berbew | d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
Size

320KB
MD5

a0144921cfb2da6785ef2413897e4dc0
SHA1

03409bb5440f4d2be3167fe9064dfea757050640
SHA256

d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003
SHA512

a6ff5997299ec32fd94ab552d08ea47909f21d57410630aa3daf74879998f23d159fe296e7494423e85e26f5cc0a47fa46a513e51df5441ca99a6c3a23b295e3
SSDEEP

6144:GrF5fhkZtDyB8LoedCFJ369BJ369vpui6yYPaIGckvNP8:mtWtyWUedCv2EpV6yYPaN0

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
4328	Belebq32.exe
3736	Cjinkg32.exe
4780	Cmgjgcgo.exe
3520	Caebma32.exe
1712	Cfbkeh32.exe
3496	Ceckcp32.exe
4732	Cjpckf32.exe
2628	Cajlhqjp.exe
1420	Cmqmma32.exe
3784	Cegdnopg.exe
2332	Dejacond.exe
4588	Djgjlelk.exe
3216	Dmefhako.exe
2000	Ddonekbl.exe
4636	Dhkjej32.exe
4488	Daconoae.exe
4444	Ddakjkqi.exe
900	Dhmgki32.exe
3252	Dkkcge32.exe
4156	Dogogcpo.exe
1532	Daekdooc.exe
428	Deagdn32.exe
3156	Dddhpjof.exe
348	Dhocqigp.exe
2724	Dgbdlf32.exe
4944	Doilmc32.exe
4060	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process
2736	4060	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4328	4804	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe	83
PID 4804 wrote to memory of 4328	4804	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe	83
PID 4804 wrote to memory of 4328	4804	d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe	83
PID 4328 wrote to memory of 3736	4328	Belebq32.exe	84
PID 4328 wrote to memory of 3736	4328	Belebq32.exe	84
PID 4328 wrote to memory of 3736	4328	Belebq32.exe	84
PID 3736 wrote to memory of 4780	3736	Cjinkg32.exe	85
PID 3736 wrote to memory of 4780	3736	Cjinkg32.exe	85
PID 3736 wrote to memory of 4780	3736	Cjinkg32.exe	85
PID 4780 wrote to memory of 3520	4780	Cmgjgcgo.exe	86
PID 4780 wrote to memory of 3520	4780	Cmgjgcgo.exe	86
PID 4780 wrote to memory of 3520	4780	Cmgjgcgo.exe	86
PID 3520 wrote to memory of 1712	3520	Caebma32.exe	87
PID 3520 wrote to memory of 1712	3520	Caebma32.exe	87
PID 3520 wrote to memory of 1712	3520	Caebma32.exe	87
PID 1712 wrote to memory of 3496	1712	Cfbkeh32.exe	88
PID 1712 wrote to memory of 3496	1712	Cfbkeh32.exe	88
PID 1712 wrote to memory of 3496	1712	Cfbkeh32.exe	88
PID 3496 wrote to memory of 4732	3496	Ceckcp32.exe	89
PID 3496 wrote to memory of 4732	3496	Ceckcp32.exe	89
PID 3496 wrote to memory of 4732	3496	Ceckcp32.exe	89
PID 4732 wrote to memory of 2628	4732	Cjpckf32.exe	90
PID 4732 wrote to memory of 2628	4732	Cjpckf32.exe	90
PID 4732 wrote to memory of 2628	4732	Cjpckf32.exe	90
PID 2628 wrote to memory of 1420	2628	Cajlhqjp.exe	91
PID 2628 wrote to memory of 1420	2628	Cajlhqjp.exe	91
PID 2628 wrote to memory of 1420	2628	Cajlhqjp.exe	91
PID 1420 wrote to memory of 3784	1420	Cmqmma32.exe	92
PID 1420 wrote to memory of 3784	1420	Cmqmma32.exe	92
PID 1420 wrote to memory of 3784	1420	Cmqmma32.exe	92
PID 3784 wrote to memory of 2332	3784	Cegdnopg.exe	93
PID 3784 wrote to memory of 2332	3784	Cegdnopg.exe	93
PID 3784 wrote to memory of 2332	3784	Cegdnopg.exe	93
PID 2332 wrote to memory of 4588	2332	Dejacond.exe	94
PID 2332 wrote to memory of 4588	2332	Dejacond.exe	94
PID 2332 wrote to memory of 4588	2332	Dejacond.exe	94
PID 4588 wrote to memory of 3216	4588	Djgjlelk.exe	95
PID 4588 wrote to memory of 3216	4588	Djgjlelk.exe	95
PID 4588 wrote to memory of 3216	4588	Djgjlelk.exe	95
PID 3216 wrote to memory of 2000	3216	Dmefhako.exe	96
PID 3216 wrote to memory of 2000	3216	Dmefhako.exe	96
PID 3216 wrote to memory of 2000	3216	Dmefhako.exe	96
PID 2000 wrote to memory of 4636	2000	Ddonekbl.exe	97
PID 2000 wrote to memory of 4636	2000	Ddonekbl.exe	97
PID 2000 wrote to memory of 4636	2000	Ddonekbl.exe	97
PID 4636 wrote to memory of 4488	4636	Dhkjej32.exe	98
PID 4636 wrote to memory of 4488	4636	Dhkjej32.exe	98
PID 4636 wrote to memory of 4488	4636	Dhkjej32.exe	98
PID 4488 wrote to memory of 4444	4488	Daconoae.exe	99
PID 4488 wrote to memory of 4444	4488	Daconoae.exe	99
PID 4488 wrote to memory of 4444	4488	Daconoae.exe	99
PID 4444 wrote to memory of 900	4444	Ddakjkqi.exe	100
PID 4444 wrote to memory of 900	4444	Ddakjkqi.exe	100
PID 4444 wrote to memory of 900	4444	Ddakjkqi.exe	100
PID 900 wrote to memory of 3252	900	Dhmgki32.exe	101
PID 900 wrote to memory of 3252	900	Dhmgki32.exe	101
PID 900 wrote to memory of 3252	900	Dhmgki32.exe	101
PID 3252 wrote to memory of 4156	3252	Dkkcge32.exe	102
PID 3252 wrote to memory of 4156	3252	Dkkcge32.exe	102
PID 3252 wrote to memory of 4156	3252	Dkkcge32.exe	102
PID 4156 wrote to memory of 1532	4156	Dogogcpo.exe	103
PID 4156 wrote to memory of 1532	4156	Dogogcpo.exe	103
PID 4156 wrote to memory of 1532	4156	Dogogcpo.exe	103
PID 1532 wrote to memory of 428	1532	Daekdooc.exe	104

C:\Users\Admin\AppData\Local\Temp\d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe
"C:\Users\Admin\AppData\Local\Temp\d3be1785904b0f6d05f97c705b2cdd26e052fd77da5f1345c306b71df50d2003N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\Belebq32.exe
  C:\Windows\system32\Belebq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\Cjinkg32.exe
    C:\Windows\system32\Cjinkg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\SysWOW64\Cmgjgcgo.exe
      C:\Windows\system32\Cmgjgcgo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 408
        29⤵
        Program crash
        
        PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4060 -ip 4060
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
320KB

MD5
fd661b8c0bd6c0725f6155a9d4a46bfd

SHA1
51f792073f3429e869d8c61cab17c63e7b0032a6

SHA256
83c8998c72c594ba43321d6e50f68a65b4395bdd6f3bb411c08a47082ca33316

SHA512
86edf18862d0aa8a51d506b153156c9feaf7f5146841422e94716296f09d9e6125fe179fee0c0578d262a76b3b8a8ae1d70131d24bfe3c5adce16d26d733d796

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
320KB

MD5
01455ad6811974202e89b6f0d4e9190e

SHA1
c2527b725079da0fd7234f36a0aec5361af1920e

SHA256
d414fe8fccc5f7a1203d54c1af130d3de0e00cfe2e1bdad31b76dab3e246ed14

SHA512
d354c10d7b968bf1f308e6aee94815861fcee526561ce015e088502171c38438bc288c958be404cab17f7e6582842fd661f5caa4a7f127e34e79c1b5f9d922d6

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
320KB

MD5
9fa4c59d4bac12ddfacad8585ce4baf7

SHA1
042a5445b10c0402389913d6a47e7b46cee9efc8

SHA256
922dbfd42d3a5cb060fbc293e9dbd4afdf9957385c8d72c034ae7fa68fdf90fa

SHA512
45816f64a4076a09ef1a66151cce95c77f6324520dab56d25e155ce213695f5b8638a4b2abeb25a7896f56752b9f0145513d3c692bf47a5106ca068c29996c96

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
320KB

MD5
608b3805eac4ad511cff9cf90fb21e08

SHA1
9949b851e1b1e4df389bf4f3892326ceb5378c73

SHA256
19fb5e09537ab801526ede19ba3cc8ef787b8f1cc2dda013c0a8788d0baccef5

SHA512
373a0ba1c23f9eea9d0a61cafd69c91e4e005251fd2887acb5b97150a5f755a88d1693fdeb5a748978e0bd4d0025de322d9b5c34b2403e10e96138667ed3f8e6

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
320KB

MD5
557bf761bb0ba2e98e7304ebbb814a2a

SHA1
084c3c83f95373da70179a65bcc472cac198e91a

SHA256
d650d4819828e5c4ccff828fe73d125a6bc8231903301775ad79deb1522ac1e0

SHA512
2401df9695b58269ae2ace835255762d145f10e068807092e91c25d3c01bc69478e2f42c96ce20508ad7a579d0726979513c1a64fcdff54bc0a9112ccd7ca1e4

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
320KB

MD5
90e3b931fd2ac9d2a8d29a8666274050

SHA1
d09e5b31331e5d01b66aacef853340b79dbfb15b

SHA256
6a68a95d1952598435e5f1ed9de7902a4849f4c0a613a8a0420c4cf516f0b1d0

SHA512
aa85ce38e3633e31ca4c5455351f2f9a10c0e24f42a663f6158be9c7ef6ad433f69cbc667fe21a0d7c73ba1da9f4649df5884010098249b6f27bbbf8bd41f4a9

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
320KB

MD5
eacc69681e9cd1f5d0d20fb2d4c9097e

SHA1
a7256c5ec04e5ecb0a4d4ac96b0d1154b96c50cb

SHA256
cbe4f529986557daaf3410d0be08699b838b8ec4a38f2d6c4969a5a0f9370455

SHA512
9dbae1b8cb6c24ede347e9b79dc1074c8fd516c1df2d69269df4cf2ba435f43473b124332ba6bd67efe7a5c268378261e55bbdd42bcfb8013e0641c44387c14c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
320KB

MD5
40fa504feb8f3d8c5dc6feba07e13136

SHA1
025d59a62124cfeebaf42966f768c34ce4abd88f

SHA256
9c696909051e43229a60249fdd4042eea590002af10c0eb1bb3ad2067f7af9bb

SHA512
bd6726b4e466ae0c9829c6103c208eea4332907e8245b568dddd3a51548f62f130cb93495b5bf34ab1c5e894e43f630df480b087adbb42aaafb181c45f5514be

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
320KB

MD5
6519592d64471b726609e164636185cb

SHA1
debee376e856d90462a1016a7238e69d3c0368fe

SHA256
bb2f3567a9d0586eeed07bd8cf8b3d571c5088ef3581afcb44938fb50d6aa38e

SHA512
da2981e9a202e3cd3cb9f52d4c08359d75857d1a04a428a403aecde6b572492ee0992407559105dc97381e74d24356f9af32a47dc580cd4b740338853002eb1c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
320KB

MD5
abc18d4f2a8b76d47476126e90c1c772

SHA1
6b2ff05786d574c718092cccdb7a33ede0a34925

SHA256
dec5f4e28964c0c31ed786d23ea3ea1513563a34ff51c53b843e894a72f6fd49

SHA512
2c4755bfbfb2edd390f1039e24eb3b7ac31a6bb63fe1f6faa399d83264d73822dfa6317426e98a277dc346af2a244463dfc8d2a4a72ef9a65b9118f59d80b790

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
320KB

MD5
b85588b58d7347d2707e2288805bcffd

SHA1
06eaa36cc16f73670f35432183fad3a85fc0336b

SHA256
cb6bf7e67d13bade4379a96ae570a3958db0ef975fd75c4cb86ae8d8df9b12ff

SHA512
7ad0dcb93da21dda48e72adf5cd98b8e644469c4b65af5d5a3f822e786a9df3dac945748d9f975d5bf5d34e5555be941a387dba2df01d7168b2630a6306fc9e6

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
320KB

MD5
a95b30e762a480bb80082cf4e65c1e24

SHA1
18ad56c5e68fa35ab151d1d7b9ff5419788d2f16

SHA256
a9362d67685dae52d7d68354248a1e383505241e2f453809958ea7adc41e0465

SHA512
9e01b006b5a9660f0d46defe3a911ba36294de5f62c6b980d09f51365f71e0813aaff3197a324e2f9c530c6e62be3f2c237e47f24f0ca9281aa6d66cfea38620

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
320KB

MD5
4a1f51b103e21101e63a993003aed1e5

SHA1
077aa6fa1bcb586871aa42f8e7484d6a7cd33b68

SHA256
09924cb0b31bf4ec36100c186996e3b4dc75363abee7d759a48ad42b452d2e5b

SHA512
0cf5c14ce1de24ca08e5072cbe6476ca867dbe189b809986fdb894417326203d7f59bcf72d66e93a1224eabab4f4172f69c7899af4ad93790d5d47fa72255212

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
320KB

MD5
32dd794143350391bfb83c3a070e6305

SHA1
1e75fabd9391e3f96c6ecd165b11b4b272594cde

SHA256
87cd2444af4fcb98c54b7205f85e471cea4fe0ad464d0c7d4f8c23f2fe53edb0

SHA512
33dc465da0f12162129e3828842c2da5ff94ec23bea38bc510be975f8316a7166993f3408d8e1b4beaff74b0564f6fe83b1824cb027d3deb4d9565eb753e755e

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
320KB

MD5
cadeb6d831b5250eb66298cfabb7b1bd

SHA1
a37c5746c6bf5aefa62ffdba4d7f4ac2a18063f3

SHA256
a542672b77e1138501e40f437940788e86cedd32caf3abfb04ee25476081c968

SHA512
c0c28cd323db863825efcda7bb5351d29c8df4533942f358aaa09994aed16c145a5dba3cdee7a52c2683d858d6b4ebf20beb1388b1330e790750bcaabcbf6680

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
320KB

MD5
e3e7a251e338b696d9b78226e27f6d90

SHA1
2e40ce9b52a26c1444a828000f1104c820acecaa

SHA256
3ec186a0cdfc01b8f7760633a7a3e99ac73e41b2081309f25d46e8d3bec28432

SHA512
2813e83dc951d6485e4be5de7faebe91fc6046bc81a06e0ff46b339bb0b4b7c7636dde61f38b5fc19da84fab2c164636d66da090a7e4a3c5b242db33acf4b67f

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
320KB

MD5
468dd8ec19259d503ebefec8c331c5a0

SHA1
56e81c2dfe78dcb30b77ba8dd7f073b5e11ab53a

SHA256
db08ee404199ab1e799310015d4c2dac0070015336df36b293d329e536d75ebc

SHA512
da12d91a7df2b5767e0fe774bee5ed358294ca9995e115a4a86dd9a335b5b9c88881f4ad4204b819044a99b7a54feeb1f8f010a028423e1c6cdb947971f9c8bf

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
320KB

MD5
275869a3384d183d4e393eebdd5c11b4

SHA1
8dfcfc035268f0db0a2b4fd3b7f394cf12b5ac37

SHA256
ecd5140d2bd591fc3874aa7faf039b28200f88cfc6b20e727cd02fbdb607bd4a

SHA512
e6773cb0a23fedf8ec0bd0708149fc3cc16cd7754bc8dee6ae45eaf23d49dcbada69cbe71bf29c77dbf637475fb139f79ff8154c00e4aecdb83d542ec54f8607

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
320KB

MD5
64ab41bf66c7ba6c1ac28697dca2e668

SHA1
917d713a74411005c3510de0d81c10d42a3cc26d

SHA256
bd0986df20a097f66e464c329c49fad90a2681a9e48caa516902134d1d5a7fcd

SHA512
7130eda5715769160d0b71cb3708b03650b90f26981b421f596d3ccbe823d91b1b377cc5fd8ecc6941dd5000f7646ab7ccc67286bfc99ceb3e36176096ff58f1

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
320KB

MD5
d67ecbe6be38ec9d8a3050b2d8ee4366

SHA1
4890ee698eaae2f79696f37bbcb5cd091f203415

SHA256
6d0739dc6bfd2e2a160741f4e72ec478942cdec7de60115c256c698f529d8631

SHA512
b14d84322e9db9e0843fda4ce67c99fef2b7072126361d9fca25521c1a6b62790e7ecb8a16ec2579f827debf675855eff5f89c660b13563870ecc4f9c6645df9

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
320KB

MD5
2ca93706cc8506c2e3cc1cd4af2dfa11

SHA1
2cff188f2f7bace8251997d3d3fc995223e50370

SHA256
0670a339d3e45a8238bbd65a76778bdb35635b82f2b69dea4fdb97171905544a

SHA512
9cd1dd76014722b932fab556b43970866dc65dd2e12d349d3516c00fdf168d84f058d18f9c92293ff72b73200f97d6db0ac606eec73d0c90d33a7aee1cd1dff8

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
320KB

MD5
342eee3996f68b9b5429bf4ab9b74d22

SHA1
f2c83a39f98c62852460454e36ad300f30ffb0fe

SHA256
81511ee9230a4e7bffa69f97fbaecf8c1d8b30f3eb8967f3e0fc1ba04f01b098

SHA512
abf5ca79c571ab1dc47e35a5de54fbb216876317240cdd274c40aa8868443d07813b9d1b28abafccbad1468613019fa2e57eb0eab3f318acb46216bb4ca7d302

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
320KB

MD5
99dcd6e099c07e1b66065cf1c6693750

SHA1
3e01a8225c78ee922ad054c9aec7713b9e6a5cd2

SHA256
35e4b0431139286b8a485ae508289241019824c00bd4e4784ba879a10755339d

SHA512
9dbd805d4c2fc28288f70ffe29bf328b0330e757a6b907a588cc2ad5bbaca7e1779cbe0888f75a5383bf63af93f59339332bb499713d640ee66910e043f8d939

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
320KB

MD5
2789006ce0ebf6558dcedfb5901c7515

SHA1
71ed78ac850050dfb34c3446c1853f1b726648fc

SHA256
fe1e948d5ab3bdd18a14f84d8b7a0b72d9d53fdd69329c94ababda22360a6fc7

SHA512
a4e9e0b259f6302ff30d47855cefba6150b3bfa42fb59f4ae59d554284e8f268071220e3f1a127faff5b94a14734097e06f3a6729d5dffea7e17fd2fe80541aa

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
320KB

MD5
6ad00711aaa5cde4bc93fa565375e2cc

SHA1
13ab80c96cf3c0cd66989fd85df860fa4ea2b6ac

SHA256
0d17c6a0bfdf688b7d6abb62dd1a10f805ed2edb615ac0446d9e6521fbe973cd

SHA512
2882f81fd9d50eb9757ff3512e80022060730ecb1d4dd66fb7105aae7598a5461f9fad7f369af8835f41fbb184c97bf0e46cbce4f18485df1c592c2d75b5c244

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
320KB

MD5
b70ecdc3fdfb8b61faa0bf20e1546c29

SHA1
abfa22edf0516aa4d13610ca9df73bb5a6cce19a

SHA256
76f38c6158fd82cc41c971e2eb474f9948397be4aca7320f2c2b09e1add22655

SHA512
ffe80d3bf5150a2fb98677faefa56838dba636853f51271d0d9b2aa120c98d5f8f52ee873de640d898410b706cbce092c93714afccffd2813f618d4527e15d73

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
320KB

MD5
e64129198b31462d807c8c68b0ddca99

SHA1
af8c34e4cd6adf9da3aed845348da5e194f288c0

SHA256
d13cb3cb08289ce4cef55f87097d14ea4886b7fc045f78c1ad88bc80ca343204

SHA512
931c739777480a8a2dbbbe8d9d73aba87a429b4bcc859f40a43b23fbadf2c811684dfe16e35b6ff7c2b2ef224e91d72026a466366d76ec75f8c55322ddf2124c

Download Submit
C:\Windows\SysWOW64\Ghekjiam.dll

Filesize
7KB

MD5
fbe88d6eebe3720416a95d886869d105

SHA1
ce725c4d5ceb6e3e52a02fac23cdc227144c7590

SHA256
0ea76d597c8178dff6c6497e682be01e934e6f991458614cc07866b8084c9963

SHA512
0243f47dc38f6541f1439a62f9780c201018295c3f6dc5d647502f8d49c3eef15b1ea1df901545b1c7314ab26a15fb95194c2c07491e09b32ab0b4d3ecc0aeb1

Download Submit
memory/348-221-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/428-225-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/428-179-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/900-233-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/900-147-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1420-72-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1420-251-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1532-172-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1532-227-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1712-259-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1712-39-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2000-116-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2000-241-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2332-87-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2332-247-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2628-253-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2628-63-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2724-219-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2724-201-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3156-223-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3216-243-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3216-108-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3252-155-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3252-231-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3496-48-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3496-257-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3520-261-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3520-31-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3736-23-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3736-265-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3784-249-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3784-79-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4060-213-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4060-215-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4156-229-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4156-163-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4328-267-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4328-7-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4444-235-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4488-237-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4488-128-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4588-245-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4588-100-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4636-239-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4636-124-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4732-56-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4732-255-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4780-24-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4780-263-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4804-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4804-269-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4944-209-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4944-218-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads