48637ae8ebbd3ee29149a4d05

SHA1
fcdd98a17e445720b78bc61029ef33133f1b931b

SHA256
38ddf0a763086fe7d63f7844ed3a5c92a47e62bb8362b34d8b44b90c90618f9f

SHA512
7021e41ac29ea99e17a3ef98f559973465d4d3edc0e8aa59ca31ab2597a6d39e9f16c3cdde718d98e8b4092bd1592a95b44d84f0d0ce4bcdbdec40a3255fc45a

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
72KB

MD5
04cce3fba4d13d2263bab917d37f3974

SHA1
ea0cc521f72885effac18f2eb750798da1a59d0c

SHA256
db62f7ebc9b7a0885fef58296afeb33e260de18fd0c432288094bff468630fb7

SHA512
08391c786f3470d7b5f72273f23d799151a1378a35c943c06188ace620e21fe20aa11a6cd13068901e15be818923f1f7a664d2be9bd4472d85dd2f4c503d9556

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
72KB

MD5
608876286ff607f41593e64016f5c944

SHA1
e4a4b70141ba4e3756acd1fad4aa86ce7abda116

SHA256
7169f0a57543d2e5cc31386f2e50442136b4b3abc1506bd41b3d84af44de1889

SHA512
f645b0a52c1aecb1827ffab28f3d50b0038df4a0299cc14c8feaea75ad3b3ffaaa09e39aa749e78aaba94e7e1deeb4a5c2b83e1de48800eb3bf20efeab6cf8b6

Download Submit
C:\Windows\SysWOW64\Qihfjd32.dll

Filesize
7KB

MD5
ab0d395e26e859ef4365267064977880

SHA1
619f36f9411523850950adcda3a93cc70969c21b

SHA256
e27613bda28b00b0fa11c000d5fa1adfb393b79881fc929102c5cd9b1e3e04ac

SHA512
28917ab631e9cf26b1c4d08a9e537df3d7723590201304ba744488f4355abe4d619cde4185a609a2f54e42effb84b64657957707966b2c341ec8013df45bad1d

Download Submit
memory/212-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/212-284-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/408-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/408-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/444-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/444-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/600-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/600-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/680-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/680-309-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/780-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/780-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1452-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1452-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-301-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1824-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1824-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2084-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2084-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2156-255-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2156-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2176-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2176-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-275-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-300-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2764-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2764-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3096-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3096-295-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3184-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3184-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3248-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3248-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3800-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3800-308-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3856-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3856-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-307-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4364-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4364-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4368-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4368-294-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4440-100-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4448-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4448-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4576-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4576-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4684-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4684-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4776-283-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4776-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-303-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-52-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5044-276-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5044-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads