berbew | 82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6f

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Size

96KB
MD5

d93ce70f6eff4bd78b9e080907a2be70
SHA1

044fcb3bd35b142ce4f41882289b93f5bf14d23c
SHA256

82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6f
SHA512

8e493ece84d9e3dd9730884969226a1f3aae7bd92d7c8154c7de65ce40a27c62f2cd22557346416a4c9af99780f062c37ffe460512c796dce210c855a79b1bfa
SSDEEP

1536:BVwjQOK19MvL/CUENldZy+VIk9i+om/3zb44444444k50txc2L657RZObZUUWaeG:BVGKfc/+LTIk9iy3P44444444BH4ClUt

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca2-143.dat	family_bruteratel

Executes dropped EXE 28 IoCs

pid	Process
2220	Cjkjpgfi.exe
1708	Cmiflbel.exe
1664	Ceqnmpfo.exe
4936	Cfbkeh32.exe
2748	Cnicfe32.exe
2396	Ceckcp32.exe
2348	Cfdhkhjj.exe
4688	Cnkplejl.exe
1320	Ceehho32.exe
816	Cffdpghg.exe
4332	Cnnlaehj.exe
1736	Cmqmma32.exe
4032	Cegdnopg.exe
4924	Djdmffnn.exe
4456	Danecp32.exe
3516	Dhhnpjmh.exe
3384	Dmefhako.exe
2424	Ddonekbl.exe
4900	Dfnjafap.exe
4620	Dkifae32.exe
2428	Daconoae.exe
920	Ddakjkqi.exe
4452	Dfpgffpm.exe
4816	Dmjocp32.exe
4348	Deagdn32.exe
4184	Dhocqigp.exe
4736	Dgbdlf32.exe
4284	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	4284	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2220	4072	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe	83
PID 4072 wrote to memory of 2220	4072	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe	83
PID 4072 wrote to memory of 2220	4072	82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe	83
PID 2220 wrote to memory of 1708	2220	Cjkjpgfi.exe	84
PID 2220 wrote to memory of 1708	2220	Cjkjpgfi.exe	84
PID 2220 wrote to memory of 1708	2220	Cjkjpgfi.exe	84
PID 1708 wrote to memory of 1664	1708	Cmiflbel.exe	85
PID 1708 wrote to memory of 1664	1708	Cmiflbel.exe	85
PID 1708 wrote to memory of 1664	1708	Cmiflbel.exe	85
PID 1664 wrote to memory of 4936	1664	Ceqnmpfo.exe	86
PID 1664 wrote to memory of 4936	1664	Ceqnmpfo.exe	86
PID 1664 wrote to memory of 4936	1664	Ceqnmpfo.exe	86
PID 4936 wrote to memory of 2748	4936	Cfbkeh32.exe	87
PID 4936 wrote to memory of 2748	4936	Cfbkeh32.exe	87
PID 4936 wrote to memory of 2748	4936	Cfbkeh32.exe	87
PID 2748 wrote to memory of 2396	2748	Cnicfe32.exe	88
PID 2748 wrote to memory of 2396	2748	Cnicfe32.exe	88
PID 2748 wrote to memory of 2396	2748	Cnicfe32.exe	88
PID 2396 wrote to memory of 2348	2396	Ceckcp32.exe	89
PID 2396 wrote to memory of 2348	2396	Ceckcp32.exe	89
PID 2396 wrote to memory of 2348	2396	Ceckcp32.exe	89
PID 2348 wrote to memory of 4688	2348	Cfdhkhjj.exe	90
PID 2348 wrote to memory of 4688	2348	Cfdhkhjj.exe	90
PID 2348 wrote to memory of 4688	2348	Cfdhkhjj.exe	90
PID 4688 wrote to memory of 1320	4688	Cnkplejl.exe	91
PID 4688 wrote to memory of 1320	4688	Cnkplejl.exe	91
PID 4688 wrote to memory of 1320	4688	Cnkplejl.exe	91
PID 1320 wrote to memory of 816	1320	Ceehho32.exe	92
PID 1320 wrote to memory of 816	1320	Ceehho32.exe	92
PID 1320 wrote to memory of 816	1320	Ceehho32.exe	92
PID 816 wrote to memory of 4332	816	Cffdpghg.exe	93
PID 816 wrote to memory of 4332	816	Cffdpghg.exe	93
PID 816 wrote to memory of 4332	816	Cffdpghg.exe	93
PID 4332 wrote to memory of 1736	4332	Cnnlaehj.exe	94
PID 4332 wrote to memory of 1736	4332	Cnnlaehj.exe	94
PID 4332 wrote to memory of 1736	4332	Cnnlaehj.exe	94
PID 1736 wrote to memory of 4032	1736	Cmqmma32.exe	96
PID 1736 wrote to memory of 4032	1736	Cmqmma32.exe	96
PID 1736 wrote to memory of 4032	1736	Cmqmma32.exe	96
PID 4032 wrote to memory of 4924	4032	Cegdnopg.exe	97
PID 4032 wrote to memory of 4924	4032	Cegdnopg.exe	97
PID 4032 wrote to memory of 4924	4032	Cegdnopg.exe	97
PID 4924 wrote to memory of 4456	4924	Djdmffnn.exe	98
PID 4924 wrote to memory of 4456	4924	Djdmffnn.exe	98
PID 4924 wrote to memory of 4456	4924	Djdmffnn.exe	98
PID 4456 wrote to memory of 3516	4456	Danecp32.exe	100
PID 4456 wrote to memory of 3516	4456	Danecp32.exe	100
PID 4456 wrote to memory of 3516	4456	Danecp32.exe	100
PID 3516 wrote to memory of 3384	3516	Dhhnpjmh.exe	101
PID 3516 wrote to memory of 3384	3516	Dhhnpjmh.exe	101
PID 3516 wrote to memory of 3384	3516	Dhhnpjmh.exe	101
PID 3384 wrote to memory of 2424	3384	Dmefhako.exe	102
PID 3384 wrote to memory of 2424	3384	Dmefhako.exe	102
PID 3384 wrote to memory of 2424	3384	Dmefhako.exe	102
PID 2424 wrote to memory of 4900	2424	Ddonekbl.exe	104
PID 2424 wrote to memory of 4900	2424	Ddonekbl.exe	104
PID 2424 wrote to memory of 4900	2424	Ddonekbl.exe	104
PID 4900 wrote to memory of 4620	4900	Dfnjafap.exe	105
PID 4900 wrote to memory of 4620	4900	Dfnjafap.exe	105
PID 4900 wrote to memory of 4620	4900	Dfnjafap.exe	105
PID 4620 wrote to memory of 2428	4620	Dkifae32.exe	106
PID 4620 wrote to memory of 2428	4620	Dkifae32.exe	106
PID 4620 wrote to memory of 2428	4620	Dkifae32.exe	106
PID 2428 wrote to memory of 920	2428	Daconoae.exe	107

C:\Users\Admin\AppData\Local\Temp\82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe
"C:\Users\Admin\AppData\Local\Temp\82ffede64282ffbeb543f97e5acfd185ef1083d814d7d42bf2a8a37242ab6c6fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\Cjkjpgfi.exe
  C:\Windows\system32\Cjkjpgfi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\Cmiflbel.exe
    C:\Windows\system32\Cmiflbel.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\Ceqnmpfo.exe
      C:\Windows\system32\Ceqnmpfo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 404
        30⤵
        Program crash
        
        PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4284 -ip 4284
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
32f1351182c38973a84f366651348a0b

SHA1
f8461fa4c8c87020ba9fc83a83d4e1f2e8441a5b

SHA256
fb691cb6f6fa41c182a5c62f11b3acdc6714c9f532ec072509248411351cbc94

SHA512
245bf1e696b6efe044461afb721fb1d7c4f1f3871b5967f36c24b31e634bfba1c56d16bc255f0d779efdcac34b52a5ff53e2fc77c14cd795c06fadcfb01a07a6

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
ebdc1e472637b21fd772b0f3804baa86

SHA1
d868b37054c22fb93bcc090a0eb588870f8952a3

SHA256
867daa78bc519ae1a597a351d1190a0997b05d42154ca71bacd036efbb84ec4f

SHA512
106629ad63e8fe2015dc82374f76d4673974990f5fe6da036d7f30e3a579a7940c8d93d28cc950a598a59e6e04074b1b6bd1edec576e1ad6de6b5c5b2a2a1503

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
73b361bce001bc732af003890e69ef64

SHA1
72b60aa256ddc837d98328c5eca7a5a07f0ab879

SHA256
e6327894657aea37271fe19d2dc8819df80006ee54e31d2a1efdea5032f32577

SHA512
92dc03fceca20cc1b7cc6520807833e5fa860fb0097c2bb8d8086269ba12391a2feb883ba75c6edbe788c3695dc2f519b1e61a1914b179076ee7078c1ea882dd

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
083f581c38f9e4df9a025bbfdd344bc4

SHA1
e69c1831ffffdeeb5ecb0d568682a09928d09117

SHA256
b111486d838e07b6d045b3ccec8ecf890146a5ce4c19a2129c9d60e51145757c

SHA512
5af0c7448a247fbbde576354d8b3df675ad6258e214658b0411ac33d75f978478d35f1b3096cbc7e0108a5dee971bcb16e5d56194cf14b73be405e224d00050f

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
cd84449412fc3f2a64a189ac35823d9d

SHA1
2cde74c2b5774ca25944aaba82be7da6930bc585

SHA256
5c6604565e95f1bdfdabe15820cf4a28bad35a665c2643949fe6d631e1dfd926

SHA512
f579c1cfca601bd0dce9044bf79aea18f52426e8acc79b2fa5e58b8a48aa70e74415e15e6d2f3a3b873ef230b25057c8ae9880386c637449b4cc6be79b3fa300

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
1000c2da2176a75a5967e04464d5f31e

SHA1
b2eff8b6e4b8fd340be89540ac69e6f959ab3d4b

SHA256
b5a71e6ba156c2caabf08281e18cf41f355097b5b7a68d402d78650520808108

SHA512
18632a323da023a71237aa181dfa7b6e4c282a866380b9a9eefff49c95e21af15939dbc7359a8749324b7c1e0154ea41f77d97b026c68bf1b9f96725fb58ebdd

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
ffda97ba96b1949be60582c608d75f91

SHA1
eecfe482ed5c110ff1a42f693ae6b62fa8d0bef7

SHA256
40e066484ea87bf6af540487c9b1fa7d112918ea0a25a497814ca7e08e5bfbb0

SHA512
e7bca32d138c1f3c7c59de90cc68c2128e96121be0ab8ca9a1df591d6a5613741a3141dfb379aad69480e9fdf61c736cbf1099ba5214df8d266e912c9160b225

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
cbff0b331ffc7cfd85a58de8d1530949

SHA1
9e4abf3253f439d59ccc422e5fa4b7fec2d3b67a

SHA256
896e600c43a6304c39072f2de2d1abfeeea7926c1e130e85c48f6492b48f3b53

SHA512
e0588118ea33b1076318f88d345220841a9bd6a5ab6df0ea3c90c8fdeef4ad656fc86760fc1d58e7ee89c467f1ea1c2ac9b923e7427653a4fb96462b18d5b25e

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
e21b2601cb8750277acdba56b1f8fa01

SHA1
7159b2342288f0e8d89d158ab1404c021baf8118

SHA256
4fc92ab62cf472626578599a155a8bddf435187de3600c53759dc57fcf087cba

SHA512
b21e8ab352c5ec0eed0827c82330a090a58571ff79dfdfe9e65f996447646853d0a6c76af6764f4bb0c5e70d3d2d60bd2f7239f0f0732968018a606cf4493a71

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
ad50beb23f711998c7858c916a8ec5f2

SHA1
ce985efea1fe27c9c26edb53a4e80569c523811a

SHA256
ad95497ba2196a1f16a18f51e465e9ae64e90f9a4bfc99ab8b002f5e14cfeb38

SHA512
77f6a64c014afdc70c2a7b842318d209408d2dc089ee0ad95243507014d7f0b462f60e7763196da8f4322e38bfda4198d012ea1427b61c74f279b5dcbda9a8d4

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
96KB

MD5
fad2e770375f1469176b7d3505045371

SHA1
d2d54d70002d7911e23f6eba89d1d1c60d709972

SHA256
5578bbd71865c72477c52da8c4646ccbf8ab809e6879e3b222ad325c03a04158

SHA512
2b76a3e7ec7ece6538e1487fabcd0672c223d86b03a65258bae989f510c24c584ceba823958ffea35acce328094d0221cdd63f7c09fbd8c2bf49e8139eb01627

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
545b8e6e1f08218a361791ea12e90889

SHA1
97e602c76036aa8b0ef92bf483a8f9ea357efbcf

SHA256
cef55291a15d49316c2a654d4799558eae861274b9b26276ed7b0fc5cf6a669e

SHA512
09863f5d96c93a1448434ada0b340444a910f5d15876c841cc97a63b8a9fa74a554bb0f0ffcf790c500eb7b9ac2ed0ed6425f12bde2d50cb5f867942535a5412

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
cf6a87204d0c4c0becb33c23f4721298

SHA1
a728d44fa2534a0455d4f78b761ffe5d6ab6810e

SHA256
e871079462c5fa5209e1ea043780a52d19834b4ee7ba1b1ec27b199140357766

SHA512
2fe8a94c6032a5fa6e597ae30c24ce8603d5024e1dbfc0b0d41f854bf144a18a42222fef04f764c1c45c7d4e0b8dfa5b5f6b8b38b103be73a98b9f87a84ead7b

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
d66022205a86fbbbe191b6e64dea6626

SHA1
733dd107142f1602eb77108fc5d6a6ca96e38a3e

SHA256
3836513482af96bccfbe4ab450eb7adc75da9db36e8be21c95ee4e0ea3173c7f

SHA512
063a7ee1c20744236c90fc3db97d635063f8c6125f8c298866ff462869e22d5a4a302475cd0d8d0ebe4f28b6e9c71b4c799a19883b101325eadb5ae6b320caab

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
f72f7a1584f361ab0b91a4f960b07000

SHA1
85f26be2aad840f38e763ee233e0e0ca59e80aca

SHA256
c096bdb61741a56d207d2f36d65b84c5ed88991a10064b2e572530a629118edc

SHA512
6e89a6cae12e9bdbdd0f3ded576cf6dfac3ffdded1a6bba8dc75ebf810ecf311775d343a59fe32b1518bfcaed7f3405efd5c863c56df435d76291956da4f9914

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
a456ad47fc2244148d1e5a41cfb10966

SHA1
9e39d3a337ec8cf139ee1236153769a4fa64567e

SHA256
7480c736ea467edaa2a451b16254dd73c866baa7f6e8c23dae053c1dbb6efa2a

SHA512
9a44cf419e48ab5f31747cada06d0648c39e9316b43a34bed0d3f8f7003ee99b804ec3a8e598b8a4a182d9439bfdcb6ed7f5eadb61627e6b0c41dac49f436b23

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
374c376a197eef935d6794dcea861992

SHA1
a1920f915d0049121419941d3eab367e18dcc91b

SHA256
556fc33f1a487e0c22a0e62d3daf5a065c9dd9a4c4bdab1a3b5682058beb7a01

SHA512
df57f3746f3c0dd3596d712b7ea5d1f18c0fa6265544767fc014df5deee47cb2c2a611bb7e7cb45668331e428163f10a8614ae855711815d70adb8644c270bfe

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
0285300b9fe9215d2056198c8725382d

SHA1
773a25e8d3d79c98058204a0f2bcde6cca48d958

SHA256
f2e9dd1ed5436d44abef49ec5861feecf65e2054c945179918c91ff61f3913a6

SHA512
84d5d43b2043de3c0ab668888f14890425a9b23cb22de8775c09ae706f6e713799fc8e5cd905a2c54af67319a9538199e841b0df6e04e0f900b38aa51424c425

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
664981b558a3fccff887accbb2862a19

SHA1
b887c8eadaaa4a9f0b9a67a6aaf5736f08d31bcf

SHA256
a3bbffae18d085dab7a1ce3c7ff0abf208b0ad98a15c0da8821d9cf670844f74

SHA512
a4c93954cf9c361e63e2bf1e3e042db469f2efdc0e14c38d80eb8127570cfde52720d66a6ba897d4b3ff15570babe012c803ab898568d3dfb17dedf6085b9645

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
435c431a4a3a89fe40554258e76b9c9e

SHA1
cf92acfbc5f7c5d762e525e1de9007f5976a4401

SHA256
faa1988238bf8914eb6a8a5eab5da16f6d2f441e5ea26b249fafe92589a494f7

SHA512
1f9260d81bcba3468170d30584ac52e28c7d101a259d2a2fd431a8be556894fafaa2a81fe41b0aa108c3e96ac56a9499fce2fc5bce67a9b2a71bfd333acb9657

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
030f7daf10a1b861ec6c7bfe86570edc

SHA1
c102405516c4f7d24879fde6cc77db720448c576

SHA256
8527767f843f04084baf36e080f42404c3daa186dc5caf62dbe438860059e9b3

SHA512
1f06ccbda713c1a9269c70192519fce609cd42f3ccaeb84d4871244a55539d0178741ad3f2aa0cb85e1ccd223f6cffe7eb30d98a4cb2058d5168e0bd8804104a

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
bb731b5527404ad54dc26f14a3d62288

SHA1
edac52c7b16ab42dd0af6e53ac45b3208cc21319

SHA256
50e64cc65aa3881753ed3af3d57211300d6818c085cc57743ead3af035c29510

SHA512
46b12e2c16754a6e668852f3b6ef21c0b83240fd13e3d8a278352f560cc7a1844b70d9c9b0699c7caa0ca4b2f23b51f7e5901c44d81cafb32d897957b2520a84

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
d02d56f9d4cf6b6425df99a986c59dc0

SHA1
2edaf06fb37ad377b794fd8518db7d01b4986256

SHA256
6ecc98a52cdb11845850b5c808e579e6c5da460a6abd138632784587604ac99e

SHA512
94e866513b922415a39120cbe053de319f58a06aaf296f1922ded59f407fd57f0c30e5a20d23a1385add9a10604466521089269838f7908aab4e75caa0d654fd

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
cd4f47c7d5bb3b5f1c9dede198603404

SHA1
d52b9457aaac322cb891c6784863321dd80880be

SHA256
54ee6b329b4eafc70c54c4d21008a65758a86d19876cf8b2ffc077207f22d4e4

SHA512
d68f7bd42209425b69209a2015be783bc7d756b8e69335dfd4c506cd3439b3732a28b9b13b688bea0ba7a4ea64d0df528cd5b7ee34acdcbb65a008439cc98eb0

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
96KB

MD5
f0ae4f289bc6fba67e7966eee72de91a

SHA1
22aeaad6d566ef7134e5ff6a11ca32f91edcfed5

SHA256
26602ec116dc52abee4e6d248efe7faf925fd21cbd68209c6fe95257f9244694

SHA512
d3e1f9b981877ed2822d01b7c8ce4d48a9197feb1b418404c67af732170c834d5d119a99bb53c7c9ed821a85bf9a2c234ead484a55084bf7578739c614bc9a09

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
67dd37c6c745947168155c78b76eaf8a

SHA1
bfd17c58843480b6327ece617fd5d61746ae6d6d

SHA256
3c1cd2b2272bfc5d94062b900abd38f99346a8146878b68a3e5a79cd6301aab0

SHA512
657d3eff7c122f5b6ca63cfbde0c0ca1b561867c5e4b3c7feaa764c4f58a047598c523f8ed2efc3550a79fae29c2223d4327330b1ed4a19205588f508cbeab6a

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
ae9fd7be764b3e45a9d9a20fffef3fbc

SHA1
11462bd7d546129d0acc8e1a9c1fd8b38d0ad3ed

SHA256
6f38fb073ea7d0d9ba2f613c5fa680291267554000e39e845607af422e837e90

SHA512
5a688ee34186330c450ac9c520732d7a73478ec76a319a000fda8776d7cf74d98d230538feaef93c9db057be086e9ab9a797b5f9baf271bbcf9499aeaf9720e0

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
4e470a37701fc053a7ff4ddb7e587a80

SHA1
3a6e47321682d11c85ddc838b2908301f23f16cb

SHA256
5ac454cfefeb72e57cef44ed2539913a970282c97355f8abe48e064a38c384eb

SHA512
84ccfbf79a8d92c894451bb07acc3c63820f3de98f9cc55e0a45078a6d19b346d69187a4d41e155240ab4bfe51f3030dd33b1230b8a9d5f5e1c0c70f2d06c2d0

Download Submit
memory/816-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4072-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads