berbew | b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
Size

89KB
MD5

15ee1ece0aed9e92c9009943cce3a070
SHA1

3ee381e8b22a3f5a5eb02a59b0ad81df25ce4e35
SHA256

b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a
SHA512

f5336e912bd134788f145432c8707c0d7bf7eb97b444cb85135d8139067708c1eb1c3d6594a74af31f46dcbf347f8f60422da443cf40fbdb1be087cc67017df5
SSDEEP

1536:lNn5Kmt1u5WFx36eSdjeLm5WeqA5pWFnrTXF41UrljRRQBRD68a+VMKKTRVGFtU0:/o0Q5WFp6eyiCAnvbrljReir4MKy3G7j

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
412	Bcoenmao.exe
4844	Cmgjgcgo.exe
5056	Cdabcm32.exe
64	Cjkjpgfi.exe
4664	Cdcoim32.exe
4484	Cjmgfgdf.exe
2392	Cagobalc.exe
2008	Cdfkolkf.exe
3276	Cfdhkhjj.exe
2788	Chcddk32.exe
3956	Cjbpaf32.exe
4880	Dhfajjoj.exe
628	Dmcibama.exe
512	Dejacond.exe
3964	Dhhnpjmh.exe
1592	Dobfld32.exe
2952	Dmefhako.exe
3980	Delnin32.exe
4840	Dhkjej32.exe
2340	Dkifae32.exe
5004	Dodbbdbb.exe
3940	Daconoae.exe
3232	Ddakjkqi.exe
4028	Dfpgffpm.exe
388	Dogogcpo.exe
4980	Dmjocp32.exe
1820	Deagdn32.exe
4372	Dddhpjof.exe
2700	Dgbdlf32.exe
3700	Dknpmdfc.exe
5060	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	5060	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 412	4380	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe	83
PID 4380 wrote to memory of 412	4380	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe	83
PID 4380 wrote to memory of 412	4380	b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe	83
PID 412 wrote to memory of 4844	412	Bcoenmao.exe	84
PID 412 wrote to memory of 4844	412	Bcoenmao.exe	84
PID 412 wrote to memory of 4844	412	Bcoenmao.exe	84
PID 4844 wrote to memory of 5056	4844	Cmgjgcgo.exe	85
PID 4844 wrote to memory of 5056	4844	Cmgjgcgo.exe	85
PID 4844 wrote to memory of 5056	4844	Cmgjgcgo.exe	85
PID 5056 wrote to memory of 64	5056	Cdabcm32.exe	86
PID 5056 wrote to memory of 64	5056	Cdabcm32.exe	86
PID 5056 wrote to memory of 64	5056	Cdabcm32.exe	86
PID 64 wrote to memory of 4664	64	Cjkjpgfi.exe	87
PID 64 wrote to memory of 4664	64	Cjkjpgfi.exe	87
PID 64 wrote to memory of 4664	64	Cjkjpgfi.exe	87
PID 4664 wrote to memory of 4484	4664	Cdcoim32.exe	88
PID 4664 wrote to memory of 4484	4664	Cdcoim32.exe	88
PID 4664 wrote to memory of 4484	4664	Cdcoim32.exe	88
PID 4484 wrote to memory of 2392	4484	Cjmgfgdf.exe	89
PID 4484 wrote to memory of 2392	4484	Cjmgfgdf.exe	89
PID 4484 wrote to memory of 2392	4484	Cjmgfgdf.exe	89
PID 2392 wrote to memory of 2008	2392	Cagobalc.exe	90
PID 2392 wrote to memory of 2008	2392	Cagobalc.exe	90
PID 2392 wrote to memory of 2008	2392	Cagobalc.exe	90
PID 2008 wrote to memory of 3276	2008	Cdfkolkf.exe	92
PID 2008 wrote to memory of 3276	2008	Cdfkolkf.exe	92
PID 2008 wrote to memory of 3276	2008	Cdfkolkf.exe	92
PID 3276 wrote to memory of 2788	3276	Cfdhkhjj.exe	93
PID 3276 wrote to memory of 2788	3276	Cfdhkhjj.exe	93
PID 3276 wrote to memory of 2788	3276	Cfdhkhjj.exe	93
PID 2788 wrote to memory of 3956	2788	Chcddk32.exe	94
PID 2788 wrote to memory of 3956	2788	Chcddk32.exe	94
PID 2788 wrote to memory of 3956	2788	Chcddk32.exe	94
PID 3956 wrote to memory of 4880	3956	Cjbpaf32.exe	95
PID 3956 wrote to memory of 4880	3956	Cjbpaf32.exe	95
PID 3956 wrote to memory of 4880	3956	Cjbpaf32.exe	95
PID 4880 wrote to memory of 628	4880	Dhfajjoj.exe	96
PID 4880 wrote to memory of 628	4880	Dhfajjoj.exe	96
PID 4880 wrote to memory of 628	4880	Dhfajjoj.exe	96
PID 628 wrote to memory of 512	628	Dmcibama.exe	97
PID 628 wrote to memory of 512	628	Dmcibama.exe	97
PID 628 wrote to memory of 512	628	Dmcibama.exe	97
PID 512 wrote to memory of 3964	512	Dejacond.exe	98
PID 512 wrote to memory of 3964	512	Dejacond.exe	98
PID 512 wrote to memory of 3964	512	Dejacond.exe	98
PID 3964 wrote to memory of 1592	3964	Dhhnpjmh.exe	99
PID 3964 wrote to memory of 1592	3964	Dhhnpjmh.exe	99
PID 3964 wrote to memory of 1592	3964	Dhhnpjmh.exe	99
PID 1592 wrote to memory of 2952	1592	Dobfld32.exe	100
PID 1592 wrote to memory of 2952	1592	Dobfld32.exe	100
PID 1592 wrote to memory of 2952	1592	Dobfld32.exe	100
PID 2952 wrote to memory of 3980	2952	Dmefhako.exe	101
PID 2952 wrote to memory of 3980	2952	Dmefhako.exe	101
PID 2952 wrote to memory of 3980	2952	Dmefhako.exe	101
PID 3980 wrote to memory of 4840	3980	Delnin32.exe	102
PID 3980 wrote to memory of 4840	3980	Delnin32.exe	102
PID 3980 wrote to memory of 4840	3980	Delnin32.exe	102
PID 4840 wrote to memory of 2340	4840	Dhkjej32.exe	103
PID 4840 wrote to memory of 2340	4840	Dhkjej32.exe	103
PID 4840 wrote to memory of 2340	4840	Dhkjej32.exe	103
PID 2340 wrote to memory of 5004	2340	Dkifae32.exe	104
PID 2340 wrote to memory of 5004	2340	Dkifae32.exe	104
PID 2340 wrote to memory of 5004	2340	Dkifae32.exe	104
PID 5004 wrote to memory of 3940	5004	Dodbbdbb.exe	105

C:\Users\Admin\AppData\Local\Temp\b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe
"C:\Users\Admin\AppData\Local\Temp\b7594b37c79c78f9ae653c7f207490a8d54991aab92a15513dae3d2a9fc2f60a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\SysWOW64\Cmgjgcgo.exe
    C:\Windows\system32\Cmgjgcgo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\Cdabcm32.exe
      C:\Windows\system32\Cdabcm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
      - C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 408
        33⤵
        Program crash
        
        PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5060 -ip 5060
1⤵
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
89KB

MD5
24f3e96d2234b31f1876311214dc040b

SHA1
d6945fa312bc603ed13481021dde036777db7909

SHA256
f98c95be06248242ea8d13e1c2a36aaefd6bb52993b53c7e8d75c816c1bead51

SHA512
af87371639c06285a6b77c8c812408ff4a55f893b18d89c350eadda941a07198ed801ef8cb8ad451b86c29aa3506350573e7bc13534353115e19f210ae08ca97

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
89KB

MD5
fd67e352120cf65da85a0b41d8474126

SHA1
060c89b3ee0189528e1a9f1962ebcd9380da9444

SHA256
34bc4103616fb94608cd8039d992d5766d77fb32266720f4afb0f666b910b212

SHA512
dcdf923809e2f2eec4196605dd649ff62ca46d326b8b51cedb6e09dd4c7ca24d4d99721a574b5e22b7c5370dcf0cca6918a637fef5713b364e3c9d1d09d6fddb

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
89KB

MD5
73a3fb0bca3c1e77e72a4d736e289a3c

SHA1
37c834e6c2c00e69554da0e9428c615a3609222f

SHA256
757cf3dd5917fbc975bf866344afe4b1fc1e404fea16bb06125e55884001d307

SHA512
922a7e250264da3548207b7e42e863a0e02b9f4e8bfb0fbc02c375d3a15ce80a98bbbbb9683f2323013946aef627147fc890ccf5904a6c0d0956ae9ab187a933

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
89KB

MD5
de3177f70ab9d996b33c04264049bb92

SHA1
bc757066e9e3cd04011cb0bcdd362fb696797f6c

SHA256
3ddc9a846ddace58401cb78029e04539078821b3dc66333141d3c0f307665b06

SHA512
4b641345d9d7b128db959a7b43fb0d88cd6d004d5e6b81e81b1771034476a178bb368dbe42670acc5d8116a0a3ac4f7a6c630cdd3bf531a8aa50bb31f079dd46

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
89KB

MD5
e3c8a0cff222ebfb8bb61198c8467974

SHA1
49977d90d8b87073aa893a2b36e9072d2a8ce71b

SHA256
76f478ac6a8c02d44850be0ee3c689078ede4ffc335e40059691d96abfea0463

SHA512
2e0b641b20e9b4f4cd45fc46630ba3fdd87e097de43c23685aa5f20a1a1e70df8e36e21cdd52cc209ad341673aab37c7d8dc9f543970597b3617762cb0214d28

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
89KB

MD5
715e97e941bf5fe5f3659b6d1be66f69

SHA1
370067447ee91db3f1729a3b5514c4bc919cc795

SHA256
e99553271ae2ce3f8d9946af935d6e2d4d7cb72885ad80d520dcc78e1554e281

SHA512
277ad461a7f844badaafc1ffe1ae763c041b1dd2267a557c548422cd2294b9f2b61119addd972ff25aedd6d0adb1c92f8f368147710e3c7e72e49c5b03f633ff

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
89KB

MD5
d7c59e0f7e91d93c48558b66a5b7c46b

SHA1
c3e53840608208a236fac9392606b856e43ef584

SHA256
e6e3a63e82df0c2e99f5a116ebea04196ce1ecff6ae24f5f615ae1882739071c

SHA512
f9bf51edbb16419fa089e8e3d299307da33c016a88ba9ec4595ed8c64d5c7c512ca769f7451c8a01706f68d78fb4a37de748ca35ffda8f7a70464963f81b58e2

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
89KB

MD5
73154e5afe593f035b0056f8ddd0d7b6

SHA1
d40dde86ec6c53e0d0abb47e740571d43f0d1502

SHA256
dd24fc418fc9d8b349e73b4152d877c660f311e99330a75beeeb6238f7bf7a31

SHA512
65b98adfeba0406d3db7675e3e62a0f05a60f008b2629db1a19139b3abeb0f156e2fa231d6b3c243ffc369302d1746e1cfe35822f694d71ee38b37074d8f621c

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
89KB

MD5
aa382f248e79e2d571d4f6dfb4422ab7

SHA1
a47ad271faddcf4d050ab4ecf1973d6949e25026

SHA256
d2096aee2d43bc87620aa8f2b4c0b0b86284acb1b8ae6dc2cced77a346df2f7a

SHA512
b132da78b32e472b55d2ac6b9180637ad54936c6d7b537a827e4bc53d575ff06fe68d952084c09c93193f4891413fcc6fe31d3d80f02179aa3366a13ef152d0a

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
89KB

MD5
7c28ef0aca2392e348a1d8174926a7f6

SHA1
d3c22e4de9f7d048f6c7e7d12afcbea5433c025b

SHA256
7c7ad4fcba5d2bc5fec759d28557634ed39638faed858cc398b5670d64e1847c

SHA512
5217774d759201c86710aed4fdb40a51906a45b7bde658b92092331c25d96639bf9a1f1b7ee2c8459874e63eddb5e5122668f9251eff5da50b32b425fa2e1de6

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
89KB

MD5
252fe9099fec724d9997ba22a6ce6de6

SHA1
bd9a68f012e156ee602c694af712fb31993978f3

SHA256
63556c2a1646f1fb916f6aa72e114cc50024fc229c842f7e6da50389bded7e76

SHA512
a27f358491a70a01658c19fe453345c3fb659496c6d2762a1be11e49966dfc6a3651b1c4087f6946fc618a5499a9e4c048688845f7ae16ddf479996d714fa259

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
89KB

MD5
5e28d149a8879bf57dc4866ea90329da

SHA1
a64925c27dc355372bf231c2120c9e4a41477714

SHA256
d7175bab743764f399e8d55df4b957717d45446c4b48188a5f32b02e2143742b

SHA512
b8601a4855aa4cbc72a75bdd341b776efa53ef401938cc0d5eb2c9d1a8688b16069e85335629cf5bf7e66f5ff32dff18ff23fcadafca422232f09d1f7fd4a327

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
89KB

MD5
15e04896782ef8e92f07ddb36d70ec99

SHA1
0395fba17ebca488fbd0cde773ed5831f9c52056

SHA256
b5226b6635765bf654dfd0f2de342fdd9c0a62e3e4e071fe2229483c727f1d30

SHA512
e9411375040143e665060d618a9ae1bd4fde12eaa4eb0dbdd2cdf59c1413c96e741963c228d5b5c86d74ccbcce8dcb90f47287dddb2f2c68c7c66aabd2117a70

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
89KB

MD5
a20de7c9e8a640f2c7307a0f6fec074d

SHA1
7d51510ec4fe74a57018074f80ef1df8645dc4fd

SHA256
b6e11e68f2cb7c108dddcad1b6ef429d0bcebf9da8739a6cf582d634bd2976c1

SHA512
24b40f3eee38148fd6888510ae64b84eeee051cff06237de3c57b44e6c6af2be04bbacbfd3ae324dd0e040c580ac3e081db3503b4df88ee39b43379675b24597

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
89KB

MD5
cd1463d89738e1280d79d06c1f8ee627

SHA1
d590669091adfdcb8832f55a8acdb63f3a64a5f6

SHA256
8b66bbf83956cc788edfd004e7bdc3e62cdb3185a061a4aba7a0dbaf4a0feb70

SHA512
baa7dffbf8ec01022c1726aa603d161b0c937e780749745ffaeec462fffc6aa6cfba1e8bcf20033bdc47b88d18e12e6edf76b64ead09a82d14fd5dd609ec4a77

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
89KB

MD5
245693454fff3593ee556f8f05f544a1

SHA1
7c1635d19cb610f83aea5ac997571ee60c9ca951

SHA256
b5932e963c751813fc0d62098f9358b5a8846f6da74ca3a5eb3d05722eef66c5

SHA512
e584d9bcd473991ed79c8299acfdbb38a8d8bec5de512dcd6ee3895a4ae38085745747bc0bcbece45d6f80a8783cf24f65b739274ac272ed9cdba95ad73116ea

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
89KB

MD5
eba2287ce6a79bd1f62df5149826e661

SHA1
7dc030c10d8465e5ed426a2251d9f48b6eaa7f5a

SHA256
6ba4222f6ae7dae6b802310e6920b495a95b490f753115a63885ea31d28c9d45

SHA512
8c6d3cc62ab8eb9052f773d672696e5d9e2f53fe37b93b5c04c43769a08d035383f7001dbd752651ec2578f11362d6e851d3837ca770810a7fda4d434b92d0d6

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
89KB

MD5
a086802d8b08bf21e9ded8f39d7aff4a

SHA1
eac118559761b0477f17651b134fcc02214b4099

SHA256
56d1b310e9fa70ebac0fdeb08c9cdea6861412d3b7f223bf2c9b9b21003b5ea1

SHA512
b55d4adf98bc7841d4504b34c9c59ee79d7d0c1688f1d08992993f79c5c044d058599a0bfb16eaddb90fdfef108ff4faa56d10e1df18134f2e1323fe1ef63c18

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
89KB

MD5
342c402f3b7ad2a0751926309053e556

SHA1
01d3b35217b2cb8dc7bc9902d5c5e44fefca50ac

SHA256
64716e37510a9675140b39e5b9b3a89eafacf2cd335c3fa39709001cce1f23a4

SHA512
f1e9a79ff31791a2eb2935b2b6a84a3790a0e25b572463aba063c3b23a2892ca039abd7b2e133fb6114c74b75425f6fe8d79e0e273b58500b140872d299584d5

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
89KB

MD5
fc8cfcc08e79558f6fabf0e3defde7c9

SHA1
cd3e9ec882b7513d72d17f05063e57ea57af07ef

SHA256
1d6625dc1e3fb913f782c5d304cb053490a5e72fbbf1fe77d965ab4a2eefc61e

SHA512
8392a861dc89867e8cfc3fb2423997df2866b8560e86f5433a0a8805b26a67acf508a92e7a738ec20d4c3be683219f2e16cb05750d0ae28197b121110c65479d

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
89KB

MD5
6b89712a28dcd4f2b419e396dc7daa6c

SHA1
291b4b0a317b3d3413821322e7fb6c077dcc998c

SHA256
62fbbdedb774870ab55ac3640b7ee8a08797b6abdaf6754dfefe9e570a4e0529

SHA512
51cd72d77970d20f678f4d84546967a3c75d1d1000350dbff2079290f1080b57e5ebaf5a68ad1ac34b3185749bd43ae6f2ae691414e4a7c0fe9999cc5621d2a1

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
89KB

MD5
85d63064cf918bb009290701478bc8e6

SHA1
98c5c7c92544f0292c0ad90a2bf12d67f5a82830

SHA256
7abaa61ed1a4f5749afd93e1d1d1cdc7550abd670bebc0acc9719c7cddc4a4bd

SHA512
e8432ae13db7c7bd07ee68c0e569d3ba68118b3aa2f0790e649b8265555f39a155459ca5db1e65a283321c09a3d48e06ce23bc70e7a5cf852e461eb9377930e2

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
89KB

MD5
fff6e8e5e71a2e3cd66ce00aacdba46f

SHA1
66e4a9fedd4231561e4c2e1df635cd6c22689970

SHA256
0ada04a5625dd3b0fb6bd6179a6063da1cbf21babb03e84a023b55f3abbf3e3a

SHA512
cde6b3ee6066be78a17b9e7aad4447b183fc76b7392c1923c704f20a350aff90db369af03682c678db3b455355da8dd88ff6a512af20f0b43537a0ca77a3fc5e

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
89KB

MD5
518856b96e5ee675133a2b92ecfedf75

SHA1
c83c1ca3800480ae733797ab8f032f6852ca88e5

SHA256
b51473be4204501e32cef3288cb2361a170976cf7968668e430a7de0363f7f31

SHA512
f4a9b957365e8535f8334bae561a3ccc183f39e5c76b254d0c4d8b19f98ef265e3d164c4ffa00583f4704a1dd1886a92d2c444c4b6ca0ea10cf3c03ae2e0bd65

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
89KB

MD5
4c9f12903b9f4d75c8623cb3014b866f

SHA1
bbb311917022eea43548be16cd034b8582e79916

SHA256
15f5f0a756e47fb5e0817bdb19dafaba5922da044a9bc8e0a1843aeb33ce0c19

SHA512
abb1dd6c30848942a97dc9dc5ae6b9cc6863173acd73c4d9c71187a8573c760d0e62a0d5370fa5682d906c61671acd7fd3ad9d449d1f4f3ef460292b07d669c2

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
89KB

MD5
18007f5fe1d56b4572262950ff13beea

SHA1
d6a519ab587c297f0e77f2017682dbc8d5209e60

SHA256
99bea24d6e3c7fda8e510e7a345db9b3ce3282fafbb8e4de24391087bc7c8bbc

SHA512
b9af0f86e6d3923c6b71a4b2104f0153ce5e17c43797ead323f1fa02d0dcf8ab0c2d2cf560109a22fc64f6c98b4190e643db8fa86d6d558ef01afc2c53e237c2

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
89KB

MD5
59dc02f4402efc4e2311bacadfdb338f

SHA1
f371e0be1d98cd5566266881be71bfdcfde29a3d

SHA256
f264f30e45c41d20e0522b18e99b14902eb039e10009f11f975bf90df4e7db31

SHA512
3c4b81bc1ad56b576c9eaf8e8e6a31ad437d9c3de2fdce0c8104bb7d93f3c5e500630f11ca2e53aa00adedd9adbbf4cb30db300d8afaeeed2e38d9d2f88b81f4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
89KB

MD5
3ed9195d30aabd4b7a9c90eff52449e5

SHA1
2bd6a0aaec673a990350029b715e603da740a087

SHA256
2953d57e9dde38cb8976eba81bc756938fa010e79afaee4bd3d47cd6a823bdab

SHA512
d3c92d1d575d98c7c2a60877bd81b22e4e2e29cfea50c930898059411dbbe9923fd97bc7a9c4d050170d58835c70e88bcdedf373fdcb2c11931d3414daca57dc

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
89KB

MD5
93a4e07a4936b58563b65bcbcef0ea14

SHA1
4f75e819ad9c3a1eb9d107014c563dce4e08cee9

SHA256
8f26c70c0008f9f4becd43c8544cc733b689c9be66f234bbbe8bbf3e872d9ae4

SHA512
94f20ece63d3d1f3c33cc4cc65adab1f2ce2bc016e37a91ab7d7ca8cf86b17386e3445057de774d5a75c296aeb80a7cae3015916f43ce4bc156a80b5adb0e41e

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
89KB

MD5
468128544c8310a6f73207540a7ec00a

SHA1
20f0a304ee02329077d2879223852b94e9d8f50f

SHA256
aa4faa90cd7da92447c8c227499db32fec98f34b2b4c34f2f6e21e85b91ad2c9

SHA512
83093c6affada561330447fbd1b8623ff54d9d47ec13115554afa7e07496b6167fcc7ffc5e15c91ef0e96b2f3a9cbdad1fa270ad4ee634f144660b412aae4202

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
89KB

MD5
b8961e7fae0ae715006e25aec5121322

SHA1
c8a0b69548509e81aa6a0cd00691089d6161f1b9

SHA256
95b76bad6fa94d7ba62308ff7ab979d29b14d0258605f3c05f527b08abaac7d7

SHA512
0922c0a8218aa816974fef288cbba53ef7ec7700167848396a59ec0fcbf25aa2086e4aecc59422b5fef61207f995e8a10064f4911c3c7ee37b3513320bb140ef

Download Submit
C:\Windows\SysWOW64\Nedmmlba.dll

Filesize
7KB

MD5
66f054e3d29aebbd7641e6803d22df63

SHA1
aaaccbbc8af5f15e2efdc83342002f3ec9ac37e0

SHA256
9d552ef687f21b92ffaf9761d2f868dcd05dc2306ca9614776246d0be01b0994

SHA512
97d8a4679727b74df964758773bb3880282f2306ef921665082406d6822397cc461e9dddb9583494071121aa9cb30cadbe628878dcfc3a00e0e1fcbe580ac3ac

Download Submit
memory/64-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/64-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/412-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/412-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/512-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/512-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/628-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1820-235-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2340-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2392-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2392-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3232-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3276-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3276-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3700-259-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3940-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-218-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-126-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-243-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4380-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4380-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4664-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4664-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4840-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4880-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4880-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4980-227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5056-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5056-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads