berbew | c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108

Analysis

max time kernel
91s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
Size

95KB
MD5

051f263c0d956c30b73df56c2ea992d2
SHA1

fca3c683424639b054764b337b64f6b2b8ada542
SHA256

c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108
SHA512

f818961c6118f572c9ab1835a26e310a6e44e68df1dbc563b32fafa908216edfb4a00306340b3842dc4493c81df3439ad89f4caa60b28da3dcef8e3775e47082
SSDEEP

1536:UOpgkSO/SehPm72Rh9lcw7Nu97WjliyDccbRQrSRVRoRch1dROrwpOudRirVtFs+:U4LSq3RhRJu5WjsyVeOTWM1dQrTOwZtB

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

pid	Process
1352	Bjfaeh32.exe
2132	Bapiabak.exe
3576	Chjaol32.exe
2680	Cndikf32.exe
208	Cenahpha.exe
4368	Cfpnph32.exe
3636	Cnffqf32.exe
4264	Cmiflbel.exe
4480	Cdcoim32.exe
4476	Cjmgfgdf.exe
4152	Cnicfe32.exe
2636	Cdfkolkf.exe
4376	Cmnpgb32.exe
3184	Cdhhdlid.exe
3908	Cjbpaf32.exe
392	Cegdnopg.exe
1344	Dhfajjoj.exe
2412	Djdmffnn.exe
552	Dmcibama.exe
4392	Danecp32.exe
4520	Dejacond.exe
1436	Dhhnpjmh.exe
1736	Dfknkg32.exe
5100	Djgjlelk.exe
656	Dobfld32.exe
2944	Dmefhako.exe
2448	Daqbip32.exe
4696	Delnin32.exe
4660	Ddonekbl.exe
4444	Dhkjej32.exe
2436	Dfnjafap.exe
848	Dkifae32.exe
4072	Dodbbdbb.exe
5052	Dmgbnq32.exe
116	Daconoae.exe
2964	Deokon32.exe
1124	Ddakjkqi.exe
3516	Dhmgki32.exe
3280	Dfpgffpm.exe
4028	Dogogcpo.exe
2216	Dmjocp32.exe
4936	Daekdooc.exe
5092	Deagdn32.exe
1296	Dddhpjof.exe
2624	Dhocqigp.exe
4720	Dgbdlf32.exe
2720	Dknpmdfc.exe
4400	Doilmc32.exe
2916	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe

Program crash 1 IoCs

pid	pid_target	Process
4984	2916	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 1352	3336	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe	83
PID 3336 wrote to memory of 1352	3336	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe	83
PID 3336 wrote to memory of 1352	3336	c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe	83
PID 1352 wrote to memory of 2132	1352	Bjfaeh32.exe	84
PID 1352 wrote to memory of 2132	1352	Bjfaeh32.exe	84
PID 1352 wrote to memory of 2132	1352	Bjfaeh32.exe	84
PID 2132 wrote to memory of 3576	2132	Bapiabak.exe	85
PID 2132 wrote to memory of 3576	2132	Bapiabak.exe	85
PID 2132 wrote to memory of 3576	2132	Bapiabak.exe	85
PID 3576 wrote to memory of 2680	3576	Chjaol32.exe	86
PID 3576 wrote to memory of 2680	3576	Chjaol32.exe	86
PID 3576 wrote to memory of 2680	3576	Chjaol32.exe	86
PID 2680 wrote to memory of 208	2680	Cndikf32.exe	87
PID 2680 wrote to memory of 208	2680	Cndikf32.exe	87
PID 2680 wrote to memory of 208	2680	Cndikf32.exe	87
PID 208 wrote to memory of 4368	208	Cenahpha.exe	88
PID 208 wrote to memory of 4368	208	Cenahpha.exe	88
PID 208 wrote to memory of 4368	208	Cenahpha.exe	88
PID 4368 wrote to memory of 3636	4368	Cfpnph32.exe	89
PID 4368 wrote to memory of 3636	4368	Cfpnph32.exe	89
PID 4368 wrote to memory of 3636	4368	Cfpnph32.exe	89
PID 3636 wrote to memory of 4264	3636	Cnffqf32.exe	90
PID 3636 wrote to memory of 4264	3636	Cnffqf32.exe	90
PID 3636 wrote to memory of 4264	3636	Cnffqf32.exe	90
PID 4264 wrote to memory of 4480	4264	Cmiflbel.exe	91
PID 4264 wrote to memory of 4480	4264	Cmiflbel.exe	91
PID 4264 wrote to memory of 4480	4264	Cmiflbel.exe	91
PID 4480 wrote to memory of 4476	4480	Cdcoim32.exe	92
PID 4480 wrote to memory of 4476	4480	Cdcoim32.exe	92
PID 4480 wrote to memory of 4476	4480	Cdcoim32.exe	92
PID 4476 wrote to memory of 4152	4476	Cjmgfgdf.exe	93
PID 4476 wrote to memory of 4152	4476	Cjmgfgdf.exe	93
PID 4476 wrote to memory of 4152	4476	Cjmgfgdf.exe	93
PID 4152 wrote to memory of 2636	4152	Cnicfe32.exe	94
PID 4152 wrote to memory of 2636	4152	Cnicfe32.exe	94
PID 4152 wrote to memory of 2636	4152	Cnicfe32.exe	94
PID 2636 wrote to memory of 4376	2636	Cdfkolkf.exe	95
PID 2636 wrote to memory of 4376	2636	Cdfkolkf.exe	95
PID 2636 wrote to memory of 4376	2636	Cdfkolkf.exe	95
PID 4376 wrote to memory of 3184	4376	Cmnpgb32.exe	96
PID 4376 wrote to memory of 3184	4376	Cmnpgb32.exe	96
PID 4376 wrote to memory of 3184	4376	Cmnpgb32.exe	96
PID 3184 wrote to memory of 3908	3184	Cdhhdlid.exe	97
PID 3184 wrote to memory of 3908	3184	Cdhhdlid.exe	97
PID 3184 wrote to memory of 3908	3184	Cdhhdlid.exe	97
PID 3908 wrote to memory of 392	3908	Cjbpaf32.exe	98
PID 3908 wrote to memory of 392	3908	Cjbpaf32.exe	98
PID 3908 wrote to memory of 392	3908	Cjbpaf32.exe	98
PID 392 wrote to memory of 1344	392	Cegdnopg.exe	99
PID 392 wrote to memory of 1344	392	Cegdnopg.exe	99
PID 392 wrote to memory of 1344	392	Cegdnopg.exe	99
PID 1344 wrote to memory of 2412	1344	Dhfajjoj.exe	100
PID 1344 wrote to memory of 2412	1344	Dhfajjoj.exe	100
PID 1344 wrote to memory of 2412	1344	Dhfajjoj.exe	100
PID 2412 wrote to memory of 552	2412	Djdmffnn.exe	101
PID 2412 wrote to memory of 552	2412	Djdmffnn.exe	101
PID 2412 wrote to memory of 552	2412	Djdmffnn.exe	101
PID 552 wrote to memory of 4392	552	Dmcibama.exe	102
PID 552 wrote to memory of 4392	552	Dmcibama.exe	102
PID 552 wrote to memory of 4392	552	Dmcibama.exe	102
PID 4392 wrote to memory of 4520	4392	Danecp32.exe	103
PID 4392 wrote to memory of 4520	4392	Danecp32.exe	103
PID 4392 wrote to memory of 4520	4392	Danecp32.exe	103
PID 4520 wrote to memory of 1436	4520	Dejacond.exe	104

C:\Users\Admin\AppData\Local\Temp\c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe
"C:\Users\Admin\AppData\Local\Temp\c93bb7b6be4b9d553ba6bbd2811d6cb871f9989459c777d3caa45990987a7108.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\SysWOW64\Bjfaeh32.exe
  C:\Windows\system32\Bjfaeh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\Bapiabak.exe
    C:\Windows\system32\Bapiabak.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Chjaol32.exe
      C:\Windows\system32\Chjaol32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 408
        51⤵
        Program crash
        
        PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2916 -ip 2916
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
95KB

MD5
37476f6170b4fe47de1fa8249d30e637

SHA1
b524defa79b52f95d041c4cd39dc9dfd065d6987

SHA256
a873b3bcbf5f3383df0b8d91e8ef0b0a85b9cf8e599da6b305b0b62aee8ea853

SHA512
7e11238b8b74122da016ecc28cfa60c3c7ee226e0b033aafdfb53558cd23929c3af27763dcee80058d1d16589d0cde5f459fc1fb914292e82e2d8a760eaa73e7

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
95KB

MD5
b913b4b9a3fb92e10c7f5f7f34d32e18

SHA1
f86672e1f2dd4b67e3634184b7ddd8eb79380b14

SHA256
580f4913fca75f5440fe6b3b1cd42d2f9a6fcb6ea9a8d0da3e3cc4e19555240d

SHA512
c4bbe70f0352958fcd554cb84b9ccf4ccdad028b6014e5eb23c36802249cae920f7ef1424d56d4ba54ea381752f52c1c5285fa54b31e90c6be3c0245dc08d39f

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
95KB

MD5
ece557e2bf35ba505dff95a9f6666439

SHA1
f0edb07db39465bb917dfbc700ad3d3ae7a66843

SHA256
3ee6c5b15b27cd623ac5524bfd98a02609f30c356600f3c42e4fa561a7986d23

SHA512
28f2c974e8f905984922587d553383732522ec3ed4a2e6f06af880a44bfcf6f9f6b28a67dd6ca02a17652814f30e5432607ebab7015123147feefb32d6f6795c

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
95KB

MD5
116fe01d18cd9010a6b45bbbfee1082b

SHA1
c39eb8cfd4158c8dd45fa7cd9ddb4c6cd50fc4a8

SHA256
d63281b206ec6d19c63097317cb2058b00d63c6527cd642e5ee2fabc50d1cb99

SHA512
d96aecb75fa07f3b11e07861514404339358b66531d549a34b7b202b74006d861cf8dd4e328a8b20705db682db603a9211d6a29d01b5d072d39818dfe7becb00

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
95KB

MD5
ae38cd4f3035bc3f5d73beb5b765d4e5

SHA1
d31c9342725673e78c426c41daf5d7407c8b1757

SHA256
0fc5af61121f3c8a1e06ce5964400f5b80b7120f7be1450cabee2307f28ab82c

SHA512
058407ff26b2f0e1e6a1f5a881e6c3ceab2d0eda15c628b38ff5c0c1d8531db24f4a29c7719386ffd19d656beab84e18ffad085435aaab5ce0cd6630c724f339

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
95KB

MD5
ad02ad3ab472b51386c9f48d52a8d655

SHA1
ade7c559b1e11245908e8a802e1ee5c46ee77e6a

SHA256
2e81a4af10281be3ccbc94706985a24bc9579509af0ecc718179cbeae9059422

SHA512
77021853ca260d20671466ebfa7a6c524dde87a8fe69e631b79bc8612a16f88f06f97020f6549082ae16a97021ad6d8eccfe7042294349904ded796575906ef9

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
95KB

MD5
55cb3406d418fddd74c93672533efc2a

SHA1
258b0af0509855e2633c310a1f4fe6c419ab877e

SHA256
ce57fcd25d4ddddb0dcfc9895ed629ef59d472c4d9a0635cbfc6252c68d9d57f

SHA512
4f9c03c23b1d1eeb743bb4fd169e8b6fda79bbef86678705571d9c349d4d97330f77f691c4e33404e54264c202b5ce67b6d86a4cdae164ee0c8391abd2d08765

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
95KB

MD5
e52862e8ff48fc7f9d3e3e9aa77c01a9

SHA1
c8ccac3345fa45f004897aa766b99bfec8cf2e03

SHA256
f8fe1b765d10963d43347e8a74c836b9c8d1d8d311047af1cb754bcbb77f42dc

SHA512
9cbec0ea29fbd982859785074073fca78811212f992a2e210fdb8f1607a146dcc946624a1b785232a0b506780195edb3c1a080691d5da582ff131b80824bb191

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
95KB

MD5
46cb990b15f3225de60aee29879ad640

SHA1
cbe01d7ba37dd2c7e5ce13d12f7d2bef52fb9812

SHA256
152dc48c117ef1d4334e1861dbdeba1eb188191c9d8db74f83e7bf4b2da1739c

SHA512
4c93263432824c9136ba9070e8fb66386d6369f7589dec90062f465418ff1ef2c8b971fd6596d4b965f8ad8e41fcde483bbd7c23ad8cc73985e438930b653097

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
4772e3d4ce714db3f39c4322b643636c

SHA1
1a629ea734daebacca08e7163162de5440188a8d

SHA256
f54f7f94b511d308529d7246f2f14765727c51d1cf1fbf671c10fcf00ab87f59

SHA512
c29df6beeaaf933dc11481e48d44fbe1676f3cc5de51119f86f75ccfeefaa8a4a3286f769a3690ba3dbba225e0f9d3d10ae0890190ee1e38fa311fa55ceb3ac6

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
95KB

MD5
0b05dce7ddcfd2685255c2dc68ba5085

SHA1
db5a5646db809e2dfadd53f60d894ddf98480645

SHA256
1caa6c7f76059e9e19587101f6f5dca9f3f291a7296cfe103a4f6c5a577dfac8

SHA512
0a98a6c4ebdcc62d1fd60a5d2fbc6ca5e5b89bcf590b2fd11faa22ba5abfc44f514c58b56e3ec032ff57ee60344458ac9b27153de4e88c2954c23098ecec70da

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
95KB

MD5
1e6be1c8c965ba06766aa53e417097e7

SHA1
f70b7ca19ec670a13ae9cb59733bb01cbefa5525

SHA256
079072d2d20a679504a94489d82a1a1a74dd10d6e606dd82b1e41054973e5cec

SHA512
c0845bfa9e15752e0ca33ff5ac2d0a3875d4abb1ed9920d1a73ac1f056857ef18441bf9392a7714c0a6dc2980c133e6d7b252c16400f6a7176e98fddcb23ddae

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
95KB

MD5
545275c25f527d4059a7d074d71cf978

SHA1
6f0f9ef5d8c8723dd281f95af0709830436774e4

SHA256
f653606a0514a4723586aba5c3596fed85041444ec4c4dc60c9c84c4309a7736

SHA512
62973ca714e0af6e3e53566fc857aa873f94ae2aff647354327357731bc1d7ca624da5d1197aed5faf6583df76e738f448b6ce204906143aaf69ed72227c0cc9

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
95KB

MD5
6f8c05d1f6629bbe79c2fd512e881cf0

SHA1
5cd5761b999131b45aa20dae86639ab834faa9c9

SHA256
c3ce8d3c2d9286c7f47d55c3d79fa271395202515dc20330a19d640e5005974c

SHA512
9e669e26c1bb01356300f8bcbde47a7384198debf59e7f38dd2a68e36fd1072b3af0539d2f6bc3c39846e989a6e45e5ee06b3cf04002fdccf945a1b2d8f0db65

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
95KB

MD5
3ec1c1d9294466a3890a0db6ba9bed29

SHA1
bffd79fa6a378916df346ce5571a07e2282bad47

SHA256
8d33bfe5a554f4e6a065957f2ee0a342ba0824c57cb5ed7d8322324d4977c39c

SHA512
f6d17396b4bf8db4488fed602684f654ebf911e15d16cc957fa729c12974235444878c4fcd01761e0b257bcb8cda87e3b93e75a6451422d9e19e8ecd32029515

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
95KB

MD5
6c87c9ba8df20cb68372c8364f932fe7

SHA1
dc690e07f53a86716bccc704e679bd2b6f98d691

SHA256
0f0a0b51407f8d13388c12190e7d6415585f2ddff21cdf5162d605e2ea829af7

SHA512
0de8c60bc6c7e2254ffab71b927aa4d63851d5b151fb845d6acf3001eda44dd7ed6d3b7c8a54d074016904cb89fb6766ca7a14b44b4621cfc03a389ff08e0268

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
95KB

MD5
60bf48a3c52db0f730adaae1cd3c3bb1

SHA1
7b4ba2a7457288e0bab76cfd7997db569bddff3b

SHA256
fac4047cd77e181d8363abfd1b4534627843631569d68eca198cb622724b8adf

SHA512
87a6692f5f65ffc5a4e677d8df3a152ad4d5c127829da8ff37abdd8a3686bf63e10289097f5daa1f51e81255f9874a74e45d7d29c2926f227ac4c499465e4ebc

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
95KB

MD5
fffadb659f5349bc9f17b9e8d15fdc88

SHA1
e643fd448482948ced22031cbac89161985aa573

SHA256
3fb9b7ca5518e85a5118f1ac584015af311d91bf0caf3dfc2e2f7391fa980720

SHA512
a64b6528a81f7bf9a5ac73565da9af618ed4a4c9405d8e97be979ec75b46fb39022b8dfcbdc59ad4bfc69634ee8b61aa2ddb2f66f0f9cf14f3cdd481b4d1c4e2

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
95KB

MD5
ef5c3c5cf503106d64dd0fa56ccfff5f

SHA1
a848f73ac4cf28206945891989e301e42e19e266

SHA256
e37ca84239f4c001ab50fd1598f437d70a03bde9cd26982503c903b1ab1d69f1

SHA512
d049d25ce85f09fd3f9317a2166514fad294390a0c6c3b10fa4ce3f074e5c4a08a0d914fcefa7619d82780998dfcf521302db39ff41dfdc6d26f936800be8b9c

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
95KB

MD5
c001457864675ffbfc920e94dc6466dc

SHA1
16a9fcf17278e9c0b6a57ea3867b4268b2ad401e

SHA256
a7d5ec0c7cbadfe93e41644fa2da0a380785be9b42347050e009cd20897cf367

SHA512
7f3e3bacc05cde90b4d4f06507954960d6b7531bac37b8a6503ac6fdadaf835b586632c06582940b4e2095c9d64df55a1f4e20099900262b930a16a95576955c

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
95KB

MD5
6ff61b65f6b5a57e9ada11d45b250fb6

SHA1
bb0cbf4f1c611653726c042c9f2f5c44d7e67a27

SHA256
1bb0c4361e7506fbd3bd7ef236a59075a0b6511f979ee11a1d471c7ead919166

SHA512
4b2dbb2f57bc911841b474c2933af0ae41ea1b9c4ecb26d579d0fbfc2256d845ecf0a3df84cce8bd9c0009548ac9a023f2020b58911b8749811a8697d6def529

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
95KB

MD5
ccc155ca21ec3f7ab6112022c9cccfd2

SHA1
0a8c197ce708eafda0539e4a0291e0d83f7c537e

SHA256
e64708c87c5ff01eeaf588c385ff6b190d4bb02938ff178b0bf4a28a22a33e4b

SHA512
dc747d80eed087b8f8d4d16bfb92464bebfa244067bb4b1f5653db0ec3d06c58cb476e18c475751cc32aebb52c8847f2f76d4e9fbf512e74efa098035367dbb0

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
95KB

MD5
783c6cc230168575bbfbcd8eecc642ee

SHA1
7fe58953eb8378868a43c88a74051b24c3930b5d

SHA256
fd628f7209ed8bedb8b667725b63f182754a8db3567fdd149aca3fe3284380bf

SHA512
195aad9dbc95b2b564b661e12a61ca7415193b78bc874fb85b6d50c59ef69fbefc2598200ca7e9968b197f60dee5b87775c465a33d274751495e89c41b8c306a

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
95KB

MD5
c0962a812e9115e5bd96902dad29efda

SHA1
20bd477cc080b1587a98e5fc97a29420d9d354bb

SHA256
690e7e857db62eab5fb79b61fb260e175be7e1d3a72b59042c05813564372a23

SHA512
488637eb93a6587210b2f45aaadcd43e237f27c0f0a4047b179b72cab071e041b48d58df5e9f930bb1a129ba624886444e6fbccd9d753b7405f8bac2110dd057

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
95KB

MD5
0db3226c1daf6c3d8eab5420ab7f44e8

SHA1
150d2c0f8769d3facd3c519762b8bb0842403380

SHA256
8c22892a7bc2914993ddc4af76e132dfd451f244645d3784d75aaba86f61285f

SHA512
e3f23f29717012f1e9c3fb771c9375c377c1ca148cc2a5768cafb56e85beea420438da6af1a49ca0e023c73f4cddd5e6740b4cba52b3b10eb4a107302d250afe

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
95KB

MD5
71b30f6d0955c1cfb895e55d15e62725

SHA1
839d3ca6176a144a42bda983d0d4e2a41d65d2f5

SHA256
bb07459fc9fae04d3423f126c4836dbea1c3ff569c9acc63ca3f74aa3d9b2fd4

SHA512
e1dc8f97518595a5f68122269251f87ab9bd840502237997e1968fe2adfcbba7fd8e44e56ce0e551e3b374f4bad2c4bd778d23ad80c2ea0e50f255eabef46f3c

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
95KB

MD5
9adcf314b652713627533db53e183700

SHA1
43a9d7b90a26ff8afae1875df29ab0caf583ac6c

SHA256
58cb94d877022d71519ccdf2b4b8383f7bddb373c107c958c32c805acacf1adf

SHA512
dda43fb91fbce92b6725085c9544fa883345d3cc0f973339061163e5b693c24bac2e79021f9de3f7654c501a19bb8f1ba7579cc5f61c6f8945bd2ea3ba2176d1

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
95KB

MD5
ee461f5ede229ec54f43e783e3e199ec

SHA1
b147ec72216c7185c5e8e05b481e76f2222f7b51

SHA256
7f33f53dccc2a64bf7cba8396d3ce895aaf2fc660dfecd6aa4094779f76d5582

SHA512
2b6ca43850412bc48403860a158cd641a8864ba8b2fef24535346b89ad312e923dd03d0e7b3ba474c15825034ddf6226ef34a90a301581db59791df0e7f2c07a

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
95KB

MD5
6fe8fa2307f5d124cb58796db00439c3

SHA1
7643f3aa4ce0ee338b256a39afbc800c1d3b176d

SHA256
dde2597d535d5490b637714c19df8aea5a3c70b54db6cef013ba32e53714d35b

SHA512
8d379badd1749fde859a9152581c91a937b0da40d074217794130c3650ea04fd73704e43f9b794b51425f205ca85eee665e736c0924cf89a3eaefb9cba128d7a

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
95KB

MD5
96dff00a756b599233715e77a1fb6b94

SHA1
a2723e529484ea0b3830966dfe245e96a6c807d9

SHA256
ca9a13860982fd2465837455cb39b4d8d530cd705e11a3c135ae04d733a8e75f

SHA512
a47cc228bc32802a38e0bf78332c3d9591ca40fabdeaf15312ac7724c4ff6cfb099ab963614d8a78690b2c3e34f2ca0218b053ef955d7ead08fa7e23930682df

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
95KB

MD5
d5f46010fc822bee4000572a7f575bdb

SHA1
13557430f5dda63f59f3fab47f2081b9b92280a3

SHA256
0e694ccd307362d3accbec23fd1f7929af115a8ff5d5acf62ef0906a0643e9a4

SHA512
05c30667a325a8cd4cfeec36f92eda81965b9cb242c86477e69ed852f847649868271d5e01ea33f255b1258759db2f947386322ce0a45c8d693069ae42a704c9

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
95KB

MD5
c9daf8762b32262a63536fdbe59e7211

SHA1
0924b17cb6a5d97241d002bfba3a4c2d6c1d04c1

SHA256
abc2fe16ccf803465a0cdb71ebf8664e430a5ac828d6404dcd15250693f0396c

SHA512
dff8cf5b9f15627ff120b3dd2b34f32a4e5b4855abe3cd9fb81cfb1146cdcfc0563ad55782372d382d316eb88eae27a8aaf4262b866dcedefd6a67e7235e2c69

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
95KB

MD5
4150bd99005dadf157ff68c0910672d9

SHA1
767f1ffce117bfa8248cd71a1e4da9a1a551ede1

SHA256
35cb3119a1eb8576e73fddb252f8b0d4c161c65243adfb309553f4b7bc5596ca

SHA512
30db8ba76b2c42672a4a9f75f06d28e149aa2707e74615e024884b7771d14a22bfc798bc69628de6594f1f1f2ca708b70c22c2fccb4bc24660f3ac9b96efa752

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
95KB

MD5
3249137a9712117573061dc928fbcf7c

SHA1
924d0d9667fa5f59c73b598c44e1f5a9b5a2ebee

SHA256
08beca5a01a557f4906e2071ae37b58bcc0a960cb6f8502e9597a438f0e33b60

SHA512
334f9a90f7d4f8d23b2135ebcdb461542bede531f888ee32b031f8ecc5d17e3e7abe21672932a0c530b9f2d8b4c84d75e58d882bfe452d67771d4356b6745faa

Download Submit
C:\Windows\SysWOW64\Mkijij32.dll

Filesize
7KB

MD5
a77034592f05b46df864bfb9665f44fd

SHA1
f0ab9e15aca05b02a9a107d2853a082ad6fee9a2

SHA256
22d73302c392d2327042b0155a072425a837a99d79b569318944b0bdf62431c9

SHA512
ee28a4dace76d2c2e92814c6a1e498736c8de808e23658497c337dbf04a8860fe52d38e56958eeaf34acb9dbf5bd26d18cbb859e6aeb1b60bfdbaf3e5b9f7401

Download Submit
memory/116-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/208-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/208-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/656-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1296-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3280-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-147-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads