berbew | 2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63

Analysis

max time kernel
95s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
Size

236KB
MD5

e081d5fbcd4a7b5588571460747e55ef
SHA1

26ce405cafa14ad211e7be4b8315f2c1da453c1c
SHA256

2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63
SHA512

2835cd877c3db6e1113e212c9de86e18b86bd2872616dc25d7ffb85fc395f7977b4359eb66e27d3e275a26ecdb5e40fb0163e8132abf444094870905d767c9e2
SSDEEP

3072:99pKzkVvElHg/moOQ3KEtUJ9IDlRxyhTbhgu+tAcrbFAJc+RsUi1aVDkOvhJjvJq:99FvhtUsDshsrtMsQB4

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
1540	Bnpppgdj.exe
1668	Bclhhnca.exe
3376	Bhhdil32.exe
3256	Bjfaeh32.exe
648	Bcoenmao.exe
2932	Cjinkg32.exe
4832	Cmgjgcgo.exe
3792	Cdabcm32.exe
2976	Cnffqf32.exe
2960	Ceqnmpfo.exe
2176	Cfbkeh32.exe
3188	Cnicfe32.exe
4224	Cagobalc.exe
3076	Cnkplejl.exe
4720	Ceehho32.exe
1156	Cjbpaf32.exe
3560	Cmqmma32.exe
4356	Cegdnopg.exe
1836	Djdmffnn.exe
3716	Danecp32.exe
2060	Ddmaok32.exe
4756	Dfknkg32.exe
2684	Dobfld32.exe
1464	Dfnjafap.exe
3888	Dodbbdbb.exe
4500	Ddakjkqi.exe
4944	Daekdooc.exe
4888	Dhocqigp.exe
1532	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	1532	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 1540	3284	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe	83
PID 3284 wrote to memory of 1540	3284	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe	83
PID 3284 wrote to memory of 1540	3284	2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe	83
PID 1540 wrote to memory of 1668	1540	Bnpppgdj.exe	84
PID 1540 wrote to memory of 1668	1540	Bnpppgdj.exe	84
PID 1540 wrote to memory of 1668	1540	Bnpppgdj.exe	84
PID 1668 wrote to memory of 3376	1668	Bclhhnca.exe	85
PID 1668 wrote to memory of 3376	1668	Bclhhnca.exe	85
PID 1668 wrote to memory of 3376	1668	Bclhhnca.exe	85
PID 3376 wrote to memory of 3256	3376	Bhhdil32.exe	86
PID 3376 wrote to memory of 3256	3376	Bhhdil32.exe	86
PID 3376 wrote to memory of 3256	3376	Bhhdil32.exe	86
PID 3256 wrote to memory of 648	3256	Bjfaeh32.exe	87
PID 3256 wrote to memory of 648	3256	Bjfaeh32.exe	87
PID 3256 wrote to memory of 648	3256	Bjfaeh32.exe	87
PID 648 wrote to memory of 2932	648	Bcoenmao.exe	88
PID 648 wrote to memory of 2932	648	Bcoenmao.exe	88
PID 648 wrote to memory of 2932	648	Bcoenmao.exe	88
PID 2932 wrote to memory of 4832	2932	Cjinkg32.exe	89
PID 2932 wrote to memory of 4832	2932	Cjinkg32.exe	89
PID 2932 wrote to memory of 4832	2932	Cjinkg32.exe	89
PID 4832 wrote to memory of 3792	4832	Cmgjgcgo.exe	90
PID 4832 wrote to memory of 3792	4832	Cmgjgcgo.exe	90
PID 4832 wrote to memory of 3792	4832	Cmgjgcgo.exe	90
PID 3792 wrote to memory of 2976	3792	Cdabcm32.exe	91
PID 3792 wrote to memory of 2976	3792	Cdabcm32.exe	91
PID 3792 wrote to memory of 2976	3792	Cdabcm32.exe	91
PID 2976 wrote to memory of 2960	2976	Cnffqf32.exe	92
PID 2976 wrote to memory of 2960	2976	Cnffqf32.exe	92
PID 2976 wrote to memory of 2960	2976	Cnffqf32.exe	92
PID 2960 wrote to memory of 2176	2960	Ceqnmpfo.exe	93
PID 2960 wrote to memory of 2176	2960	Ceqnmpfo.exe	93
PID 2960 wrote to memory of 2176	2960	Ceqnmpfo.exe	93
PID 2176 wrote to memory of 3188	2176	Cfbkeh32.exe	94
PID 2176 wrote to memory of 3188	2176	Cfbkeh32.exe	94
PID 2176 wrote to memory of 3188	2176	Cfbkeh32.exe	94
PID 3188 wrote to memory of 4224	3188	Cnicfe32.exe	95
PID 3188 wrote to memory of 4224	3188	Cnicfe32.exe	95
PID 3188 wrote to memory of 4224	3188	Cnicfe32.exe	95
PID 4224 wrote to memory of 3076	4224	Cagobalc.exe	96
PID 4224 wrote to memory of 3076	4224	Cagobalc.exe	96
PID 4224 wrote to memory of 3076	4224	Cagobalc.exe	96
PID 3076 wrote to memory of 4720	3076	Cnkplejl.exe	97
PID 3076 wrote to memory of 4720	3076	Cnkplejl.exe	97
PID 3076 wrote to memory of 4720	3076	Cnkplejl.exe	97
PID 4720 wrote to memory of 1156	4720	Ceehho32.exe	98
PID 4720 wrote to memory of 1156	4720	Ceehho32.exe	98
PID 4720 wrote to memory of 1156	4720	Ceehho32.exe	98
PID 1156 wrote to memory of 3560	1156	Cjbpaf32.exe	99
PID 1156 wrote to memory of 3560	1156	Cjbpaf32.exe	99
PID 1156 wrote to memory of 3560	1156	Cjbpaf32.exe	99
PID 3560 wrote to memory of 4356	3560	Cmqmma32.exe	100
PID 3560 wrote to memory of 4356	3560	Cmqmma32.exe	100
PID 3560 wrote to memory of 4356	3560	Cmqmma32.exe	100
PID 4356 wrote to memory of 1836	4356	Cegdnopg.exe	101
PID 4356 wrote to memory of 1836	4356	Cegdnopg.exe	101
PID 4356 wrote to memory of 1836	4356	Cegdnopg.exe	101
PID 1836 wrote to memory of 3716	1836	Djdmffnn.exe	102
PID 1836 wrote to memory of 3716	1836	Djdmffnn.exe	102
PID 1836 wrote to memory of 3716	1836	Djdmffnn.exe	102
PID 3716 wrote to memory of 2060	3716	Danecp32.exe	103
PID 3716 wrote to memory of 2060	3716	Danecp32.exe	103
PID 3716 wrote to memory of 2060	3716	Danecp32.exe	103
PID 2060 wrote to memory of 4756	2060	Ddmaok32.exe	104

C:\Users\Admin\AppData\Local\Temp\2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe
"C:\Users\Admin\AppData\Local\Temp\2b1a2a0a3ba214d75d935ffc1beac96b1976f383ea965477316b33b60d463a63.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\SysWOW64\Bnpppgdj.exe
  C:\Windows\system32\Bnpppgdj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\Bclhhnca.exe
    C:\Windows\system32\Bclhhnca.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\Bhhdil32.exe
      C:\Windows\system32\Bhhdil32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 396
        31⤵
        Program crash
        
        PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1532 -ip 1532
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
236KB

MD5
61795744c24e843646c54677c0ae6bb1

SHA1
3af0ff10cc7bd04a9dcbc57f7ceba9693560aa18

SHA256
d3b3fea14ca98ef93f1bfd79ce2073ba5adc0616e5d73797a8217fbcea464688

SHA512
39347ead00d8ae00b7d215560dc95613c724fc25b79d615b53921798707b85f9b7325c0ffa97b2aa620251ee2d31046f0b06bdb495e49cdaa31f0ccf0799e59e

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
236KB

MD5
d11a0b466543ce92efd290cff57ab3f1

SHA1
2f0ec904975c961beddda6794eee5c153249c099

SHA256
54cea07b2a6bdfe8f42957414fafa47f5fd039fdf65bb7d0405c62c1d4bc2547

SHA512
b4ec7a3d213ca665402e67714aa56aa6efc1837528402d4bfcacd5f95cd81862886904cd1c7d7448a30638e9d92a2780bce40d9d4b25334223d3133125678877

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
236KB

MD5
bb864631b5e923261459c228de7bb04b

SHA1
4f2606f5ea447e1e37405d40b20c13597eba49a5

SHA256
65c192b9a7fb43b042ef3250c1b2981956c86373e31af9df3a87fe3b36646ab1

SHA512
e9fa0e64846bae8c4a9764fe6ba0e022eb9144b637edc499d8d92836c031581af624a4673be66f36bff3b71d317dcbf7e4da766e796e472189c8947de9939e98

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
236KB

MD5
2db46c4f84c88c990941e7deae11d2ab

SHA1
93e2e530ba36be2ffb9ce01adeec54fde9537ee6

SHA256
9e51431fa1153b9330466d932d5988ec0fd6d6d122a168ff237016fb5fc5efa9

SHA512
b6ba3927f345e7c02b6561712040df589cebe1a40f7bdd2e2bfd99983bcfb13971293f4e01a0a1a7a2630e38a22fab6a84880c108b18dcd2449c2b05d7cf1749

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
236KB

MD5
32b07307588684343a1b5877298a7caa

SHA1
f41dbd3e7a9168b4a7417e345287d6a31f8b2000

SHA256
862d9381e14b6accd1a3e4e4ddf1be58f9b2647150505cd1f22171f75c2b2276

SHA512
f079b45e7c28baa4bf43c47115934a01faa0553dd70cb9464d2654114312b50ca63588b81de61e967c01e1667352c40acde2a0a9951d8ad42dc3e025431452fe

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
236KB

MD5
54bbc07e628776c2c6c25603666e9a68

SHA1
07a661a181ec131a34206853feb108f78d790cbc

SHA256
bc4e850b1108c72115df7c10e0740496d2c369aacfb59c23d9930c05cadca68f

SHA512
99c0de93933e0bcee88cb63da133e0e3201fcdf5fd6ef5975f0ecc87eb6808d9d07e6127c737d2031adbae70aa3892cdfa0dd272be98cf33e9783a044cea030d

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
236KB

MD5
ccb94906f4503442beafe27a7b609fe1

SHA1
82c74315975760dc929840fd0e830bf14df6fba8

SHA256
0687c71c57d11c055da8bbacf440d8af48c8b237ae9d47bec4ff300d53ff8d93

SHA512
133bc3dbe41e5152b4384606edfdb8426659d39139b81380902f2eb45f5e68b490670d7e6ee7eb96c847713b32f270c16b55bddfec50d771b9d42579849a7858

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
236KB

MD5
30f63e982bf28058d9eebb562c1730a0

SHA1
b1cc53f286ef27471c95deb72cf5aadb48ac00e7

SHA256
57ac421650f95483da5b879d8b111cf3cd94ce87a6ad70d65bca1893eb9c1895

SHA512
1477287c63a2cfca5d54d749612fc57d478863f85a622317be0e5cd107fde67280fd82108ad94c6709abd1e13d5a7651e5c5455abb68e5f61d3798b14d109ab8

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
236KB

MD5
8e392c3a298af6db80d9de54523ab5bb

SHA1
141986b515afe17073a7cfe0bfa767cc38b1f622

SHA256
55636a96c32ebe0b01ec7511f354609d8d4319835508441780ef07325ec79675

SHA512
f9a83fdaa78b5fa089c59e7ca8b8308a242f5c0fc50526a82663996a09a3e7f14b2263afbbb61709068e6a08e9cd5de8442d655f60d8bcf48b3664bfa7a4dc62

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
236KB

MD5
76d46b71c53610bfce3572a72e883b50

SHA1
3dd35ffbd2755a4d5576ae718396e4ae4b54c5bf

SHA256
a9e3e28327a6757d39f0593cb2e49a487b6d977f3f071db6f097cc9c5b6a4224

SHA512
cf96aa6db5c5c82d4a43078eb921e94fead9bf9fd524eed8cfd2f33db52ec7c9f3e13d853cfb265f66d6234022dc7625699eee22353df4f4eee3251325c40a09

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
236KB

MD5
c24a3adfd8dbe749de45231817e15d4b

SHA1
c39e750046c84ba2955d60961b9262edfedd00a0

SHA256
a94741d9f97e71e7e0692f5b70b60f5043732f3fb7820a6ba373092f04610225

SHA512
c1250021a943da15f221d3816c50873a17ec78d229a781970c8f006a9519dd5b67bf5cbc41eeef60fe57613c6d7561d5a2a1824e92441177c056e38387dd205b

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
236KB

MD5
09143ccd409d4c87a10be2a284a7c348

SHA1
a4cfa4098cf7ca4f3f35a48db2c3de8bff31633b

SHA256
f8194f52794be608172b05357b85016a3f0c2f8f71b1e47edddfc27f440134d9

SHA512
4e905365e8a5464bf1782fed9d0ed621047ccaef25d3ae97d485f12a34dc3ae54a6f6c3b3c668050fb332c041bf7bf9381e671d5faca2bdd82332c57186ca495

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
236KB

MD5
9126175c3444852ca316ac376ff4ac13

SHA1
6de4c2e273398893fb757d988e882128bb13e524

SHA256
681f833ae3ca481beba0a10466c1b82607429658528dc20f9507442331126152

SHA512
ea5ddac57d1ea2d233ecf8efe5b077c1269699adfc04bc7f4ee077afa6ac9e9cb4be4e583d8bf2de314af4ab17dffd60a330894ab65bb07212908aeb7e6cc3bb

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
236KB

MD5
8cd156037f15789bb72dcfcf30b74cf3

SHA1
39a7633d8220394456adc407da7b0aabdfbaa636

SHA256
0a3dfabd7a65fabef9593c6deae1d9a5c10710e4b05b213a0bf71a67004ab015

SHA512
98c176412075a28294d4514857ab235a1bb4a646ab6159840ec3034801170caf455b7de6e774cc9df0991f9a48bd50ce38186a69de6636826ba8119643090b15

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
236KB

MD5
69f26c897bcfae7ca962804694f5db15

SHA1
66253814cc2fc8ba3439e980a2eae5883e4ba112

SHA256
bc11991d7e8e858ce7c2f1bf86f481d79a4a0ee4946f4f4af04b8a6982a73bb8

SHA512
2a3e8e31ffcbdd8c4f71d170facbb373305c463c8ba9183510cf93313541d1552a2e58e68446af68789957f9ab2e5482ea34a776ad6d3f044f6c7cf522f94531

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
236KB

MD5
995769493311ee447a0d19a8a567ff9a

SHA1
3f86c72206165a1b538b617a18d0ba3dd06b1580

SHA256
36f4385a2f3054d7bbed345c49c17e769aa6637bfa1f149d9b2b8db656b5633f

SHA512
1982240fb048d85310332c7d58d71d48e08c82400091c84bc6e6f4d5f5e1efe7b8160b35cebb95c2f3c05916591efb31ac2f4a9eb51c9aae38b28a0ec7db354b

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
236KB

MD5
870ee4d09c316413d3a3c85e234f3c7c

SHA1
3313a192402234f09550f5b2ef57e9cdeeec269b

SHA256
909bf3812f7d09d409d002a85d3248b3a3bc03348da288fe19689942500fc604

SHA512
34e5a5f7e47c0af7f10ce0c6065b8c4d2fb34981aed2449b139b166f24ba71d8da926af7eb3b62aa885f5a48507088f55f12c864e248cb38f6d7e75495513c25

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
236KB

MD5
8a72d15d002f65b38f5f88822136606b

SHA1
3b87aa32b32db894761363999cdb533d17323c95

SHA256
5b7bb73911502f21f4579ab6b6766be168ddfaf240088f26771430b8b979c096

SHA512
ff3d8d9a2d32aedf78c6bcee82cc8eba8ad6511d61db818b6166027ad0281ab626dc872ff8e56d7a0f2ea6501944ed49235a3be42578fe3743b5d46d7c0161b7

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
236KB

MD5
f89f33bd13e4339bcba236b4a7f01e8a

SHA1
534909bac7a9f03a1fe5d5475fd26f3acb5e8738

SHA256
05ba0bd00798c90b8ad75c6996c64768b4285c5f4434d8b41f03c0d96c4d8e3e

SHA512
e63b67b503464dad52da301e66f26e53eeba70241e3246ca48a71c6656026350abd0e2877103e636b80d6924fa7d890196843964dea79626590ec192c65885b8

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
236KB

MD5
7db5b93cc03df9e13c5f1a970de136b3

SHA1
a2b0f86b2970b0566faf4f85e67b2144d025221c

SHA256
e6de6252e5fd2304a8d0b647a23a815a6ec4eaec19cd4278828918db5165a6fc

SHA512
fa302382fc4dd0dc99cb9700e0cd69b2b35a12a75365fa09c36bb0df5a2337a7256a3b06d81fe5778f724a8e25b97d31a91ae0fecd9916cc93ac4d0462322932

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
236KB

MD5
02c81399c083de0856b8f4322e443991

SHA1
1455cebfb100366175ec44724e6e1a4f77dcc9dd

SHA256
b8d73cc29b2b279bc55192c82429d388f0a6862eab36cc780d1cb573b9aae23e

SHA512
6bc87088d61f7fd8d6cd29f45afdc75fd5fe57ac685737c0452d4d66a0bc77bb50d8c87d699f954f11a5d08c3a5ca0b9ebf05577f5383d43bb0314bdeee03b75

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
236KB

MD5
6bab58a723f040abc12ff2a7c5bb74fb

SHA1
97763b641f14ff6c9a796bc5d57929f3a5002f24

SHA256
71972a6819933576aa14b4838ab541f3000cb3a49841e6ff7630adbd50d4fc78

SHA512
4ae6888bc7a0c901e6c300697e68f8dfc4cc62c0757b9aab766615548765c1da4f86f25b16bddfb6abaaf87b13c36751f1cee568c3853a12e78a2db622030a4d

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
236KB

MD5
247ffd9875db3cd48002f77e3c8ba23f

SHA1
3cd5364b5a7913c83c6f72ffb4ba84874ea4a675

SHA256
d83f8c8083b7d6367958c71515b814c1b912a429a7988fe932cb49a89ff46e51

SHA512
5c2eb5c52b00d26689af46db7f3f3fcee29d59cba73cf0df6b5dbed290a0d9e2a94c0f1a7de3399a13899bde96cd266d81d03fc0ee1f9b6e1ec8ad23521c6b94

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
236KB

MD5
ea9ef463336d91c0935f9d5ba5f97b0d

SHA1
3bebad75a95b15aec2a2b0046e03438e2154928f

SHA256
b44841476ecadf6d3f060160994961f579e0b8aa5e1f2939cef9a20a3fbcbdc9

SHA512
68e3ba1ed5523eff37c178c25592afd281ec9f342ff4e35b5da03fa75de94dea302d35aea632a296e5c367fe11e8eb62417e25aa5758f1430e56763e528952c6

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
236KB

MD5
41ac8284305c5f66e7807316272cd2b6

SHA1
8a1614fc123593af69a767f778789af1f4068d8a

SHA256
ef9339dcfa1c8c9b740c64f269399419f5ec45f509ae50240b2aa0aeda751abc

SHA512
dbe655f4d5715be424d1ba927330504d4a996a0a1e340588a6762d0e0f6ce919718e2210b7a1bda64061ee20d9c4ad4b13e7e92570ea3d603b68e01b131e5388

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
236KB

MD5
0d695abebf0d8025b74d2c7a8c74280f

SHA1
0954cda1dcfa521caf24a418772779470e8cfb6c

SHA256
5c019c6595a5653fccd97c5bd97899aff028e11361034e9ad1d79d75566d7556

SHA512
edaf9b5e2a0294232cf22840b1382a7c22fde5f7d0a0801abe33ee2dde60bb18cc95824f6dc62e1f4e04b8250b6c326a0c575308abd543d8db383d86909b9c2a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
236KB

MD5
1e1bcd0803c502863c95ce8fdb18a739

SHA1
99cf75c7ed054ec6587bcfb07f54e0e723ec3d95

SHA256
bdaed3bbb87af13021825adca27408f029d7f1e3a489e2ff081466b0f5a781c6

SHA512
5494960c1531fe88550a963d74302c607d3fc0862abe88d2ad5f0c00e421cfe52f8c6fd54ab2e2ce6bc042f4304677828e9c02306890fd3a0cdabd1b65ad6782

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
236KB

MD5
0f4c1aa984f295f852ef130a6b8091df

SHA1
906e04add97eff864af903be5bd3901638534bad

SHA256
c071ddb9d1c8fec9388a6ec1ea48516b9b6e223a75d3c3c723a34ac17bab7b44

SHA512
832f1242832cc38ec20fca5e424b0ad027b139ea5a0a16c935c054d08d90a393619f662dd9b6b4e61a289b7a7f8de9ca1b47231e1c1f67055aa8e8009fd85f74

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
236KB

MD5
10c8f612c57789c11e9efe3c28085719

SHA1
89fe5ac2017d043c3403143c15bddda504a7c131

SHA256
ce5d70dec0012151bb54bd2ec1728aa2b1798e9b1942c4423b98b3798035a34d

SHA512
40311d1d3440b5de1aea6b84e3bd5e6a8398ece32085cd1f1c5d00b2ac4db40ca0fe198868e183743991c7b26163c18ac09657827d21aed5ba83c92e3ef61788

Download Submit
memory/648-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/648-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3376-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3376-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads