berbew | 72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
Size

96KB
MD5

5ac69f9585b2d612f6d8c4ea1d635081
SHA1

03294761e84b229aa814e084d328e7d6377c4f9d
SHA256

72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11
SHA512

a29d07cfcd3dff2627589524e54d269fa1879c909f9a9d59bd7ff34ecfbd0ce2e2ea8f0ddc2d51fb64260386fa378e518bee96d4a2b081dd409085a1b5598aac
SSDEEP

1536:Ep7JJ8o73TCr0ClZFGzKtM8IsHK2Lj7RZObZUUWaegPYAS:MNfcojsHXjClUUWaef

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca3-143.dat	family_bruteratel

Executes dropped EXE 28 IoCs

pid	Process
3140	Cnffqf32.exe
2272	Ceqnmpfo.exe
720	Chokikeb.exe
1196	Cnicfe32.exe
1872	Ceckcp32.exe
2108	Chagok32.exe
2368	Cnkplejl.exe
452	Cdhhdlid.exe
3940	Cffdpghg.exe
1976	Cnnlaehj.exe
1088	Cegdnopg.exe
2296	Dfiafg32.exe
1652	Dmcibama.exe
3676	Dejacond.exe
948	Dhhnpjmh.exe
4612	Dmefhako.exe
456	Delnin32.exe
2260	Ddonekbl.exe
4292	Dfnjafap.exe
4560	Dodbbdbb.exe
3040	Dmgbnq32.exe
3744	Ddakjkqi.exe
336	Dfpgffpm.exe
4620	Dogogcpo.exe
3116	Daekdooc.exe
2476	Dhocqigp.exe
5108	Dknpmdfc.exe
1784	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4724	1784	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 3140	4836	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe	83
PID 4836 wrote to memory of 3140	4836	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe	83
PID 4836 wrote to memory of 3140	4836	72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe	83
PID 3140 wrote to memory of 2272	3140	Cnffqf32.exe	84
PID 3140 wrote to memory of 2272	3140	Cnffqf32.exe	84
PID 3140 wrote to memory of 2272	3140	Cnffqf32.exe	84
PID 2272 wrote to memory of 720	2272	Ceqnmpfo.exe	85
PID 2272 wrote to memory of 720	2272	Ceqnmpfo.exe	85
PID 2272 wrote to memory of 720	2272	Ceqnmpfo.exe	85
PID 720 wrote to memory of 1196	720	Chokikeb.exe	86
PID 720 wrote to memory of 1196	720	Chokikeb.exe	86
PID 720 wrote to memory of 1196	720	Chokikeb.exe	86
PID 1196 wrote to memory of 1872	1196	Cnicfe32.exe	87
PID 1196 wrote to memory of 1872	1196	Cnicfe32.exe	87
PID 1196 wrote to memory of 1872	1196	Cnicfe32.exe	87
PID 1872 wrote to memory of 2108	1872	Ceckcp32.exe	88
PID 1872 wrote to memory of 2108	1872	Ceckcp32.exe	88
PID 1872 wrote to memory of 2108	1872	Ceckcp32.exe	88
PID 2108 wrote to memory of 2368	2108	Chagok32.exe	89
PID 2108 wrote to memory of 2368	2108	Chagok32.exe	89
PID 2108 wrote to memory of 2368	2108	Chagok32.exe	89
PID 2368 wrote to memory of 452	2368	Cnkplejl.exe	90
PID 2368 wrote to memory of 452	2368	Cnkplejl.exe	90
PID 2368 wrote to memory of 452	2368	Cnkplejl.exe	90
PID 452 wrote to memory of 3940	452	Cdhhdlid.exe	91
PID 452 wrote to memory of 3940	452	Cdhhdlid.exe	91
PID 452 wrote to memory of 3940	452	Cdhhdlid.exe	91
PID 3940 wrote to memory of 1976	3940	Cffdpghg.exe	92
PID 3940 wrote to memory of 1976	3940	Cffdpghg.exe	92
PID 3940 wrote to memory of 1976	3940	Cffdpghg.exe	92
PID 1976 wrote to memory of 1088	1976	Cnnlaehj.exe	93
PID 1976 wrote to memory of 1088	1976	Cnnlaehj.exe	93
PID 1976 wrote to memory of 1088	1976	Cnnlaehj.exe	93
PID 1088 wrote to memory of 2296	1088	Cegdnopg.exe	94
PID 1088 wrote to memory of 2296	1088	Cegdnopg.exe	94
PID 1088 wrote to memory of 2296	1088	Cegdnopg.exe	94
PID 2296 wrote to memory of 1652	2296	Dfiafg32.exe	95
PID 2296 wrote to memory of 1652	2296	Dfiafg32.exe	95
PID 2296 wrote to memory of 1652	2296	Dfiafg32.exe	95
PID 1652 wrote to memory of 3676	1652	Dmcibama.exe	96
PID 1652 wrote to memory of 3676	1652	Dmcibama.exe	96
PID 1652 wrote to memory of 3676	1652	Dmcibama.exe	96
PID 3676 wrote to memory of 948	3676	Dejacond.exe	97
PID 3676 wrote to memory of 948	3676	Dejacond.exe	97
PID 3676 wrote to memory of 948	3676	Dejacond.exe	97
PID 948 wrote to memory of 4612	948	Dhhnpjmh.exe	98
PID 948 wrote to memory of 4612	948	Dhhnpjmh.exe	98
PID 948 wrote to memory of 4612	948	Dhhnpjmh.exe	98
PID 4612 wrote to memory of 456	4612	Dmefhako.exe	99
PID 4612 wrote to memory of 456	4612	Dmefhako.exe	99
PID 4612 wrote to memory of 456	4612	Dmefhako.exe	99
PID 456 wrote to memory of 2260	456	Delnin32.exe	100
PID 456 wrote to memory of 2260	456	Delnin32.exe	100
PID 456 wrote to memory of 2260	456	Delnin32.exe	100
PID 2260 wrote to memory of 4292	2260	Ddonekbl.exe	101
PID 2260 wrote to memory of 4292	2260	Ddonekbl.exe	101
PID 2260 wrote to memory of 4292	2260	Ddonekbl.exe	101
PID 4292 wrote to memory of 4560	4292	Dfnjafap.exe	102
PID 4292 wrote to memory of 4560	4292	Dfnjafap.exe	102
PID 4292 wrote to memory of 4560	4292	Dfnjafap.exe	102
PID 4560 wrote to memory of 3040	4560	Dodbbdbb.exe	103
PID 4560 wrote to memory of 3040	4560	Dodbbdbb.exe	103
PID 4560 wrote to memory of 3040	4560	Dodbbdbb.exe	103
PID 3040 wrote to memory of 3744	3040	Dmgbnq32.exe	104

C:\Users\Admin\AppData\Local\Temp\72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe
"C:\Users\Admin\AppData\Local\Temp\72ec1a0f82e8aae66b7428bd04cf1c01312316140e8733cd4b644c3de3f76d11.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\Cnffqf32.exe
  C:\Windows\system32\Cnffqf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\Ceqnmpfo.exe
    C:\Windows\system32\Ceqnmpfo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\Chokikeb.exe
      C:\Windows\system32\Chokikeb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 404
        30⤵
        Program crash
        
        PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1784 -ip 1784
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
4be125551495623ad4fbe5855f57bcbb

SHA1
7ebe0010c9962af90f3c6e17260f5312fed94f60

SHA256
0032179a16cc461ba9949961a2bab3b12faaf2c6196fa665820d7f9b33ac00ac

SHA512
c92b2641004b48e2940cbf35997536dd7ed433ba2c9f6261550c13ae1c7ecac71a8c9609a9d4914db6f7a736c4a514ec57ddb78d1ef221ac2f30fa11f0a28caa

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
b7c57373e31330f95515ed6001113274

SHA1
c73c39498305c4fdb31b3d454be2f87918fa0b4a

SHA256
e0b7209220881587d171c5d8d6791ab709a973913a25b1f5db17f39783808a42

SHA512
f16fd91b8f3b19cbd7d7703ea55d9fddf4b679a782c0b0dc160f5ab62d0bf4ed6f26e8c94e3c05a6cdd683b175fd18cf6c35c86708c86ba31cdf224f45e6d674

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
abe8d798300a7c5ae1c45730035aa249

SHA1
16a50e2f044fdc8c5377314a4f56701908fb921c

SHA256
275d98d88e0eefedb1587b662cd2b393bd6dc64e2a114dcc44339f16f051255a

SHA512
911f32915781ec7cfe3ee4093bd72459e4955851de8273e40194350edea3b37470507b2a8d5bd0d4bc9767020f903933abe90a322fc21feeeb2a8a12799a8385

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
a12d49ecb4dd050d0e49dc8ee672de54

SHA1
95d92541e674805ff61a041198a540e99e2b1dcb

SHA256
362371fc7772556a78ea8204c224384eb4a76115d0105feae1f2fcf87b74d267

SHA512
3b70ab0a1cd87ab13a51ef443b94ad46cb67211ba2d4288c055bcfd7d749350872dcad93d24003749b6f5000634566f0178b5ac65faaffdd63dacc07d0d545a4

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
93e9c48da9b954ac56845ebf2e86c056

SHA1
50f876436093fcfd5e94ee678a886e0447c93e0c

SHA256
2a7e08043b237143cd27b90590bfe638e477269f7aa156db41bdcc3fc6d22cb3

SHA512
83f363a51beb45ccd63c72b34fab2bf3f3d5ffb94cfe00fb1250cda050ef8c37dab1ddc377bced49e68ab5a21974d8387f8df6255d5f8b803c9abd3a0ed4615d

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
cae77b2d84e07475c06f450049044e89

SHA1
4165f3b0ee222c8653f2b1dc46f88a03c6feecae

SHA256
8f025fddec59d1d73a19bf317c23e8516cced35c8af54b662a01a4d56847af8f

SHA512
e8b4d036f55058ebc685de34524c7d0746a54d8df2651047f9f36994350422b098d9c9b1340df2a8fd01aa553527a46d495dfd1c7a0e58f67a2c0bf8dc71d367

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
260742475bb57dd9b0679746dc95fd33

SHA1
2a8a2e4122a6edaa4d821b32cf11267274ef4d98

SHA256
0b69c3e98ccaeabe462e15264b0b7db3f0f1de4b6faaa157b08c80edcef4de68

SHA512
1da4a4169b496bb26c7bd4672f5d34a60d3349fc272a42f1b2e63d3199a9bfa1db06f2e9eaed2363c7dcdb0b3ce02c806f068fc61ab98a021efdd5c62dcf155e

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
970cb11e2144702391adac8a06f83fc8

SHA1
73136fe72875858c3c4a5977778b801963713afe

SHA256
3dd217e5e364cc3f0ede0f62fc7f737c099b012c8830ae8b255fab756948f5f2

SHA512
1111c87e8f6dbc7f5c3fa32915947cc6be67c06067e0a7c8df2f0472c069a3cf71f60a50cd66a99b142bfd8b2ff1d10b06944c2d5bbbef74dcb70c351783d84a

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
96KB

MD5
d0666cf210f5fdb802756a6763eb37d4

SHA1
fe21a9f526413a30eab571e78e33ba858f6cdcc6

SHA256
33ffaf2075303e54852e4f84ff613a40a63ef1ff5fb22e64ba2c060ddac416e1

SHA512
3933cffaa94d85f55407cabc7062e1dae6f606d04c9359ba4848b8160b518a38bcbbb86fc2707c5bf63f2b6983de1ce428432711a9711f5fd754ea6161fad580

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
f1a5c443d5d8fef50ec9b9e4b0a66583

SHA1
a41823e5eead963ca8e6746ccc2f21d1c3a7a252

SHA256
378f166da1ccfc21d04c15c357b8a38c353e5190ca817f518e108973459c1ba7

SHA512
b1f27db15eaa4827f7d48ef9d702b36cef5e03e15ceeb491ab45ab5f9cdc802f453f02c946696f00ec3062bb573959b7df1148abcaee8e0039adf27119b0002f

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
fdb4dc779028b777d031ecbd25fcfef7

SHA1
bf6f419f93ed5476403052e735cd8ba65e6fc98f

SHA256
530d04433e948e6e59c25ac65c9b725a3938e84a6287194c04286c9b05570e77

SHA512
3d6c3efcb161a3b44ce903cfe7eca4c89fc212b4479899866b41e920a11769870ab36843fd1a5228a88cfbf9a67dba469b244c0235c01a350ea7b4a5a0ecf8f5

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
eb1dc29d960b6e0e6edd1880a3c7ae0f

SHA1
3c727b3db597533f36aa2bf1db8ac12e01e08cbc

SHA256
c739995c25529b57daf24564ac525ba6af8c4259a0ff140a9f747a184862c0d7

SHA512
423f2abe5d304690c45605e12ab355204a2d465c105d0834cca367eb3b36b8b504066e4ce2b830f11ecca2ca8f04f10f70e3420638898325d28011ec039356bf

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
6671fee0383129b936b5cc2b50361c4b

SHA1
dec453e7552f5463c26cc109697c406df5ffdfd1

SHA256
4908e67a1903045042b603ea41a1b6440fbade90153c5a43f314fdd2e6b0a548

SHA512
5ffc01e5e3ec749df7ba58ddc01b5a61d1556d5e9c6dfd22c81ac4b313d03b2a570d5c5a3ae4f4c32482dbd0d3914509166cb66d566545dbb568bbd4a9b3add1

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
a294132b8ae32bc594c8ca00fe3327d3

SHA1
6df972b9e576488a4ef7fc02843b1577c8178850

SHA256
64fe1f26cc90918341cd2ac38c38a597dd3d948127f895005cb72b0b3163b3e7

SHA512
7e8aa9c48cfd9465b2ca67a22a4f62cada38e29db8192d843186e34626ff1eb014663ea162ccd4ed4d9354f2f9fd19f45c83769c0c6c3687e8300df40116c42d

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
b4a83294657993659c8d11b54b49579e

SHA1
9f4eb2013174813ab45cc54372b53b60b9d8e782

SHA256
360da26d263a992408b38797b7c980dd03edefff9a71965014c2c2375c3ec8ea

SHA512
6afd796cac491f33072ebe50d20be4782d32abd98908cc4104e3422130845f470d3a851b1275c39108eea1584825dd275fdfeaffdcc263d0585c0a5e8cbe52fc

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
b2eb8559f203f9dd0e77e70ea1e9cf66

SHA1
be2808568538bd41f9124840c80d1f97d04a349b

SHA256
f2ddfb82c15aea1aa48cca1ec6c6ce9a798c3fbb76c114a98028f2aadf0c4e63

SHA512
fe54c6f1d1164c250ceacc4aff3fc84a65844a63ac9abf56c0cd30f44230a1147100d06324f00d228e6bf4396ca52cf6c4a8a6b490eb35b1cd6140a24fc7d1f5

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
54acbed48bf6cbeddb172a0efc8ae617

SHA1
7383ab51b31700530b18ded57f4a08999207db60

SHA256
28df25926cd5dad090fb71a23abdb12d4985541223970c942696c7a92d55639e

SHA512
1fbdc0a609c24446dbb3e19d50fbc73ea9ec18d7e64d584f9f21ab2847ab0a7e4d91194795a712ab62ab2b223516eab2e6ace91cec2076d326f4be5157575ce5

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
62423c209152794c988057eee8c71352

SHA1
02eabe2fb5eb3ede790f84d6951d0f3501122266

SHA256
9f124ad7d81f921e572a1076f39b82dd841378327709e89ff050313650078b70

SHA512
b9bd7135ee7f65e383cf35a2c7331410bbe9042339d2456e71f5e3d93730a3173ed352e715b9af7cae28a3836ead6f887fc743c43f01ec850a1b95ff70af2720

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
24ed3b9d848330240337bc7c5848c720

SHA1
fdc4a5c0e87d0c09ceae8dc425c002df90ad56d7

SHA256
a8b37b3d9b23e169436c2418dbab91cecd3062331f674752d56151e4c5697e2a

SHA512
a0cfad4e377d9751fb0f766e40d0a23e9dbafc3642db5116c98d33bdc052cbe18338f7f88d82cee40c312a225f71426cceb34f7ab57a18a56306fd0ee9d41be9

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
bb8ee19eca3b8751582f8e6c65f1e05c

SHA1
97fa22b35550705b9d89dec8bc652bdc50dd26fc

SHA256
ed77e99bd7c9091fc5afaa10a3e1e002c8041fe01dfabc2ba6463e03d7cd9be3

SHA512
06bed8b4129ad9b2984cd625533423efb71b566964504dc893b4c6dbaebaf7b53bcd8888fbfbac08e596ed77d8b20f3b93356b6992125eacbdbcb4eb944c4172

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
cdd92deafa452f0bfd3bdbc8a8595da3

SHA1
673c1c74481658b20c7024697d1c3394432e6a05

SHA256
11ccb7018d7d9237117af5b4a80c7c491d59e35824343efc5dc0140ddb2920e5

SHA512
1f3818982d7b62b9e8c75fd5f32d7b4be1e781d88123c4088ef5acf5c1067dcbc4da2a36133bc3db89da4a444cf23b4e637d77aeb98133bdb7066a4727db4ce7

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
e45081f90c8fc7da524f3b51e8d47ea2

SHA1
703a0f657c2452d4bb406e403cd5d1916d5738b0

SHA256
2d6bd904beba189b766e332a95975d897af3ad1f1b92d8ee428dd198c620a892

SHA512
eb8a3e7434ca25efa1a10346b01e71e25c6f3f3297b029c14fb1cd13eec7e332845d099bf8c1855d8f9f399f2e2ecde2d1c7517645c9bb44b1ab1512bab9223f

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
06862cabf899be9864beb18297f29ed3

SHA1
ac078a3c3f1d77c22fb5f1587572e2f57253429d

SHA256
c593ae6aad71a5e32854a730eda687c6a533d0ab51606f5bac2391fee9fedfed

SHA512
638a8d72d2e11b81f206e82bdaa5928ab62205c4f37b76f2603056d68b90b08baadff9741f1d63dfa556cb9bfc1d1b28a825bceca91c32dfc8ef330cd42a676a

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
18f3a3218df6aabc3d1a73ecf6c4712e

SHA1
90a0584d1f63ab921749d676bda9df993f7e895c

SHA256
2d0c524374bcb0239d37eb9c1a9dfe48665da9ea6f5661861397e049845a8e0e

SHA512
2c2a33179c2cf4ffb6a92dd831eb35a95801c142bc01af16d0cca3747dbb935fb1be3fcfa063b83076d9aa62fa274b4f88a79d8c54e77cd4b75f887c94ac8f16

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
cbeab599f94ab5a6802488c09123b9f1

SHA1
49ea0852b1380e3edb99c5ce228c40c540295af0

SHA256
af5cf1f749d5fa0ad3101b18a77b48f1c5c6cae2f463ff3d5604dd51849475ee

SHA512
4939e21731565f18f7453e69f440abd68c964dac2bf8dab7a6a5e0c07058b8442eddb89b55ab2a0f718c1df4ccef8056aea31a952a5bb066ff54749869a415e5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
367d534eb144ddce7e76a5be52d085bd

SHA1
7a4c69aca995d029a223e9708b1afe87bd3552fa

SHA256
bdd80fb89b9ec5fa5b226b64dd4e5dee0e91c88f0e7d1db1ff5246574b88b22a

SHA512
c5a4744bda27d8622d7e73c123378f0f8a05e0d0dd172187532e7ff27f0d5e529dc1afd6a93768d37ad9210e63b3c0981a40cdafa8436ac705e643987bc2ce9b

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
32f9ff14694a216b05b15cacb0776ce7

SHA1
7144e044bdec13a40ba4635a47b65f9769a0e94d

SHA256
7b10714afdc7fb260827ab729841d79d3ea3ba3ea46d0eda9f29eb08dd48328a

SHA512
7f8f1918e57dda721fb97610364dbcc8e013c20714f07581245ae079d2d8dc1cc3e8e69d253ade31e1e96096f4507937229b6df5222a79fc77cc1d73829c0432

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
cb1be4e060856ba0c0f5c50abf377f49

SHA1
5d613314722a797da46f3a800e534787216c8e5c

SHA256
da4d19a3f259866a27df92307829c8b939a00ce00af401b38fba4371709cf062

SHA512
f90e7b937c69f501bf24596cd1236a22fae5e214056b5b9d9220a4d4fba773263862ab8689075101ff03c2280e61c80b3fa864e036a5c3893681420d7b3ab41f

Download Submit
memory/336-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4836-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads