berbew | a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe
Size

74KB
MD5

8881a743fdaabe27e512265acb668d90
SHA1

662bd4cc235a56575dc90b2b2a5e49bf57ebda43
SHA256

a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943
SHA512

3cfb9b9472b17b6f4c1f5e404aa8cdb0011af8ac8f2efaede5bb983261c49aa82f3f388a9820fea8641db832ac37e3223161e4a9d1ef47ed428c2f9545c03c17
SSDEEP

1536:fNoH/EwDEnUgSps2+Umq3iST4dNJZrwqxLjlWhZk:FIDFps20ITWNJRxLam

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 30 IoCs

pid	Process
3120	Chjaol32.exe
4300	Cndikf32.exe
2700	Cabfga32.exe
4924	Cdabcm32.exe
1932	Cjkjpgfi.exe
2804	Caebma32.exe
1716	Cdcoim32.exe
3936	Chokikeb.exe
3664	Cjmgfgdf.exe
1676	Cagobalc.exe
1468	Chagok32.exe
2400	Cjpckf32.exe
4564	Cmnpgb32.exe
3388	Ceehho32.exe
1852	Cffdpghg.exe
2260	Cnnlaehj.exe
2172	Cmqmma32.exe
2296	Dhfajjoj.exe
4740	Dmcibama.exe
3680	Dejacond.exe
5008	Dfknkg32.exe
4072	Dobfld32.exe
1408	Ddonekbl.exe
4632	Dfnjafap.exe
1160	Dodbbdbb.exe
4964	Deokon32.exe
1084	Dogogcpo.exe
1864	Daekdooc.exe
2676	Dhocqigp.exe
2912	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4440	2912	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3120	4980	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe	83
PID 4980 wrote to memory of 3120	4980	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe	83
PID 4980 wrote to memory of 3120	4980	a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe	83
PID 3120 wrote to memory of 4300	3120	Chjaol32.exe	84
PID 3120 wrote to memory of 4300	3120	Chjaol32.exe	84
PID 3120 wrote to memory of 4300	3120	Chjaol32.exe	84
PID 4300 wrote to memory of 2700	4300	Cndikf32.exe	85
PID 4300 wrote to memory of 2700	4300	Cndikf32.exe	85
PID 4300 wrote to memory of 2700	4300	Cndikf32.exe	85
PID 2700 wrote to memory of 4924	2700	Cabfga32.exe	86
PID 2700 wrote to memory of 4924	2700	Cabfga32.exe	86
PID 2700 wrote to memory of 4924	2700	Cabfga32.exe	86
PID 4924 wrote to memory of 1932	4924	Cdabcm32.exe	87
PID 4924 wrote to memory of 1932	4924	Cdabcm32.exe	87
PID 4924 wrote to memory of 1932	4924	Cdabcm32.exe	87
PID 1932 wrote to memory of 2804	1932	Cjkjpgfi.exe	88
PID 1932 wrote to memory of 2804	1932	Cjkjpgfi.exe	88
PID 1932 wrote to memory of 2804	1932	Cjkjpgfi.exe	88
PID 2804 wrote to memory of 1716	2804	Caebma32.exe	89
PID 2804 wrote to memory of 1716	2804	Caebma32.exe	89
PID 2804 wrote to memory of 1716	2804	Caebma32.exe	89
PID 1716 wrote to memory of 3936	1716	Cdcoim32.exe	90
PID 1716 wrote to memory of 3936	1716	Cdcoim32.exe	90
PID 1716 wrote to memory of 3936	1716	Cdcoim32.exe	90
PID 3936 wrote to memory of 3664	3936	Chokikeb.exe	91
PID 3936 wrote to memory of 3664	3936	Chokikeb.exe	91
PID 3936 wrote to memory of 3664	3936	Chokikeb.exe	91
PID 3664 wrote to memory of 1676	3664	Cjmgfgdf.exe	92
PID 3664 wrote to memory of 1676	3664	Cjmgfgdf.exe	92
PID 3664 wrote to memory of 1676	3664	Cjmgfgdf.exe	92
PID 1676 wrote to memory of 1468	1676	Cagobalc.exe	93
PID 1676 wrote to memory of 1468	1676	Cagobalc.exe	93
PID 1676 wrote to memory of 1468	1676	Cagobalc.exe	93
PID 1468 wrote to memory of 2400	1468	Chagok32.exe	94
PID 1468 wrote to memory of 2400	1468	Chagok32.exe	94
PID 1468 wrote to memory of 2400	1468	Chagok32.exe	94
PID 2400 wrote to memory of 4564	2400	Cjpckf32.exe	95
PID 2400 wrote to memory of 4564	2400	Cjpckf32.exe	95
PID 2400 wrote to memory of 4564	2400	Cjpckf32.exe	95
PID 4564 wrote to memory of 3388	4564	Cmnpgb32.exe	96
PID 4564 wrote to memory of 3388	4564	Cmnpgb32.exe	96
PID 4564 wrote to memory of 3388	4564	Cmnpgb32.exe	96
PID 3388 wrote to memory of 1852	3388	Ceehho32.exe	97
PID 3388 wrote to memory of 1852	3388	Ceehho32.exe	97
PID 3388 wrote to memory of 1852	3388	Ceehho32.exe	97
PID 1852 wrote to memory of 2260	1852	Cffdpghg.exe	98
PID 1852 wrote to memory of 2260	1852	Cffdpghg.exe	98
PID 1852 wrote to memory of 2260	1852	Cffdpghg.exe	98
PID 2260 wrote to memory of 2172	2260	Cnnlaehj.exe	99
PID 2260 wrote to memory of 2172	2260	Cnnlaehj.exe	99
PID 2260 wrote to memory of 2172	2260	Cnnlaehj.exe	99
PID 2172 wrote to memory of 2296	2172	Cmqmma32.exe	100
PID 2172 wrote to memory of 2296	2172	Cmqmma32.exe	100
PID 2172 wrote to memory of 2296	2172	Cmqmma32.exe	100
PID 2296 wrote to memory of 4740	2296	Dhfajjoj.exe	101
PID 2296 wrote to memory of 4740	2296	Dhfajjoj.exe	101
PID 2296 wrote to memory of 4740	2296	Dhfajjoj.exe	101
PID 4740 wrote to memory of 3680	4740	Dmcibama.exe	102
PID 4740 wrote to memory of 3680	4740	Dmcibama.exe	102
PID 4740 wrote to memory of 3680	4740	Dmcibama.exe	102
PID 3680 wrote to memory of 5008	3680	Dejacond.exe	103
PID 3680 wrote to memory of 5008	3680	Dejacond.exe	103
PID 3680 wrote to memory of 5008	3680	Dejacond.exe	103
PID 5008 wrote to memory of 4072	5008	Dfknkg32.exe	104

C:\Users\Admin\AppData\Local\Temp\a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe
"C:\Users\Admin\AppData\Local\Temp\a75ee1d94b42f21047e9b874854360e116f4bb6111bf3197d7f93fd2b9ab5943N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\Chjaol32.exe
  C:\Windows\system32\Chjaol32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\SysWOW64\Cndikf32.exe
    C:\Windows\system32\Cndikf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\Cabfga32.exe
      C:\Windows\system32\Cabfga32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 416
        32⤵
        Program crash
        
        PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2912 -ip 2912
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cabfga32.exe

Filesize
74KB

MD5
2f23d0da30b8dde1c400c03e9edc1f08

SHA1
47dac6adc58d0c6570d2f8aa5340a0bad353c9bd

SHA256
dbe7b2b14941284ff0d092cc0d8bdab0fc9bc936108ddf113cbc14b425689c7c

SHA512
cc462706261fee16a4cc739d792f4d62c7c0df7f419f5dfd8ad733bef732b93973d7f6426d347472460a91fbb0c04b12a7674c78317b1d3ba11e5dccf33f8a69

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
74KB

MD5
54793eb9b3aecb0d9364daccd96180dd

SHA1
53de0f0e1b7a6dc550633ae34e185d667dbf1965

SHA256
019aaaf376cadb55afaf180db8a21e94e198be41878c3afab557f48a3d27362a

SHA512
e0da704f4f8f0e234f728fb5be4a5e6adbcdb10103047ac96c73257d098dc920a03343fc9a2a72cdd291c3eed92a2ff2a55613ddf05cc3ec86e82f6c7c2f6eab

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
74KB

MD5
12e4a4d6bea5b358d4fe70a620aed72c

SHA1
a9c148df38aa414c4bb21c7d413c337269f21841

SHA256
71f2730407916f6e3f03b5c7637aca1fc972ae5801fb42f9b56a5e59bb5ce8ac

SHA512
01e54dd117b5ada271e1c24113709812ea645bb25b97ad5b672f34f8722aeefbf7dab6a2ab8baef924fa3f4f4b00c70cdeaf4ace9a52750ac93432bdd347a949

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
74KB

MD5
826fd67a279289d0da56ad765d96a716

SHA1
12e5b51de28f1509d88ad439c25e572770062f7e

SHA256
1a9b68b0ad9924f0e0f3beadb795148813af0cdbd150058ec84faf8bf13f2066

SHA512
f449bc349aaf846c5c88b2120b413eb1b743b036266e567f16b426666c772d5026b5877f3c4a2d75a6314a0dd8e26857a0099009c89b0ee123f10e1e6bd330db

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
74KB

MD5
6c20ffce8a97421b80761c983feca3c6

SHA1
f5b3c61f7feba9d9e9cf5a44a930606a444b2e82

SHA256
05fc99a560289d407b95375852225de0bdd4a00af04f62f57b80d88729233a95

SHA512
24042a0c8aac669c0821103efed40bdda12d5a838574fd41925069b9abc30b2210b636e31ee484da937da3b1a3eee4577bc13ab7401ea1a8cad5250440735c78

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
74KB

MD5
c27cb9c75e79d6cc8caf5b1baf8ed032

SHA1
3f9c2981f86c67bb0d41e95959fe6679f2e04d13

SHA256
cb3dc400a31f1395912e703fa81f49b4a15129e23e9660d4de54e1f5aab38cea

SHA512
5b1ea34848c98e2c8d0a351b50e244fb408d668d8bff9edd34eaa07cc80036e2fa913b8c3b3c51319331b5d848e0d860741589085037364df33a4072cdd8b78d

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
74KB

MD5
ed1c5960dd5fa085353f9e483b8115f3

SHA1
44d3652dfa8fe0ed1335c461ba75239ba39b5ac2

SHA256
09caa4d946a2ef4073f54f5d99bb253cb69e06ac7b0f1d6f5e190ec9ab07a6a6

SHA512
c0f50968a94aa6fdaee2cdeecca30767e57ff11c0ea6ebc34537f6385039a05b9a7dcdc986178f320ab0d137d949a0a8a30142cf3692b078e67e8c9f6d9cb0df

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
74KB

MD5
1745b2119af002c164d9484663ac282a

SHA1
b6c7dda9788c1b2c2380462d0eaa61ed9a90fc05

SHA256
e3ea09b1e496a2beeaa09676e6cf89d9b0629419a8030b24367462bb8f365127

SHA512
90c14f9be657ba29bdb86d9897aa5b5303d9f5c731e24ca3938b770b4eccbc01fdee7cb8430d434debe8e7685c4d443d268d06d00e3a980aa2fe37875c811ac5

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
74KB

MD5
85503ea724f64802bdc1c8aeba469fa3

SHA1
bc5da2ef91f08221faf3c503f8f14b63716a6018

SHA256
e85ebb2ae1edb62b04799900fb8b2809eee83cb2cb904c9f921bbda7fc09171e

SHA512
54d74670c11ddb6bc7cae2eee105b57e319cf099d90f1c42a0347de7bdf9b6c48261c569234619d00fcc86ce4153adaab6504f6cce2e5e3a3b42ada7c4469e41

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
74KB

MD5
407c46c42814c81e79192abd7cbb390f

SHA1
888a258b78b681d30df20a03f90ffa2b90a741c1

SHA256
55381fe857344c3df0e70f75fefb004b8017ae2305f89e38c8cf00c6724ae820

SHA512
597796642e365dc732291ee9ff37389bf66936c3cf0b4e1ec9cbe43dbcae1432d4e1c709b0a105cfb2176cc166f62c5d1ef444568935bfcf0b451b79c8574cbf

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
74KB

MD5
84096d780dbd84cca88070982438d21a

SHA1
f2c8f1fa7de632ad341d812f254d7b30290377b1

SHA256
c28723efb0170e8d3cbc41350fe36cdcf2f9a875ebe6c542612ad85a0063fdc2

SHA512
0c4a1b9f867a155a46bf8d14f23630a35dbb49a20ba3ba2b824a8b0d1e8296cc4e6fc77a7a66a1b443174694d72009806267da2c4334797b96fe81f1f774c9a5

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
74KB

MD5
984f521e05890fcbfeeaa90ee8d51b4f

SHA1
844d1ce3775fad51a3618442ec8171c3c5fb2baa

SHA256
208c20878df7fcf4c8821361ad4358b8d7ff4f173a3e2ffe66ff8d2b7e784aad

SHA512
34220cbce0a718f11938dc5ff5cf055625270a6af8c033ed25d41a87b9577b5ac3caf5ab48b7be4c9ace22011d501215652f4d8624ba101c69371c3776e9ff17

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
74KB

MD5
1720e83877f4e0080c669988340e8f8c

SHA1
ed8bdbde409c95cf307ef0cff6f0bdb22fe162ed

SHA256
025d25c9cf3f32b3708c4072e8df6461a1e1a3a61f5058ef02a9ecdafb9f6328

SHA512
5779fae8f3f3c1708b22df654d217a2983ae4918368d5762c4c64384301effe563f60f69b6f7c52f39fe1823856ba0cde76ab56c7314034a25739730e4ac3620

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
74KB

MD5
6305feb130f1c517e2c6df1ccf9786e1

SHA1
ced8a0484a3a285f195a70c30ebc23a4594b9127

SHA256
a16f9f9b01a532eb7c518536eb4efd6c7009a923de97f1083668a179ef4543f9

SHA512
73e16aef54cf0c6047f89cc22eba009d61e15aa13235445b080b135cdaaebb7a0ef733bba1a3949e2f84a62b148aae7aec9950cd38d5a91cbde4cbf3df2bfc33

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
74KB

MD5
f90678b686d214994e8a5d715e82b2da

SHA1
e62fe86626a9155454501c308b3c279b4ef01e1b

SHA256
bb6697bcfeeec41698e1b0cf01044f86dacaf574bf3750ae66e895a149bb614a

SHA512
a41e424a182a18294575957e01cc0bd3cd283b18929e84c90715c104d11ab4081c6dcd952909275e90a7d61e0356c506632b155e7d2182d697fc7ac39f611e6a

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
74KB

MD5
be3c09e2cddc1b687b3fcc396991a986

SHA1
795413417e59fb84b2a0f6c99967cfce2c282585

SHA256
0e6f3c166e3f82e1c61c66baee0edede9fd016eb7ec025c08acd80c36753ec34

SHA512
2654bf3648d2ee163b8c772d59759706f73d0ef8860699a31ec8cdf470c6cd42fbf34e781734ca3293e54e0657fe3101abba161b4e1b3de30d1a652fd468ac82

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
74KB

MD5
eddd818f6075a6918c1ec7478f49eca1

SHA1
1b2059328ea65e89a2e68aa72ab6ca1b7ea3be47

SHA256
08109cc28ecc459a901919646c7a8c047a158ffbd2b07e33e901f963f4d367e4

SHA512
33a284f904c66b531c53374b3843a56a8f8490dbcf19e9b0ad8784574d2e091ed6b83428e2b54b22348a10d10fc57085ae53314a9b89360d5e269c522a384dd4

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
74KB

MD5
66996a2971e2e1f67ec89622a81c61a2

SHA1
00eb8d01ef8cf86059afb25d28394bce63dcb9be

SHA256
1670be9170ae6152305aedf2218fe925a1627927bd10026c054f7ae6b6695a87

SHA512
f0490f844a1959111e246873b9ef699da7e28523639d042eea2217fe4b5cc54fe4987ff4bb4fd3f3c39a4d209ce9a6bd276d8f6a01182d72fd6e7911496a8076

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
74KB

MD5
5f2bb99faaf1f169a90c104f2f9c319a

SHA1
4f0ae4f9702f8f7c61fc464aa5ced9461dae5f85

SHA256
87e92508496984ffd86b35c2b0193ae7572a10cae8f84da7976f29b77d490553

SHA512
1c80add490fb333ed133ad0b1cd7a7d88fa2b8b6a5f2b497f3363e91b006ba1c2cb86a511025bf869be4c2c6b3c8b992b94fa86eb0d9a8725107fdf2207270f1

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
74KB

MD5
f01f1bde8d8b977aac9072868abde1f5

SHA1
683dc67a0ae0ea14869a1c50d796821fc44d959e

SHA256
3ca2b534b971735e44e5141a82776a6a1a91d109925f620fed9eabde414214a3

SHA512
ddfdf54e40334c62a0d682df1880a1ad615b727ebd84652a8789221398db911f07d7a8c43f5a64deb5cdf6cd099133a1154f199438b1bd5fefb45060096caa0a

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
74KB

MD5
befac34d4363d912a84a6b1bad90c239

SHA1
172327897897c05df486361a948cfa3f5ea782fd

SHA256
ce71b25498595115b533a89190b8e2c88922bba2f9ba33ef0d6de705143dad4c

SHA512
0bb19e735584029301a7f033ff9e6290cc6d724fc1498d21d0269eb28549abb606713d1417fad234bb0be6d780a709b89f688800c3d3d937e90585e559602dc2

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
74KB

MD5
e753305e96347a2dcca313e7dd8a1522

SHA1
c7fce8782a703eb295cb6fb841a38edccb49b6f9

SHA256
65daaac83e6b6acdf3f38a94195ee9bf29290f8acde476b28dddaabfc8e74e5e

SHA512
81ff30ecfd1099faf74e23ef0c8e4f1f1b064373372e716798d11205d2c542b65158da5cfbc045b07bce404b7c475eb969b3b0b8c82569986658509d25bee544

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
74KB

MD5
ec6c7fe0e2b90ebb48dd0c3878023b20

SHA1
ff619082252be242e894a727388dc474b6448fb6

SHA256
47bc834d21906f99c7cdd9888f973b6ad9566c09ca29d04d5ec2ebec294417fb

SHA512
3c30af695e551b2cd9dd413b42523d55460192549bd8d548cedef2e661150c5498f4fec7d636443c18156d41fddfec1efb45fb6924679ddd0a40fb903fce49e7

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
74KB

MD5
b7e4107d4298980d5b91a82527fc74c9

SHA1
59f6bf2447e0daed19803438ca0a0da6a200f521

SHA256
78258b6c8b3549c24485ed11ad8597fd68b3bb9e23cdd7b996aeda182fb9aadb

SHA512
72aa46317bb33dcc6f4cd6c5c7345ef88d693559732600bf50e686630b47c1bf18eca7f9718b3d6ba64591d3e733556c230b03b0124841d2014d60693aade552

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
74KB

MD5
622a5e891b4e70a3aaaae40d5858b64c

SHA1
8441ecf23aff0f97254a603091dfba8ac705d0c4

SHA256
10f280da97e5d5103ac50c4bd633497583e7313b5a224913a4948a256eb75612

SHA512
4dc0c0351bb723215154cd4bf87595225b29e4db319f00537fa0e30915c1716f1abd5fb8fc17988fb1eddc2a58b031ba0b38457fefbe3da756fa930f787717cc

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
74KB

MD5
3a6acf0c6dbd39ca74fd61c40d87c4c0

SHA1
4e4a38fc2012b26920c05fafc53d38451819ba91

SHA256
55e0b26382c8a60909135d8d0c3046efedd1e35fdbc0abe850ddb22997876712

SHA512
cf0c163ff3105266b80982ce2da96aef00411a2c435e835dc3402b980a098325d54856b2e7ccc7d601f670b55ef694876fa30737bc90adebe3cf869aa8e7b1ee

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
74KB

MD5
847e81122b689eb8afe2b6a07d80b2a6

SHA1
56328c74a1c34b777461989b354c7bb978489300

SHA256
c77acd4b74421307e90ad147b2ca494b1731a9cc84f7bd7b6edaeb32934ea4af

SHA512
9a30c423a0fb697f7445c5d5e391fd9c2c9a7aa7a6017541f0279db555e11a521123f88bf8560000cacdf0f5b6381031e70eb63849a027be639e73cc14be9039

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
a237e6a51456f1f1fac35df6862317fc

SHA1
a204b92fdad4bd244d2960428544d045a6d1df8c

SHA256
6046608959fad343efda52c2ee532d4edab69b6591328ea23ee87ccdbaa072da

SHA512
3cea33131a160ac8b1ff6cf6c362b0ea57dda4b873a1ae87c286ad00a757dd0ce7b02b92cbd75696a116ad278391d0b23b526d97f33db606088fe64ed60e9ba6

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
74KB

MD5
427ab54312c2cd1ac2c43da488e73300

SHA1
60f720c94460fedd012906053889508a10ade5e1

SHA256
e534fd537cb3754ba422e3c18d2383296a8d2486b4e3dc99090046bc6c159ece

SHA512
5a6bf7820894ae563bf2c404a0021a312f7257eb43b31735011e120e1d4ffcb1d2f8005a7be1601bb427061381cbe85066dd16fe58e95018a8a278ff863b956d

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
74KB

MD5
d42ee066618ca54077f3a5a6b763100d

SHA1
d1746d34eca448b77d6c49d50738ccb7612fa1e2

SHA256
e8fe336c2873ae77bb02007fe8584e83cf82b04d88916124c492f974b264e626

SHA512
55d3eb470da62bc636c0605c20de13e1ff953d6407cd41d9c4d31e7457c14024f29198e141fbf558743fca684e61811c5137a83f8ea1c48cf11e657e4d0e7d8c

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
74KB

MD5
b97f7139f4d5527bad6f26a4af6fe699

SHA1
eabebb35c20759d61956327503024ff649cb907a

SHA256
d8e19f882208a662f24f02fe276dd19940df8f88526e63f7e323ffb8a1e1dc9e

SHA512
d3d802b40ba8358acd42a8169fe7eba9b81174b053c41d5aaa0d40b557dd985e9e3ec70a1f4ab6fa1d73adb042e894a32822ade99bace9cdf7ba79c8021e4004

Download Submit
C:\Windows\SysWOW64\Omocan32.dll

Filesize
7KB

MD5
6a663cee1185b6d6be32f63bbdaf0a99

SHA1
fe779fa201f28ce615679e33762c38d3a6aa75af

SHA256
61ae1e8bcdb82dee5fa5e516486b5f84dd9c0d2219f5c08e74641ace4ec582cc

SHA512
acde4ee9ca1ca4f29a5e24a6b7d2389f8efe9ab5cfd5ad24bae4d72c571a7b6409ca218182a4f04b8dcb89afb6a28054013aecadbb840e6c5289654525d47e7e

Download Submit
memory/1084-216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1084-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1160-246-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1160-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1408-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1408-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1468-260-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1468-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1676-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1676-261-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1716-264-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1716-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1852-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1852-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1864-243-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1864-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1932-266-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1932-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2172-254-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2172-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2260-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2260-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2296-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2296-253-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2400-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2400-259-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2676-242-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2676-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2700-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2700-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2804-265-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2804-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2912-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2912-241-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3120-270-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3120-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3388-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3388-257-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3664-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3664-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3680-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3680-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3936-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3936-263-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4072-249-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4072-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4300-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4300-269-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4564-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4564-258-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4632-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4632-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4924-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4924-267-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4964-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4964-245-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4980-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4980-271-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5008-250-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5008-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads