berbew | 7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
Size

364KB
MD5

d5d2b33e1a15416278427c7d9c21d231
SHA1

4104302cfc06b4ecbd12577c44d8cc5d49c592d9
SHA256

7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd
SHA512

a1ff51d418ed93c2fc2e699ccecc9210460400c94b39b3b55c83450d3a2ba6439e3dde2ca1928effe666cc1e86b30fb44439e024c1a6293436b4137a93dabad7
SSDEEP

6144:y5eEU9HqdVzQr47V+tbFOLM77OLnFe3HCqxNRmJ4PavntPRRI:y5eEURYzQJtsNePmjvtPRRI

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 36 IoCs

pid	Process
4956	Bchomn32.exe
1940	Bnmcjg32.exe
1668	Beglgani.exe
2864	Bnpppgdj.exe
3460	Bhhdil32.exe
2816	Bjfaeh32.exe
4608	Belebq32.exe
4476	Chjaol32.exe
876	Ceqnmpfo.exe
3512	Cnicfe32.exe
4348	Ceckcp32.exe
2456	Cfdhkhjj.exe
3420	Cajlhqjp.exe
5096	Cffdpghg.exe
780	Cnnlaehj.exe
2828	Ddjejl32.exe
4588	Dmcibama.exe
4008	Dejacond.exe
1844	Dobfld32.exe
4856	Delnin32.exe
4012	Dhkjej32.exe
1496	Dkifae32.exe
1064	Dodbbdbb.exe
4600	Daconoae.exe
700	Deokon32.exe
4168	Ddakjkqi.exe
1892	Dfpgffpm.exe
1680	Dkkcge32.exe
4988	Dogogcpo.exe
2956	Dmjocp32.exe
3092	Daekdooc.exe
4416	Deagdn32.exe
3452	Dddhpjof.exe
1124	Dknpmdfc.exe
1200	Doilmc32.exe
4832	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2500	4832	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4956	2324	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe	83
PID 2324 wrote to memory of 4956	2324	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe	83
PID 2324 wrote to memory of 4956	2324	7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe	83
PID 4956 wrote to memory of 1940	4956	Bchomn32.exe	84
PID 4956 wrote to memory of 1940	4956	Bchomn32.exe	84
PID 4956 wrote to memory of 1940	4956	Bchomn32.exe	84
PID 1940 wrote to memory of 1668	1940	Bnmcjg32.exe	85
PID 1940 wrote to memory of 1668	1940	Bnmcjg32.exe	85
PID 1940 wrote to memory of 1668	1940	Bnmcjg32.exe	85
PID 1668 wrote to memory of 2864	1668	Beglgani.exe	86
PID 1668 wrote to memory of 2864	1668	Beglgani.exe	86
PID 1668 wrote to memory of 2864	1668	Beglgani.exe	86
PID 2864 wrote to memory of 3460	2864	Bnpppgdj.exe	87
PID 2864 wrote to memory of 3460	2864	Bnpppgdj.exe	87
PID 2864 wrote to memory of 3460	2864	Bnpppgdj.exe	87
PID 3460 wrote to memory of 2816	3460	Bhhdil32.exe	88
PID 3460 wrote to memory of 2816	3460	Bhhdil32.exe	88
PID 3460 wrote to memory of 2816	3460	Bhhdil32.exe	88
PID 2816 wrote to memory of 4608	2816	Bjfaeh32.exe	89
PID 2816 wrote to memory of 4608	2816	Bjfaeh32.exe	89
PID 2816 wrote to memory of 4608	2816	Bjfaeh32.exe	89
PID 4608 wrote to memory of 4476	4608	Belebq32.exe	90
PID 4608 wrote to memory of 4476	4608	Belebq32.exe	90
PID 4608 wrote to memory of 4476	4608	Belebq32.exe	90
PID 4476 wrote to memory of 876	4476	Chjaol32.exe	91
PID 4476 wrote to memory of 876	4476	Chjaol32.exe	91
PID 4476 wrote to memory of 876	4476	Chjaol32.exe	91
PID 876 wrote to memory of 3512	876	Ceqnmpfo.exe	92
PID 876 wrote to memory of 3512	876	Ceqnmpfo.exe	92
PID 876 wrote to memory of 3512	876	Ceqnmpfo.exe	92
PID 3512 wrote to memory of 4348	3512	Cnicfe32.exe	93
PID 3512 wrote to memory of 4348	3512	Cnicfe32.exe	93
PID 3512 wrote to memory of 4348	3512	Cnicfe32.exe	93
PID 4348 wrote to memory of 2456	4348	Ceckcp32.exe	94
PID 4348 wrote to memory of 2456	4348	Ceckcp32.exe	94
PID 4348 wrote to memory of 2456	4348	Ceckcp32.exe	94
PID 2456 wrote to memory of 3420	2456	Cfdhkhjj.exe	95
PID 2456 wrote to memory of 3420	2456	Cfdhkhjj.exe	95
PID 2456 wrote to memory of 3420	2456	Cfdhkhjj.exe	95
PID 3420 wrote to memory of 5096	3420	Cajlhqjp.exe	96
PID 3420 wrote to memory of 5096	3420	Cajlhqjp.exe	96
PID 3420 wrote to memory of 5096	3420	Cajlhqjp.exe	96
PID 5096 wrote to memory of 780	5096	Cffdpghg.exe	97
PID 5096 wrote to memory of 780	5096	Cffdpghg.exe	97
PID 5096 wrote to memory of 780	5096	Cffdpghg.exe	97
PID 780 wrote to memory of 2828	780	Cnnlaehj.exe	98
PID 780 wrote to memory of 2828	780	Cnnlaehj.exe	98
PID 780 wrote to memory of 2828	780	Cnnlaehj.exe	98
PID 2828 wrote to memory of 4588	2828	Ddjejl32.exe	99
PID 2828 wrote to memory of 4588	2828	Ddjejl32.exe	99
PID 2828 wrote to memory of 4588	2828	Ddjejl32.exe	99
PID 4588 wrote to memory of 4008	4588	Dmcibama.exe	100
PID 4588 wrote to memory of 4008	4588	Dmcibama.exe	100
PID 4588 wrote to memory of 4008	4588	Dmcibama.exe	100
PID 4008 wrote to memory of 1844	4008	Dejacond.exe	101
PID 4008 wrote to memory of 1844	4008	Dejacond.exe	101
PID 4008 wrote to memory of 1844	4008	Dejacond.exe	101
PID 1844 wrote to memory of 4856	1844	Dobfld32.exe	102
PID 1844 wrote to memory of 4856	1844	Dobfld32.exe	102
PID 1844 wrote to memory of 4856	1844	Dobfld32.exe	102
PID 4856 wrote to memory of 4012	4856	Delnin32.exe	103
PID 4856 wrote to memory of 4012	4856	Delnin32.exe	103
PID 4856 wrote to memory of 4012	4856	Delnin32.exe	103
PID 4012 wrote to memory of 1496	4012	Dhkjej32.exe	104

C:\Users\Admin\AppData\Local\Temp\7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe
"C:\Users\Admin\AppData\Local\Temp\7e50d96cc4daee3a910b1b3496cfafc9703c2ffb56642a6fb20532799aeebcbd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\Bchomn32.exe
  C:\Windows\system32\Bchomn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\Bnmcjg32.exe
    C:\Windows\system32\Bnmcjg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\Beglgani.exe
      C:\Windows\system32\Beglgani.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 408
        39⤵
        Program crash
        
        PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4832 -ip 4832
1⤵
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bchomn32.exe

Filesize
364KB

MD5
4ebf09dd2fb316c88eb3a6327071ab31

SHA1
587631ea57d4f35d6d56abccdd9eaa02b0554309

SHA256
b4f0b9bcbf55ae8eec248adb95fa992fec67db8a855358a44891243be95aaabb

SHA512
0fd649f753f5cdf0755195760c97b7bed97703181452a69de57f3b059b3692f0b792e4e697cd47881872a58c4f9e5e04568a52c430bb295ff9a14191958c81b2

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
364KB

MD5
b53402704e47ee69ff9b171475c6fdc3

SHA1
04ea3b7f157b36b447ac68ed70156de5b833d00a

SHA256
e367b371ae433e2de116294f59b92521023206063d7e4222bda4d86046aea199

SHA512
c6defd590ed511729cfc415d290d12e06b1e6bda5f664c138265ac566cf7e728270feb84881d80949b0d118020afabcc0f446624fe160a10c4af7209fb676e06

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
364KB

MD5
60bbf3a5c1e23e77039b7608862759cc

SHA1
84a8b465ff463b8f534f44979a954ff17f1df1f9

SHA256
3dd62340db90807b0a01a1028d93b74c176c6c3e6451b96f3c3faacc1237d2b9

SHA512
bce0d10dfed0aabecf413c6f4ccffcb75ec9eac6bb3340b47b607cdb43c5dd96a3702dc60f67bbba4ebfbe04e9e46de4b7901c88ef0bcccb2d036654d83436a7

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
192KB

MD5
70ad35f51f009ffee3dce1cc8454835c

SHA1
bca08aeeb070e112189ee72197fe4b39c2153f61

SHA256
3e4159db0197c1b7bfba992ecd231c2c782b749fbb687f36c86c731093fa4e5e

SHA512
341ee87536878cd2befe1bac02f1d014242343a1a1138d6f3e71a9d3d931fec4803c69f5d9eb8c4a9f810e2cdf1d860cf229fa00e846f02c80942337daeaaba5

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
364KB

MD5
14616c42a1825945792af64050cfabc5

SHA1
34fae21ddcbb703db5c99bb6bec27b67ff83e4b2

SHA256
79e8c6499449cefa7beb7474ca80e790909bafa3aca7ca752b6f71ac2cef46ad

SHA512
0c6be224a3ba5c319862fe05ceda9a7b0eca8554a224fe47d2bdb6b082db8874e8a72a2a200f441773aac576758a16f9194979f45f63e057204cb7ad407e2312

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
364KB

MD5
008a3749d1f1fe7fd6e783fdd425ae62

SHA1
d76de22ea9550047cf0e7a7d4391fd75e7440b95

SHA256
6384000619e62c3c8d71e674e779207254ea0b9eeeedfded070558079e71e782

SHA512
5259877d036f59784ebec4707b0673a48b472a774c3596ef2516d8cfa084349f264e851b0a9221fe0567afaf855e678a25fc2002fe963d8920805c205628d8a0

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
364KB

MD5
a6a910aa6a5fcee571f5a5dda4976df5

SHA1
0945eee955d4f9335b2cb1eaf66b3e41135da8b3

SHA256
4e0e4bf92f31ae22e576fdc00d5b31fbf6ca33cd8fdcd42ccf0efd77ce88ba18

SHA512
7ea65420e4bda784fa355a24d3d2f8f615c7d184201abb327483442135be4e41f6deea2ebf5cc9f1004d6a64fedee503e8b723e8285e7fbcc808e838cfda22aa

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
364KB

MD5
2e15ee8cb989d15d2281c7609665c0aa

SHA1
ecb891a4a5d7e4412cf701d1c990d0ae06d8b79b

SHA256
e90e9f0fbc352fc43ba3a565b003e385f2c841cca6da0a4c3b24f4f093e1436c

SHA512
63fad55aec03dba28c4474fd7c5f1afb2c83cde3c9472f8f2b1d93471ac8f7122c2748e92f78fd7b0a062cb02f1e6b776f1287b3c75295991c7b78db3feebafa

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
364KB

MD5
4c328556562e6bf72d2229f91c18b7ad

SHA1
f8acd642170e7cedab3be6304439ab5d0ccd4fe6

SHA256
acd6c338fef03b058de5cb26691a7158431b9ae212a4d8ae25924092a4d03354

SHA512
3acb7b1f5bf6eed1a789d3bb2051f7e9f8d9a7e5962fe9c9046c6dd9c726565e34b8b12e66a5b2cb8d9197e1a986ae8a7824ca201d74774739ad36ff92de101c

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
364KB

MD5
a754b9d7919af57997a2c7ab516adaf7

SHA1
83393b8491e12a45be82201b1530b40ef4197ada

SHA256
b8745cbae5acb1eb2aa053de7e27a4424312f902bf73a8fb324358859d383b1e

SHA512
5e3cb2a6afc7840990f03a92c9e1d6db77d10084a9d3285c75246c80767ed32c4fbae8d6cb7c6fd7b82c6341c3bdf1dc9ba2cef0fd26f41f15cf64fa3a202846

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
364KB

MD5
a6a0f2b92045d3acd2e1007791f57ea8

SHA1
4cdb3323337e607a69555209eaa0cdcbc308678f

SHA256
960b4956c0d4b68e772191514acd47d3b4fb4cd1ee18609860d0f95ab1d89450

SHA512
bad666c1e66a0bee311a8ce05336e78f8dea0ea388f809e3365ff7443c87826a861c823bcdbbaf271ce2ee6f352e355c11b07538b580010925b7cd29a08ae93c

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
364KB

MD5
cd6966abefcb31b2988f1c0fb9b5999d

SHA1
869c14693af24e6a9bf4237a2b544c856544a411

SHA256
0056164da52f0ff4048cbde7229e5919ed963b3eac3f5f43a779f59f228f3068

SHA512
ca80207ad49f8678092ea8fc261617ca0d2b00db963d1fdb59b1fbef3f2920b97f6c8189bb041d439e3893a1efac05dc8fd62d45f1608bbc421d0b3174c8c840

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
364KB

MD5
d6721c22e0aa45c40a4a3b1a4ddd0e56

SHA1
f909af898615bc0385c55bb0c4a33565b611c158

SHA256
7f0fea0561f86d8f8878ccf3d45836696f05ff678357b3541d65c9df06f14375

SHA512
e3b7b57d2f4f55b818b76d6636b990bd18ba988fdff201c775dba742ac0c1347fdf207087cabc5f4efb052598d903dfc786fcefdff3fe889113b9c60003b0886

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
364KB

MD5
2d1c0c9117bce2aebf9323a310c530ab

SHA1
27c2e1af3fb2a03e6cbf2c697ec65c738ff0518e

SHA256
64588a35235ec6d713979d6ec5e39c8047608fc7514c808acaee003e0a818e90

SHA512
3ce11a618f8fea382869f194ba7e5357f8d147ce0cb73586487da6f47f524d0ab41862e5d3c73fab5132a9cc1f3c8d54c3b22eef0a483ad534118275fec61a61

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
364KB

MD5
26678c6f2b79e7368203261df430050c

SHA1
789018d6296d7c86ffe9d0720dfd73cc8bc509a9

SHA256
09f9ba7b3c2dc72a917939cf69791c5248f0a30419728d88d7a81f30c6d0f562

SHA512
f9b14b9d7cc25f9e803438dc21547bd45754d9bbb3cc9c05d48eb701f1a818eea964be6aaa73c087f3c3a40bd34d22aeddf4c37103ab16693b128ba8590f7bf4

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
364KB

MD5
b0352f7fd107d4b88b997063394faee9

SHA1
1cda4edd3bdd569353cd59f8819d9ce3c6742171

SHA256
cff945de9a2a9795eaeb5ca1a057cce9410cf3f07f661a02146f7e1212a34699

SHA512
bdc99e3e7335a77cc3a309250ecae754884f36222a949998a3aa777c9a98e53135bf602e30caf9f5b05209ba280e5904e599133ea093087304e8a8e77a51cf92

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
364KB

MD5
ebed27e610872e15c53edeee218a3fcb

SHA1
9d0fb46375bf71d82d612e78364def411895dd67

SHA256
773826ab04bd49b34c17dad937b6041e8fa850de4bc4febbac74772326e13a0a

SHA512
fc628c2cfc3f193109d96be63978725bb099c792e991dc5098f25788a44cb6eea8e7d91b53f31dd0d1d971c1e8f4025380e913ea930c2047af8cb3b87776d470

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
364KB

MD5
badb92afbb9281c88326dfa0ee5d9377

SHA1
10ccc3dace0527d0edbf445698aa0fc3cc6bce0f

SHA256
8298148f402c5e248bee01e82f9ab9219514b232a87516f75a3c4eb18d2916be

SHA512
d2b8b11a1c7e7917c2f782e30decf6436a2543573b0a276d93a813bc163b604be9e56090f03a73c1bf17e023e24eb7599dd8d3d4032a66d4dc80e0c2dc7ca081

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
364KB

MD5
677c6b76e255f45d8f75cf4b699ec2ba

SHA1
553d96780e940e3b0dfd48599c07e099db3856be

SHA256
3d129f7c84714dda04f64e4f554ce4171feae6a4324f6c473282abdbed239613

SHA512
0ceb58113830e26dda9927e7cfdb629a389844c56668f8dd395615882688aecf1cd60f43e2b31c829d4ce5c2a3e7e646f199d22c1350c394107cfecdff0ebe8e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
364KB

MD5
2e590e68e590eebfdb8ae191c23cd692

SHA1
2f98d3cd3f47d258aea7f2f11c96b25bdce28682

SHA256
c8ff30980c6414144b5585e1516b59c511281695b03db40ab0c58e99104b777e

SHA512
25fe46f23375e71fe68a7db8fc9cd073be4497e796bed8c56a398cd16f41615748502b8f542b9f601cccd2ed0777a7e6848df927b035d504e42965a5030982f8

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
364KB

MD5
1df755e0dcfcff2133a8259d56dc2438

SHA1
21113b9c7a6fadba4f3d9edfb8df6b77004806e9

SHA256
4bbe0ca5bf8fd0c8c327b5b13788f7dda04ed8cd45f5188a89fcfbdfd59869e5

SHA512
a76eeb87576e1cb7572008ac7b7cd88641c0cf7884efa08bdc56025ff3b97206fb7a36c089b7a3aa441f335be2ec0f206fcbf41f7afe379b648d63d8e7900edb

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
364KB

MD5
d7eb6c2c88d693495efd6fdca4142a68

SHA1
4c108e50cda0f484a5e97acec6acccc0876254ab

SHA256
89ba29a03fd284bd1bdb9ab49ebdfc2a34aabdf9cd9705ebed1fa758df539424

SHA512
5643f7152d702c23fffe4fc255eb6ac2a1d6586f4b1ddb0e2ce3d1cd0ee9c5709b83d2c876244a34916e6b9c2993bfb7511e28ef8480baa56f49b09742fba5b9

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
364KB

MD5
449f529210a2fed44e5ce43f251bd62a

SHA1
8c6c68c61db8110ea9792dd6320733a33581b283

SHA256
f1c6446ef0e5cdac5044eb4481b21696689501d67078ed61ad618791e5da6dc9

SHA512
23a60c003a424211900d87565a7caa04a81c8ca391a903d9af707b9a3ffc1ca6d035f7875bab008f6b630232a225b6cbbd4858ed0bb611723ee0f0d48c39aecc

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
364KB

MD5
8eee36211ac489f2d69c31af1c399bc7

SHA1
81e102705c1df412e1c2cd298d1a92e7f98e60f0

SHA256
2b136250b0b1fd2c90a128a32fcd87097f0ac975e3bd17f0150823d6ca1c3d13

SHA512
1fc0aed8ec6b52515fd03fd46ebe2d74df6e00ccaa701235f5fcd5ea3eb711f37257b8e2ef96521045f69ad50fdecd8e9d616f15f812070dabf93b2164503313

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
364KB

MD5
b10cf54416bb3c7c22b030a9fdb1f81e

SHA1
47f29717aaa1bb9095b9f8b54002b7e582229f28

SHA256
d4f57ce126529c9db4c351932b1bc965df5733ea8df23aae19a84bbc25915161

SHA512
7cf36c33ed701d91e6b1b2bb23866abbd4a10ec4f92855b59502386aea11d3d14ee1d5fa68e720616818436d09cde6f9b89aaf2845248c185c1237e02b65ef7a

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
364KB

MD5
91dffc730d10838ba0caddc7a715ff27

SHA1
fc9cf499a60d3f2a4372c0e8133823c44d99b827

SHA256
e5331a6d3e190cad61b6b34b5fb6c1a9463c6e813fe580c8359f9cc12bb2e376

SHA512
6802b4bb745cdcbef145cff68d9c1909dbc4fead5b14f3ba0c592b84afd3a5b656a944e6e8cda03e1598b8b95468c0c7cd0d38698ec01ec09975d18e946c3925

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
364KB

MD5
326e2e47dd2b75250dddbb6fd1b3fda9

SHA1
e9ca428a4c3083166462224d48df7814b813d707

SHA256
5e7f6c781a8de7755fb9f65add253616c5de648d27f5ac2dfa1579a7b6cf647a

SHA512
2aa9a68aa767a8a13cc4032abcef68b559982035be4f4dd92fdd6240dfcab25e714c33d9ce7cc73cdcbabba5c1475da698f7553106092927e2fdb68c34c818e1

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
364KB

MD5
cb6a2c3faf663b010ab0edc3233369c1

SHA1
588200b87b01d688be8807a84225aaafaa09c8bb

SHA256
736b69c8b0f61218a52ac1f596db894165788bf4c27389376c23f7d46beeba4f

SHA512
629f256ea470690447eaa5fbd37feff05eb9099927e02171a2d4ce173f4424cf1dba1ee2cbc860d037cd1d0e28ca991f856b5e5ba799981b175a49772e5e6e31

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
364KB

MD5
529314363e52b61695719ac52d3b6770

SHA1
02dd65247fa6bd51a8a6dfd5fad7afe48831bb1e

SHA256
2c493f4a9b527cb3152c8033f0863976dcd6366cea5dcebc8f0f3749b7bc56a4

SHA512
ff4146f791bae4bfb92c486d0948a856067cd2a6ce20d8081510be09964275a4b1466933e9c48d0ea204d1010f8ce3ef4837871ffdf69063a4a3d199674c0271

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
364KB

MD5
798c41a3e713887febe42933ef382190

SHA1
92ac2ae5e7d6898064c4b392f4224335448d248b

SHA256
1f8d608add75aaa567aecdc691143f25fca062d3b2c761699b6da78c2fd69b56

SHA512
d6a7d2638e4b44a94e7a89af1198218103cb3e5a2fb0c41f352f0c112a7ff402020d9aa016487162877949e8ed1a3f93ffcf241a54f3160f9e0f6b602df85821

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
364KB

MD5
b50f90b50ace4ecbfb80dffc3c73015a

SHA1
fe36cd3c52b27e24e2a3f0b36f9599b8957100ec

SHA256
e3df54ccc99bd7d5abb70d6ff89e298cb11ebe0ab1fd46eb89e7e068c4fd9b18

SHA512
f46f3dcdbbd2b23c494b68df28210fb6fa1f86eb04d2bad404db20a9742896b35074d330d90a79a6f259619a0e91e77808a25d61345ad7e88f55b9fa3fa46442

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
364KB

MD5
4d7adccba235cc1e3698ecda98e97842

SHA1
c4f04b757c23c5954eb146ec43e408b0ee728fc1

SHA256
06d8cc0716b3a6107c8f8acbc89ec0e55c8a305cf0391edc0711fdaae4f94e61

SHA512
7508538d49753a3d46dc02db6f1556c89075607f4a549d17dfa57b1ae5c0d0e941fd0bc776a209dc76fba61ddd82533395e3d1ce2de9d0ec418fd58d9a5774b4

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
364KB

MD5
1a39ca43f00a34e964b80b046941edec

SHA1
5034a1c71bf417f6b93b74b514858324099c94fe

SHA256
f3e90a4016e1b23914f4cd791f72004705cdb0668edd17c67d605224c40e291b

SHA512
630f3ca2e876470f65b544308e86009f1648c00772332d315821ffea6ab71dc232a2c74d399f7ced5bb378c55ffefc9142d29e403a64f3b01d52718a27041a78

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
364KB

MD5
6af1ce2dde6928f03a6072833c3fc5c5

SHA1
a1f67ff77f974e455df273a5d854409d9ad49806

SHA256
e8efba137cd55699f2598868e8cff729e0fee284a6a79f953a69c2828ee2eca6

SHA512
15e7c974b04af38d588beb3bd87a929b624f2c5c88e87e7355448d0f8d46f9900b207fff2b373a2c0aa8646946919966d853ae24b666d3c484f67704c53bb0a1

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
364KB

MD5
43dfb0ae1208b7c1100c49b8303259eb

SHA1
0538197386978b2f30cbd457a3058b1dfb10865d

SHA256
254dc61391e3b07e712c2654f1c2ff68510f024dbb35d4ef7f2ca682661b024c

SHA512
e54f12d690d0b5d96178dbac46d0f82d5a0ba23e541e7d8333f1e89c0196762de9e376f36a7dfa15994d7fd04d7228ad8f5f0764b83b13e0284be60cd20465b9

Download Submit
C:\Windows\SysWOW64\Iqjikg32.dll

Filesize
7KB

MD5
dd6746219b7c0bf13a1cf9969826b140

SHA1
4c1b57476426eebe3b8a683ef995cc6c0884f79b

SHA256
78e21ffc8a879bf31cf678ffbc69f624a4160338c0f60bb92ca2240f98cd2bbf

SHA512
77ab28c9530d6e9f87ac625753bce2a65446b3c79f3b26e4f4d533433f054e350daff6b8221df410c2db6e0c6be99d5796a16ba877e2d26966fb18f318d19e09

Download Submit
memory/700-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads