berbew | 0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4

Analysis

max time kernel
105s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
Size

96KB
MD5

4594f791c3d54cb47a5ae059948a3900
SHA1

94668e816a9db11f281d90626243e96a8697dc8e
SHA256

0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4
SHA512

caaff288c013c8cb884850b6d371f02c294bfa1ed9736fd939a9b340ab3652eb7bf3e01f363b058b86b37338c25e09b23295cb43334e515e308eee40fd9ef8af
SSDEEP

1536:yKMtmls7zf1tz38hvNRc63X4xkVFxTYDv1wrkw92LSc7RZObZUUWaegPYA:2f7RZ0VVFxTYb6r9O9ClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 30 IoCs

pid	Process
3404	Bjddphlq.exe
452	Bmbplc32.exe
3712	Bclhhnca.exe
3624	Bfkedibe.exe
2696	Belebq32.exe
1360	Cjinkg32.exe
3172	Cabfga32.exe
2428	Cdabcm32.exe
2916	Cfpnph32.exe
2236	Cmiflbel.exe
4524	Chokikeb.exe
1340	Cjmgfgdf.exe
3116	Cmlcbbcj.exe
4064	Chagok32.exe
1460	Cajlhqjp.exe
3408	Cdhhdlid.exe
3524	Cffdpghg.exe
2076	Calhnpgn.exe
2484	Dfiafg32.exe
3996	Dmcibama.exe
740	Ddmaok32.exe
1636	Dmefhako.exe
4620	Dhkjej32.exe
4872	Dodbbdbb.exe
3828	Deokon32.exe
2208	Dhmgki32.exe
1480	Dogogcpo.exe
4376	Dmjocp32.exe
456	Dgbdlf32.exe
4428	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4716	4428	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3404	1584	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe	84
PID 1584 wrote to memory of 3404	1584	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe	84
PID 1584 wrote to memory of 3404	1584	0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe	84
PID 3404 wrote to memory of 452	3404	Bjddphlq.exe	85
PID 3404 wrote to memory of 452	3404	Bjddphlq.exe	85
PID 3404 wrote to memory of 452	3404	Bjddphlq.exe	85
PID 452 wrote to memory of 3712	452	Bmbplc32.exe	86
PID 452 wrote to memory of 3712	452	Bmbplc32.exe	86
PID 452 wrote to memory of 3712	452	Bmbplc32.exe	86
PID 3712 wrote to memory of 3624	3712	Bclhhnca.exe	87
PID 3712 wrote to memory of 3624	3712	Bclhhnca.exe	87
PID 3712 wrote to memory of 3624	3712	Bclhhnca.exe	87
PID 3624 wrote to memory of 2696	3624	Bfkedibe.exe	88
PID 3624 wrote to memory of 2696	3624	Bfkedibe.exe	88
PID 3624 wrote to memory of 2696	3624	Bfkedibe.exe	88
PID 2696 wrote to memory of 1360	2696	Belebq32.exe	89
PID 2696 wrote to memory of 1360	2696	Belebq32.exe	89
PID 2696 wrote to memory of 1360	2696	Belebq32.exe	89
PID 1360 wrote to memory of 3172	1360	Cjinkg32.exe	90
PID 1360 wrote to memory of 3172	1360	Cjinkg32.exe	90
PID 1360 wrote to memory of 3172	1360	Cjinkg32.exe	90
PID 3172 wrote to memory of 2428	3172	Cabfga32.exe	91
PID 3172 wrote to memory of 2428	3172	Cabfga32.exe	91
PID 3172 wrote to memory of 2428	3172	Cabfga32.exe	91
PID 2428 wrote to memory of 2916	2428	Cdabcm32.exe	92
PID 2428 wrote to memory of 2916	2428	Cdabcm32.exe	92
PID 2428 wrote to memory of 2916	2428	Cdabcm32.exe	92
PID 2916 wrote to memory of 2236	2916	Cfpnph32.exe	93
PID 2916 wrote to memory of 2236	2916	Cfpnph32.exe	93
PID 2916 wrote to memory of 2236	2916	Cfpnph32.exe	93
PID 2236 wrote to memory of 4524	2236	Cmiflbel.exe	94
PID 2236 wrote to memory of 4524	2236	Cmiflbel.exe	94
PID 2236 wrote to memory of 4524	2236	Cmiflbel.exe	94
PID 4524 wrote to memory of 1340	4524	Chokikeb.exe	95
PID 4524 wrote to memory of 1340	4524	Chokikeb.exe	95
PID 4524 wrote to memory of 1340	4524	Chokikeb.exe	95
PID 1340 wrote to memory of 3116	1340	Cjmgfgdf.exe	96
PID 1340 wrote to memory of 3116	1340	Cjmgfgdf.exe	96
PID 1340 wrote to memory of 3116	1340	Cjmgfgdf.exe	96
PID 3116 wrote to memory of 4064	3116	Cmlcbbcj.exe	97
PID 3116 wrote to memory of 4064	3116	Cmlcbbcj.exe	97
PID 3116 wrote to memory of 4064	3116	Cmlcbbcj.exe	97
PID 4064 wrote to memory of 1460	4064	Chagok32.exe	98
PID 4064 wrote to memory of 1460	4064	Chagok32.exe	98
PID 4064 wrote to memory of 1460	4064	Chagok32.exe	98
PID 1460 wrote to memory of 3408	1460	Cajlhqjp.exe	100
PID 1460 wrote to memory of 3408	1460	Cajlhqjp.exe	100
PID 1460 wrote to memory of 3408	1460	Cajlhqjp.exe	100
PID 3408 wrote to memory of 3524	3408	Cdhhdlid.exe	101
PID 3408 wrote to memory of 3524	3408	Cdhhdlid.exe	101
PID 3408 wrote to memory of 3524	3408	Cdhhdlid.exe	101
PID 3524 wrote to memory of 2076	3524	Cffdpghg.exe	102
PID 3524 wrote to memory of 2076	3524	Cffdpghg.exe	102
PID 3524 wrote to memory of 2076	3524	Cffdpghg.exe	102
PID 2076 wrote to memory of 2484	2076	Calhnpgn.exe	103
PID 2076 wrote to memory of 2484	2076	Calhnpgn.exe	103
PID 2076 wrote to memory of 2484	2076	Calhnpgn.exe	103
PID 2484 wrote to memory of 3996	2484	Dfiafg32.exe	104
PID 2484 wrote to memory of 3996	2484	Dfiafg32.exe	104
PID 2484 wrote to memory of 3996	2484	Dfiafg32.exe	104
PID 3996 wrote to memory of 740	3996	Dmcibama.exe	105
PID 3996 wrote to memory of 740	3996	Dmcibama.exe	105
PID 3996 wrote to memory of 740	3996	Dmcibama.exe	105
PID 740 wrote to memory of 1636	740	Ddmaok32.exe	106

C:\Users\Admin\AppData\Local\Temp\0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe
"C:\Users\Admin\AppData\Local\Temp\0a59fdd06bb305792471176b2efe3cab3aae4d375b5a5f261303317514b1aeb4N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\Bjddphlq.exe
  C:\Windows\system32\Bjddphlq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\Bmbplc32.exe
    C:\Windows\system32\Bmbplc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\SysWOW64\Bclhhnca.exe
      C:\Windows\system32\Bclhhnca.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 396
        32⤵
        Program crash
        
        PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4428 -ip 4428
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
116e511e045962ef41176bd3c700cea9

SHA1
40b2480b2cdfec123740da74723d173b6848a2a6

SHA256
beeb341c4fe169b1bbe44deb84a4b7808001a8ffdc4e4d1a319ae4b1ad49b217

SHA512
e5189c48ceef8cf20ee631ccd0c2d9513c7d4e04afabf7877b71ba240d6142a9ced382c01f1b4f27a90278f3fa48f3dd57b33727d343c5730c2bb815df9fc3d7

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
bf8601932a072bed7452c1e9e8ca556f

SHA1
6e3515bf83601a11dda6b1810c097cc61d29ae11

SHA256
fdaa8c499da44a1d14025e853f3beeffe05c055f3badd2f76bde541e17276e3f

SHA512
820e409a8451ef09a677ad96f2a2f206238c4f0c635bc761e444b1cd52a82af5ddc05d587d3308ddc75f4ad1afbe5da8a7e9d56621021f2efbba48bf8a04f0aa

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
96KB

MD5
83508198e927314e6683fe5120f7196b

SHA1
78768ba7c5ab3c018e93337c8dade924b736a360

SHA256
cd7c90439676e5e560074b885be86f215aab1765977fdb4983ac075f79eb8d14

SHA512
83b4b3350d03bc564cc6881ab4fc07efaf4f84b9d5be2fec99487b4186a2628218d67181db795462a4cc34b5d6e2e325019c336d638877f620f733510745e56d

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
96KB

MD5
5f01c33201ff53544bbde6d28019d2fa

SHA1
8c80abb39a04c81846955e11e17565241f3a0376

SHA256
c380a0a064e245c8f72f795d7e6ad824bc3e14e1e467ecf3d8a92f31673c2d66

SHA512
9e3174fef79e133bf9aeea9b8417e5411c3744d7f0abcf7c4db8aead618a24196f783c2ef3200c63e1d0e29484f9b161793bbad0bc8647e54494f0741d3bb023

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
96KB

MD5
8260b5d159d0a5c8197935e2f3fc0954

SHA1
7544393ee6e9984542afb0fcb7f06421566f249d

SHA256
2d1beaa3026cc13f859532ff4c6d7e7e352b89ced15e35c4940141bac8715109

SHA512
f85065dde117ba956e3ed6c94e65b6c5ee13fd2efd29e1cccc2e1e2e9dfd04a5b31f4b38b25a8785c261741abebcf06b337489cc0be2ffeea84f27fc193b11e4

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
a807929e4c39d050eeda1bce9f093d47

SHA1
03f1f7f82999a9ca80c288d0453dfe863f667179

SHA256
7e9b5801a83ef6f712271399da0cf2e9485e3bec77180dd4a8053cedff08beaf

SHA512
7f45ae2345c45fd396b6d8228eeff2d8212fedfcc0e2d4dda6fec40c43c29b5c6d01f9634295dc9920950fdb6c03d083e4b23217692ea1ac7a4bf14079167d65

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
4afb25c055a8c4d956afb393d5761b24

SHA1
2240c1b6665644ceb5a30f4389c989127b461cec

SHA256
652ec00d469ff4483360e1799cf0155d16d1821871bc0a12158666abda42717a

SHA512
efd9f1ee07a8706b1ba8f11d5010231cb826df4c7f94fafc87d6cb09f694644d726703e5fcef079ee3ff6f113c5f00e6f8cfbb60c29599d08234bc6a62428bdd

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
1689d40bd34da4de7a62eaa3cc12908f

SHA1
6fa1ddcc21c102bb544d376ca96650d2deaa2a13

SHA256
fdf0a644df26fc626a82d2496b057fd60cfa2cd97882cf054acf7726dae68af7

SHA512
cb05690fa2a1fc0301e82bb49395920e8e3b26c1ad08d5c12120d553daa2bfe5518169f7fbb037648ed4b0f1da9c0d86449bc1b37209330d24a10dc273452225

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
19fbfaa5866e67ab7c96e8b92ffae6b5

SHA1
3e7fa2cff595c3292ebb7b7413e69d7305039675

SHA256
328219287cebf73668ae1886e51d41e96c562a15c458d79c471d7c4b382cb910

SHA512
d6c314c476e599ce1b9a4927993b1cb56529739e537a48fbcd75a650710c73804c69e4e8ffc11228240a71e5725bccd44e39c4c1e83bfc04352543bcfcd3b859

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
428e3729900f4a6385957bff13e70c1f

SHA1
42a5cc75c024dee9627a91d1baadb88a319fd869

SHA256
4fa1c06a9fabd475630c9f735083d9660cfaff716ac572dc2a3845d8c953d44d

SHA512
5f4a042540708b01fd05cdba9d4ebdda1d01a8948466deb849eb9d50c23a7b7c224dc2ab1c3b6926730ac24d48e83ad4925b02d8c49c35c97bcb0361e86aee39

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
6e2d4db8b6be4ba60a2e4a2b6b10db24

SHA1
980bdae6f93a674629c5c293fe44e8c9240be273

SHA256
e1fecd7c50b266518dc9f37c3897acf49eb50350d17b4606022195405a927497

SHA512
644307e9e9ac024c03dc99e61457b776faaf28611aac261c795a604843b9ca4e27edfe51bae3b106ea136e70c71fada99f30483dc3478d2746d2c4db46333da5

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
048acb990de1b4a728eed917c370176e

SHA1
4abc170b8533de06aa5439b5d5bf42a4c0fcf6db

SHA256
f55747f86d47901bd67230979fb0ba27f5b42c96a1dc7a80a214e4f42c3c2ec6

SHA512
88978879f1520c78ab4b2299f1b520eafd206da43d1a9426fd02e9b45aea76b3e19a4e2621054876a4fea4c72ea9bfa16b5e9e598723000586b95a3c67917038

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
cb72f0ba4abdd671ab64cb9382af7fb5

SHA1
d33089f2ed039582a62b577a01c5ad09a1638384

SHA256
2ef9d49b93d818de5263d760044925b6b9c2259a00730db7b76425cd75224333

SHA512
7d5c4ee901866a1485cc3dd0df3eb8de823cb9dec1cb13fb448daa37340cc4ba6b328b175834e41b1d115dca8e6cae1c811d23d1cc72ace984ff2b2aecc62f4c

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
c242c94a5cccb45d255993eb23778aa1

SHA1
e4c00adab1196c8e3735d15d65e7c15e5f0a65fa

SHA256
6d8535d65c3d6a74be0edafa5e353a9169bf46df98df1d22271390a7c5e159a1

SHA512
bb08a26cf6221aa35c3dfc6d9a313d0046cbcc1b076c4e5f34ffaeb31c53435b40e1205792714201b2d21b0c92faa4e91630ecbd9e6b69d3b03612889088c3a4

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
e0fcbb66a3eae6427047ff3f8b79f641

SHA1
aa6bf529c2afefe52a511ed39feeaf127b41656a

SHA256
f5c1fadbb60434af387305408ff102f5aaf594701f36703090e6cd69fb559b51

SHA512
eaea741f3708ebd8ae0a57827b5f0b4df24f5e7c5a9a5dc6df32a30280eb2fc72609d565dd4a5370874a92651b97cdb2fbfd4fb7fa052042524554863d3a5981

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
29f43104e2e8a9a4b2b8cbfaecf1a778

SHA1
df3b79ace89e72f004bed08c9e17ca3d0355074b

SHA256
bf3c1b3cec4f91520cdb77acdaead9bc110df00926519c0681e1895c0991e5d9

SHA512
6fa83b9f109c367106ca33e8cc3c2d106affc983edd1aa3d1319a3e983261ad2f77c65d87de8ad7236be97983fef1407f70131a57bd4841d9642021565861545

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
9483e20045570457951031f2e5cc145b

SHA1
4c8420301f5c43daadcf3cb001e87f164f51a846

SHA256
e26300eb0d271f4535f15441f8da58a1f1692a5592b09ffaf3ed6c7f1e2aa25c

SHA512
d24d734d9251c412d19528000013dd0c86aeffa00d1b506daaf57fcd9c1ac1218a59ffceebc7e8a13177304a8e73a5cb7ed8edb6581b540c8fc3fbacb296d96e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
e1e9bd03d08796ab9023a065d12fdd41

SHA1
ff791b1516f36959ae6470541870db3cb6a56852

SHA256
097bc298408f213097fde21a3e20d8c525ddb35f00f7ed335904d169845ce7c8

SHA512
c2500c132ab8d0e453cecaf3da4583468ac9b9040907f8582af6b5a15bafa26843ebfa39f25ef8f4f840ea904fafe07dc264b3668c331842b47cdb78b73fa0c4

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
2e36d5018e7f7576bfafb2b8cffea513

SHA1
4cfef728495bfd4269841601dc142d8ec8cdd8d4

SHA256
f81868e0926734e68a997de293708a90ad51e7f0291d0de703997185bb432f1f

SHA512
556dd4cbf8b088dab0d9a61e817d6e5dfaefb24f5d848a228b5cfa408f327d3e4b9dc053a9b1360cd97e8d04005b88fe7ae46e8365b9a133b8408bc46ba5213c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
3618d4a9b02f0164ee0da1af44552b6b

SHA1
951381e0fc1d7d08d6739c89c1007d4d169f3897

SHA256
b2b0ba33fa111263552852eeb37628181d7ad8506a72e139cc72e14e7d5e6700

SHA512
354e6735975c164fbb5c26229a52a46e6dd6603a150b5c17e35a3cc83faf60d57603e16227fde8a9c59e763d2b986ff316a010faa8985782fee68598aa69f209

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
2844f1bad771c8238a4b106965b1adf1

SHA1
b75fa69cf75bb979f7d627f98814d1cfa10e9587

SHA256
8826ac78bf37c25409f6e5b9e0552119220d472ce3fa44bc693932da339409e2

SHA512
d20a64a4cb8613313b5280caf354aa10b6a59e276380957ed087249cf8b1959b92952e3b43a95d93ab32073ed05d699b582c4616a0895591bea57c867397f30f

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
133f635f34b9c678c628c7d17938b9a7

SHA1
6e54d31ed6f430b242ddaf1a7d23aec1aeb03a84

SHA256
0f8faa3009785e0dbe44bcbb22c67d19fa481fe428c9be9f40956abf8116d56c

SHA512
67611f68cc434352509dbea31b36dd8df3b2ccec1897b9137374d5c67ba6fe50af1c86b65c4c7dd7398475cdbd4ac81fd667f9b9daa7ae2c0bcce8446f2c4263

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
ec1bcc9193cf1692bae66bff1a44f511

SHA1
70fe84b36124d5f5645db5b6b02d01cd3398f90f

SHA256
7e20104a576ef19c92578eb52e7a7dc5de17ed2ad50860aa072debc226db9850

SHA512
92a347a991fd57b02975a72aa16872f91aece2fcb8cd673c79827fd3d0959fdf7ca164624203f38d5fcf5e45a7c3505ef2b72a9f0edf4aa3b23c871fa305093f

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
7ebab0f1befdb5b7d1aac546cf886129

SHA1
503c1a97c38e3893dbfddf2f2a4639c31e90aede

SHA256
9d5cb181c8fe7fe0c208bffc73c0b7d03e1d0b020e60d16fa048e08ff4bb9407

SHA512
d85388bc7437419ccfa6dfa999124581047d7151a11f372187b70381b5c3afe012ff3060e877e858850246624dd19b81297be3cd22e3085eb24fc28b5a1c5c59

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
d7ceb64fb10ae2fc43d391653e895e06

SHA1
4da5cd73769208fd53cc89b25c36852495e6144e

SHA256
5b8f57fffee367ab63e24cead3188ef4675a9181a4eaba8322b0e71afba4ced2

SHA512
4489707d6f30730b72a06a0e3596a7bcac433f4b46dc027a7afda2bd12228b9974cfd17a9bd3bdf28cea344dd0ccf55a4ac5743f33ce3f962ac1acd1d6a20dda

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
1d9b93cdda6cf49500d9c084e8a63391

SHA1
3302f7d659eadd0ef19e043b7c3e93ed7ddf26e5

SHA256
9753a5fa6112d03f92421e61cb9e8bd75a8e0116d06da7077ad16bbd6b60ea77

SHA512
bf5851fba207a4a1e95de3e4deac1992b46d267c9f6dacc613d037a1dc4fcc0d902bf1de5a5e3fc04cde490fd0a999088f9274816c89b72318de0875b858da80

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
ccfb6e58e68eb71a6b7821cb8225b040

SHA1
57083ec6704aad08d5d3fe7a49a4fd3709e2209a

SHA256
7f78bc3daaae73e8c09d17946c4487df52833229a8caeefa206dc226d191cfd4

SHA512
40af15b4e1c5587914741359b9f0144e9c34c48e89b7b03bb384f26c44f08a647c2dc234717ccdbc1752d89d854d2e0db909fbc533651849da246690cf77957b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
d23cdbb3e3548b900f55474ba67860b1

SHA1
2e18b525c1570fec2999609473d055b491b428a8

SHA256
023911f3a9bc8bf03d61f38b271cd205ead8d056e40e6c5aa1f7c19e823d89a6

SHA512
9466385f089df277fadf5404f74aa2ab43f3b337feea1f318180e47085fddd8bbb134a0b8a150e11b60310d3061c3f12c06271bb7faa542fd115ea8e6e8e8744

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
ffdf7ac41ae368b224ad1f586443077f

SHA1
cea9a5f48b47717a00e4a24b969fd0bcbb7ba075

SHA256
708c3c49d1883e4f5fd8129db0ae4f1b98f69469ed8047048b7522be6a444e9e

SHA512
ed8d3ba1e73c7fbb65500f436675eaaf0714a804e82443d0f4f79c0f56bb4dcf20c241c2247187e5ec0a8b29b128d459b0f964216dad4010345a7d9a08270685

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
5a11c0f0e6addf3a73968b781f0d245a

SHA1
9160eb6d7f8f117cc3fae33dc6dc48e374c9613f

SHA256
f6f580d385fc61af9e090b6de457675dce2e462bee1dc9caef798af3e19fd683

SHA512
9997ed17393e4c9e97a226053d8c817ecaa1a3e838f7921911bee0eb585f1c499a485c32f93c2a53ba634a27aeb4361fefcf74e4b7fa7dbde60f7189e4ede361

Download Submit
memory/452-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1584-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads