berbew | fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe
Size

64KB
MD5

9c88aac9eb874f698ada60f936c33200
SHA1

12695c46e43e3d02f719747d713a6a01f03e3cc7
SHA256

fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760
SHA512

f59c1b62315229b9d72743e60a49092b805dfe4ebbf8c1ca755021cc4c5baf51c91559420fdeeff207b8a057b4f4daad3967da6883495fda1770b6cea78ad777
SSDEEP

768:TjVMJ1p0Lax3Z8vGl3mQ9LbuP04apVQasBiWDwf6UmBjwiQVVcXM/1H516XJ1IwW:ix34inbuPcuasYekiQcXCuXUwXfzwv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 33 IoCs

pid	Process
2856	Banllbdn.exe
4496	Bhhdil32.exe
4844	Bjfaeh32.exe
3660	Bmemac32.exe
3676	Bcoenmao.exe
3788	Cfmajipb.exe
1312	Cmgjgcgo.exe
1984	Cenahpha.exe
3192	Chmndlge.exe
4004	Cnffqf32.exe
664	Caebma32.exe
4580	Chokikeb.exe
3992	Cjmgfgdf.exe
3748	Cagobalc.exe
1632	Ceckcp32.exe
4556	Cjpckf32.exe
4316	Cmnpgb32.exe
4548	Cdhhdlid.exe
3888	Cffdpghg.exe
60	Cnnlaehj.exe
3032	Cegdnopg.exe
2388	Dhfajjoj.exe
4212	Dopigd32.exe
2332	Ddmaok32.exe
1676	Dfknkg32.exe
2628	Delnin32.exe
1696	Dfnjafap.exe
4360	Dmgbnq32.exe
412	Dfpgffpm.exe
3080	Daekdooc.exe
3124	Deagdn32.exe
1184	Dknpmdfc.exe
1548	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4680	1548	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2856	3652	fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe	84
PID 3652 wrote to memory of 2856	3652	fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe	84
PID 3652 wrote to memory of 2856	3652	fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe	84
PID 2856 wrote to memory of 4496	2856	Banllbdn.exe	85
PID 2856 wrote to memory of 4496	2856	Banllbdn.exe	85
PID 2856 wrote to memory of 4496	2856	Banllbdn.exe	85
PID 4496 wrote to memory of 4844	4496	Bhhdil32.exe	86
PID 4496 wrote to memory of 4844	4496	Bhhdil32.exe	86
PID 4496 wrote to memory of 4844	4496	Bhhdil32.exe	86
PID 4844 wrote to memory of 3660	4844	Bjfaeh32.exe	87
PID 4844 wrote to memory of 3660	4844	Bjfaeh32.exe	87
PID 4844 wrote to memory of 3660	4844	Bjfaeh32.exe	87
PID 3660 wrote to memory of 3676	3660	Bmemac32.exe	88
PID 3660 wrote to memory of 3676	3660	Bmemac32.exe	88
PID 3660 wrote to memory of 3676	3660	Bmemac32.exe	88
PID 3676 wrote to memory of 3788	3676	Bcoenmao.exe	90
PID 3676 wrote to memory of 3788	3676	Bcoenmao.exe	90
PID 3676 wrote to memory of 3788	3676	Bcoenmao.exe	90
PID 3788 wrote to memory of 1312	3788	Cfmajipb.exe	91
PID 3788 wrote to memory of 1312	3788	Cfmajipb.exe	91
PID 3788 wrote to memory of 1312	3788	Cfmajipb.exe	91
PID 1312 wrote to memory of 1984	1312	Cmgjgcgo.exe	92
PID 1312 wrote to memory of 1984	1312	Cmgjgcgo.exe	92
PID 1312 wrote to memory of 1984	1312	Cmgjgcgo.exe	92
PID 1984 wrote to memory of 3192	1984	Cenahpha.exe	93
PID 1984 wrote to memory of 3192	1984	Cenahpha.exe	93
PID 1984 wrote to memory of 3192	1984	Cenahpha.exe	93
PID 3192 wrote to memory of 4004	3192	Chmndlge.exe	94
PID 3192 wrote to memory of 4004	3192	Chmndlge.exe	94
PID 3192 wrote to memory of 4004	3192	Chmndlge.exe	94
PID 4004 wrote to memory of 664	4004	Cnffqf32.exe	95
PID 4004 wrote to memory of 664	4004	Cnffqf32.exe	95
PID 4004 wrote to memory of 664	4004	Cnffqf32.exe	95
PID 664 wrote to memory of 4580	664	Caebma32.exe	96
PID 664 wrote to memory of 4580	664	Caebma32.exe	96
PID 664 wrote to memory of 4580	664	Caebma32.exe	96
PID 4580 wrote to memory of 3992	4580	Chokikeb.exe	97
PID 4580 wrote to memory of 3992	4580	Chokikeb.exe	97
PID 4580 wrote to memory of 3992	4580	Chokikeb.exe	97
PID 3992 wrote to memory of 3748	3992	Cjmgfgdf.exe	99
PID 3992 wrote to memory of 3748	3992	Cjmgfgdf.exe	99
PID 3992 wrote to memory of 3748	3992	Cjmgfgdf.exe	99
PID 3748 wrote to memory of 1632	3748	Cagobalc.exe	100
PID 3748 wrote to memory of 1632	3748	Cagobalc.exe	100
PID 3748 wrote to memory of 1632	3748	Cagobalc.exe	100
PID 1632 wrote to memory of 4556	1632	Ceckcp32.exe	101
PID 1632 wrote to memory of 4556	1632	Ceckcp32.exe	101
PID 1632 wrote to memory of 4556	1632	Ceckcp32.exe	101
PID 4556 wrote to memory of 4316	4556	Cjpckf32.exe	102
PID 4556 wrote to memory of 4316	4556	Cjpckf32.exe	102
PID 4556 wrote to memory of 4316	4556	Cjpckf32.exe	102
PID 4316 wrote to memory of 4548	4316	Cmnpgb32.exe	103
PID 4316 wrote to memory of 4548	4316	Cmnpgb32.exe	103
PID 4316 wrote to memory of 4548	4316	Cmnpgb32.exe	103
PID 4548 wrote to memory of 3888	4548	Cdhhdlid.exe	104
PID 4548 wrote to memory of 3888	4548	Cdhhdlid.exe	104
PID 4548 wrote to memory of 3888	4548	Cdhhdlid.exe	104
PID 3888 wrote to memory of 60	3888	Cffdpghg.exe	105
PID 3888 wrote to memory of 60	3888	Cffdpghg.exe	105
PID 3888 wrote to memory of 60	3888	Cffdpghg.exe	105
PID 60 wrote to memory of 3032	60	Cnnlaehj.exe	106
PID 60 wrote to memory of 3032	60	Cnnlaehj.exe	106
PID 60 wrote to memory of 3032	60	Cnnlaehj.exe	106
PID 3032 wrote to memory of 2388	3032	Cegdnopg.exe	107

C:\Users\Admin\AppData\Local\Temp\fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe
"C:\Users\Admin\AppData\Local\Temp\fdb296d87f8d860b793a351b0f3e7a1cbd8de66f23ee7c7e9ae23f6455c20760N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\Banllbdn.exe
  C:\Windows\system32\Banllbdn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\Bhhdil32.exe
    C:\Windows\system32\Bhhdil32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\Bjfaeh32.exe
      C:\Windows\system32\Bjfaeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 412
        35⤵
        Program crash
        
        PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1548 -ip 1548
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
64KB

MD5
aa926ea46e01aad80149f741f58125f8

SHA1
48f3c62c5f41e9bb79db60702d1b4802bcd32f0b

SHA256
b4ba5196e134de066e8b382dfe41976e7a5399b76f7c67d3ba7c8f9f23eb768c

SHA512
1de937947042ee45d30db0099f0b7f02eb454b3caa45e47ccf004d9d078d4c02fd79303b93f8b44e7bd8b655f5271949e3b137707e6906198a869442a6cbf0f8

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
71da14415f15dfb94d32abaf20236b4b

SHA1
bdeb8f497a1b7e5e18a8923b7fff87a1b0b059d4

SHA256
c070b2a7272e2f1bd1c9eecf2476d363508425ac9facbfd93f73059c9a2b2ef7

SHA512
67a98dc4e5462f2964f909a90b7ca1ca095d471665df4f723dbb093075f8b0125802b0839c3f4e7388e378c2592934e056d55eb1f9ea512ce17224b868c6721e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
64KB

MD5
dab0717963054dda26ca38d2fe42df8c

SHA1
79089fc8d23a2c3429959e3bf5574d5a14c9549b

SHA256
f3e26f0159e6243851a98af769577b169fe5c1cd26c2c815df20bca9c3f4c1b0

SHA512
8798f4bf79733c661e486abc0ad81ed6ff5c88c717d850aad7135e8bd03db937ba5b601c09cd010d70cb7ec3811f3565bd99d04305364984a0314a6b7e5abfe1

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
ef07f6e8ab3e0d86ff9befe402aa7a6b

SHA1
a018f655a3aceda124849c9f03e0828d94711a15

SHA256
550353e6148cf00323c0d930b6e4634b7a4ffbcb1e3fcd5b8220e0513907051f

SHA512
77754cc81480f1751e9c3ab012e2a91256843d4026509a5ab7a61f75df70904152b91533fda4b78b4792e0bb10d60434c3fd1bd067eb09a738932162850a483e

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
64KB

MD5
fe413d5a5f073671cc3fdd251f995b2c

SHA1
35c0a339fc4cc3448fb68fe0a70d41d9eaf29cca

SHA256
7b586f5ca125b9aa1ced085a679ebf46ccb966ae2e4baeb7234ad5a01d87b1dd

SHA512
10463e1ad7b8815da17ce71e500f3527b6791e4dc5afd9014c4057dbc88a1c4544f7b1ac1723f5cc36f51e8938a24df1aebc951628d95ef1bb510aa736a2c7f4

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
fcf37124b2befad63dd796985c4a4dec

SHA1
d28f6a5fd7b0e3fcb9d527c6f2039ec986716e5a

SHA256
f8791aeb31e3b699975887ef8e16d40ea5860527f420e2c731e4240ac0c538d6

SHA512
a933ffd23a08305069cbc37181c9ef03769f0bff886ed33bebfaf92ecef6a1422e3f332fc6689a591b7b6124f9221e1c78a276cd52a2fd42b3f460428bde799a

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
64KB

MD5
d02cfcaccfabc5bd2f378c1497cb636f

SHA1
bfa33a9a19a8d26c8bb6772b98501aa7613c3a60

SHA256
1bd443b875db23727cfddb1bf73efb3d8d0cea2a805fb35cace583580fc360db

SHA512
878eb31280f3d3df294b4a6f8ab229dd80804d8dac07537cdf960f1f9179b1bd60e48bef6f9ef54b5370108af986c4a7ceaaa45cb25bc0c51f96337068a60388

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
8acb2107d294ae31085df7012766f46d

SHA1
8657beb830f905473bcd56d991367d91580f4d23

SHA256
5ce1fdaf21ef223bc745df0bbb23fa924aab9b253f74b57f0aa0bd7efa251887

SHA512
4e2bb0bdac3f165b599574e0a0612b99aff9b2f5f3ca248fa19671e2bd1cdac98612cf0eb538a8e9eae6b733bc67c351f8101aa8ea123dc3e8e6005ba50416e1

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
64KB

MD5
0e6251c6795d63acbfca0de4cd5fad87

SHA1
d908aa1099ef58cc536e1cea9af9284fdc7293a9

SHA256
d96938377f6add5678b5f0273b5564dabaa2d8daf8ef996d860fd53633726c8b

SHA512
f9ad4d6315bb676425c7d6310ab87612a3f9ca68cdea717f9a77773b4b4a2a10b734709b0d951a350976e6877a438433404386724e3ac8b56300f52c48b05e7d

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
309c799a138ea4e19835925e6663e13d

SHA1
a6ce958596b0f99725f360cc179f952c1f6378ef

SHA256
75fe2abcd5fe6ad710beaad5a9ce67763f33fcd9a1591c89e53b16da9a8e9d73

SHA512
adac33bb96726f6c8840059d495072e2df3bf8bf7d2e71ec0dc80264646a607447b9051e5d414d38768985de708475a5920f4d05381625faa324f67d6af2e935

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
64KB

MD5
93f8576448ae50e7c10d87b2565feb28

SHA1
98cd7b565bd977c79e0ade8104b98bdbf5407771

SHA256
6e6313ad25fe01717bf5c36626aa0ffdebcfb89524b318662d669e39c0cfa288

SHA512
a1c623e8379a3a6eda9ad4a14989b8587383286f9914e42ff7caa73c24591442252712a85c78466bb91d9c81d06619b4aa9263f432917c8d75b0b003e85f762b

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
2ce616d983e96197244da440c7499652

SHA1
5a594606cdfdd35a89b215fcabd87a82f9237cd9

SHA256
54e2ba1a607f3ee7b8e407c910b659ec35f190ff401ad6622c9d97caa3ac0f8d

SHA512
555b25da24dca64dd15d69e26029c26240ddcaba776d97e58c6376ca30c9418628a32a7be806130e0aec8a626c3dd0366bd6e8f7b09210fa409e6ff6ad21a6f3

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
123c4946eaf975c1257b18be82026e97

SHA1
cddab76f15743b95b368f0e15f550d80eb2e399f

SHA256
e77a628c5b577842d7145b70fb116e5851c03052c61762fc13bb9b7709d94afb

SHA512
2b044357fd32da9e84669ee16f848ee2a4a055271f7cb5022f6dc3a2fea7b7d80e9f4350a5980b2ff2162aab4368178e62e5789f4d9439ea36d76af3f92eec1e

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
f2c97c2b4a17abfb3f8953d6f2f21590

SHA1
c118e48fa3da95e8a89817d0f31ae25891838b36

SHA256
dde12e9b1a5b7f8e232c1e473a1a3dd549809c4e8c04ebdebf1b2bebf4259b43

SHA512
fb8788de99f7e7ed096ff1a8743c3bee416fd6504325f3550cc0f49824f732171b01b0e97484200f43f2a356b026dc54d6f2dd90a849e2a77d4296de48119239

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
aa074205f2d6abb779e796f80028ef29

SHA1
85d36717e0db1ff1dd0d217b92a7831155635ace

SHA256
6db088e8b70bb09fa23ff7f689da7e736ada97d0d82f522d3143e85e4503c893

SHA512
c9e7598d54e356e861ac1c14c43620ee7a1dc40176894d74db6c8b98143b4509484dcf39ff322a5d692504ba90c7b94063c541a11a866a6ede17552cb1ef7b56

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
76a8e194eaa39f366f45b9d8241bd5d6

SHA1
5f37c8a68365250e4c613b7ef8df8c81084083c5

SHA256
a3e568241c83c27ec60837db33223f4563724c2080cdaecffc63d5ca8c08c8e8

SHA512
d694d53f4fad2455fc30b84736861aeabcf66dd5b8e6c2661ad61c69d20b6032d4c3eb21e41c257062a1da701352b9bd8b861bd75d636b2ff972aac72a9f04de

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
d905b5838ecfe3dff38d9c36383ec956

SHA1
db17a71f2a2f1657d5832b2bca54358f39aba320

SHA256
76c8fbf1154705078da400efee7c1d8274e108b9e5fadc05da54952afe346052

SHA512
d2f4122e20ab753cdbd067bd37223ce89e015fd4bdcab4bf3743a158cd1f6df37b65c4a647293db9a60aeeff9eba709dfde3c59eb24e67de62ecbbe18609d05c

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
6381b669177ac34c4ce379597bb1b5fa

SHA1
47cb02884512fae6a89289ce4ee1aeee87c8fa19

SHA256
ac4b89296c96053fbc52819f6e2050269164e598c574bdf96f0c6f7734b09d23

SHA512
aabda6e040b71687ec0aee8bf56bf79a4e6d5d8b3658b3cb536d24559ed6b3ac353ea1e7e4a6268c972e3ec41513dbd70113c45140081d1fe6ab88797b200e18

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
744595c3d3881aeb61d695e3e22ec78f

SHA1
aafa6bfd6b1998a5fe65c85c3aa77ed891c9a2b9

SHA256
8338d97fac5315ea5c70b4bbbd5392a062709afd6d7d3cdb848d32563f9912db

SHA512
4013c845ff425de5b4c48e6a24249033f3eebeb2ccd3d03685712e855e529265b9c08684614c2a7d0913d2ef952ac1b01c5cdc143f5dec6a9771da382c6c5eec

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
9c61218b8b19ccaf381dd7496ed50db9

SHA1
41640942ad4b7d1e2cbedbf370e3c8eac46c07d7

SHA256
5a39f7af9d9e5391402367eddd172f76b5584c3a1a46f77aed578f6d0ed335ca

SHA512
9c8d38e4aba48bf63561c6f88cad6d2e9defadf4196ec7db5a1da66cb71eb8966568195d2b57028e439ea72897c86ba258492594e4b6bd979eed64bdcd3dc8b8

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
519a6b7ebebca8fc18dbd5ccaef8a7e1

SHA1
80714e2e4f19ea1da161930f8669aaa366c8bc20

SHA256
f0e10760bd0c8cd80f1d3840611214411adc1f41a88976aaee4999d2f6078f22

SHA512
36520a6f8e02a36f0cc1f3534e75cbfce7197cca0c660b61b9a3b45d9e841c042a10bb3d50c7aeecd9eb858a238c43505b938f099b26389b1aa79805bad7f704

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
744bacccbe3f709329722b243427a147

SHA1
aa34855a263e13fc48b4b62e5614dc0634fae80b

SHA256
71846465f5815f0b94bafd35ce54d1d50e5c7cc706ca98ccc3afc0223b3bb9c3

SHA512
68d2f8f51f97e0404ddb9af4c17d69103a8a68a9264691850406b3bb916aaa4d58f2a79414929c226612887bd59f0971815640733b309fbed3369232c6a42279

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
8887f6e12a4bdebdff952c354f30b094

SHA1
4985bc7baf033577d81d50f390830fd19f966213

SHA256
d259b04cf870a6a592ea7f4356880cb352e88e1790320bcacc67cf65008b74b2

SHA512
158e3b0e624ed392158661754346e0de497edfc6449f544947dbc9feb772bb9f93676ca9b9b5fdf6d48fe92261f6a0ccd18613c0124c14142243e2f8ea233c20

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
aeffda4c50835042bc6069db5756cfcf

SHA1
3945c28dc698e7d1ccd141651014c6b06c77b44e

SHA256
3e1b3be69f3fae09b78882749da83048795444e0b79f0c4228a21a5c3b4eee7c

SHA512
f18bc02a2f1dabf56b60c1b46eacb701f21ede9f34e9969f4007398a6c835cb1bbb68641e38902cc61bf2016c315c8ab5faf3b2e1e9988d98b2e37d8d691af5f

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
9cb51149e1feb969f9e331f1be623eee

SHA1
c37dc17f6ce35a208da975fb93f0acc7ced3e5f8

SHA256
75230611e7403d1a15de23edb440358d3e3fbfe4a1176c66bd4d48725a88249e

SHA512
10382daf2433b51d7cdce7827840157102f346d55f89d9e1d4346a98ef840c018f6f776fd5b0da4f2b2e2b2ebc03e86b428316d77b137b8929ecb1f1de6faaaa

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
794c480a9cc4c3e61d299dd5b6dc5694

SHA1
28e94474de3c77c120f46cd93ce53621cb24b019

SHA256
b25cd2ddb616db476e5df034df0f195ce192a7d29c111ac058a467305eddd67d

SHA512
38fe38b7943a04b2b35bebbb699f935eaa3c9c4c92739f37dd09d74e07ac4cd418040f06a9ac670adaebf96ca4105a26480d177cf68e44b24d86439f87eb28e2

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
64KB

MD5
e8e527074176f4a97cf25b4c81244886

SHA1
679e7115c70f47e6df227be01fdfd81b3b452bc9

SHA256
575c1b1964684528492ce896d03080e8f25db1ca34752131ff830d91119852d9

SHA512
77abc519cbbbcdb16db95635f869342865311d27298f7f909d3e09ea991d3045a45c9463ce4f92dda90c1a92c1892621f135ffa8f627b3d0f99cf5821cd5c27c

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
35913736c3795c95918b204bb91cd567

SHA1
fb1c4a82b14d5088da367303399f792f6ae1f63c

SHA256
9cd1175b3cb1ff8afcb92654e5b93db81170bee2877a4466619f16a1ed782806

SHA512
556611a4e80d53ead182c87e0d5a7b911bce74169cd3041f24defb59df3f568a60073e4bd6619175a3dc213fedf198d13c1d5dd97815c56ffda6ad3ea4383a59

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
211360b2a1f393a8402930e7409f9022

SHA1
b688884f29048711fc1310d0e34e83baeb7481d6

SHA256
4c1acbad3b7f3265133534e269d654082a32d9db5476c039ee500ba88530138f

SHA512
15e54a5aec11d97e3ea0fa42856ff30535a97be5ae17b1c70dba1f970e514a7529f111b174b81104a7b2aecd68608bcf039b6dfd8828020a3f23db277968584b

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
64KB

MD5
8bb0b045f6a6e5a77f57fd12d2aa0c9c

SHA1
55be2e8f294f7239c903a5f2e96f841a31563aaf

SHA256
9a31ec988e884864f8789a4ad2df9f20435826747cf2974103650643b29bb0ff

SHA512
ebb49850e1071306cccb3d44584583593b18e44a7406def0296869d9ee39dd1ca8bb0bbbc80af6e7c7615df26994489f683f21effb3576e24ab349855f368588

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
ca454ef15ff1ed30ec5d53ad6ad4f2f2

SHA1
a9c3024f59fc32fda2f6151379ad2bd8ed3d50e3

SHA256
1ffe7a53a4d2c41544d123d06d03ee5da674709e22d39f6f010f1ba2f78ce290

SHA512
93c0c7babd2f99d7c18a94348361d759e2b7f7e01f383b4ec77daafa32c81616eaabd8e612e694aa8fb612183f3b22cbb2fd3f22601278039340f8aec590d459

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
f3cfb3dfdf6e21c712da092d0013654b

SHA1
3f214c4e842ccb32278566dc6e2e884e30daef3e

SHA256
5e5a6d232ba2f6c19bc10b3675613584e2733a9e977ddd2ae13cfaef1a11e7cb

SHA512
f41e1189b454c2b5a000200af5362a81a519563a870f4d5d6631bbc76b02d82de5c9885ae9b8401f81fef66a31dc7ed0c1e26168e5abfdc4d4f2d2ecdc768a04

Download Submit
memory/60-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/60-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/664-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/664-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3080-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3080-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3788-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3788-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3888-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3888-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads