berbew | d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
Size

96KB
MD5

bb1649ec58cb3690008eb6e2253b1452
SHA1

4da112fb6627a5407110fb5c96e8d5ce622a95ea
SHA256

d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f
SHA512

4b0e39a35007cefa2d6d7ce5ed3096ba473499ff5f5af52da7f3f070e5ec9aac62f10a32d8d823fa562baa8b47a38799074e34d9fc8495544345b227a6ef31eb
SSDEEP

1536:IxHE+4P/zTdI57LQaL2LbsBMu/HCmiDcg3MZRP3cEW3AT:I6P/dC4ba6miEH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 30 IoCs

pid	Process
3872	Belebq32.exe
916	Chjaol32.exe
4996	Cndikf32.exe
3520	Cenahpha.exe
2200	Chmndlge.exe
4828	Cnffqf32.exe
1456	Ceqnmpfo.exe
4352	Cfbkeh32.exe
3408	Cmlcbbcj.exe
1676	Ceckcp32.exe
1468	Cfdhkhjj.exe
2400	Cnkplejl.exe
4564	Cajlhqjp.exe
3388	Chcddk32.exe
2184	Cjbpaf32.exe
224	Calhnpgn.exe
3424	Dhfajjoj.exe
2232	Dopigd32.exe
4972	Dhhnpjmh.exe
2880	Dmefhako.exe
5008	Delnin32.exe
3768	Dfnjafap.exe
1344	Dmgbnq32.exe
3348	Ddakjkqi.exe
1984	Dhmgki32.exe
2192	Dogogcpo.exe
1732	Daekdooc.exe
5068	Dhocqigp.exe
632	Dgbdlf32.exe
1816	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4452	1816	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3872	2112	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe	83
PID 2112 wrote to memory of 3872	2112	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe	83
PID 2112 wrote to memory of 3872	2112	d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe	83
PID 3872 wrote to memory of 916	3872	Belebq32.exe	84
PID 3872 wrote to memory of 916	3872	Belebq32.exe	84
PID 3872 wrote to memory of 916	3872	Belebq32.exe	84
PID 916 wrote to memory of 4996	916	Chjaol32.exe	85
PID 916 wrote to memory of 4996	916	Chjaol32.exe	85
PID 916 wrote to memory of 4996	916	Chjaol32.exe	85
PID 4996 wrote to memory of 3520	4996	Cndikf32.exe	86
PID 4996 wrote to memory of 3520	4996	Cndikf32.exe	86
PID 4996 wrote to memory of 3520	4996	Cndikf32.exe	86
PID 3520 wrote to memory of 2200	3520	Cenahpha.exe	87
PID 3520 wrote to memory of 2200	3520	Cenahpha.exe	87
PID 3520 wrote to memory of 2200	3520	Cenahpha.exe	87
PID 2200 wrote to memory of 4828	2200	Chmndlge.exe	88
PID 2200 wrote to memory of 4828	2200	Chmndlge.exe	88
PID 2200 wrote to memory of 4828	2200	Chmndlge.exe	88
PID 4828 wrote to memory of 1456	4828	Cnffqf32.exe	89
PID 4828 wrote to memory of 1456	4828	Cnffqf32.exe	89
PID 4828 wrote to memory of 1456	4828	Cnffqf32.exe	89
PID 1456 wrote to memory of 4352	1456	Ceqnmpfo.exe	90
PID 1456 wrote to memory of 4352	1456	Ceqnmpfo.exe	90
PID 1456 wrote to memory of 4352	1456	Ceqnmpfo.exe	90
PID 4352 wrote to memory of 3408	4352	Cfbkeh32.exe	91
PID 4352 wrote to memory of 3408	4352	Cfbkeh32.exe	91
PID 4352 wrote to memory of 3408	4352	Cfbkeh32.exe	91
PID 3408 wrote to memory of 1676	3408	Cmlcbbcj.exe	92
PID 3408 wrote to memory of 1676	3408	Cmlcbbcj.exe	92
PID 3408 wrote to memory of 1676	3408	Cmlcbbcj.exe	92
PID 1676 wrote to memory of 1468	1676	Ceckcp32.exe	93
PID 1676 wrote to memory of 1468	1676	Ceckcp32.exe	93
PID 1676 wrote to memory of 1468	1676	Ceckcp32.exe	93
PID 1468 wrote to memory of 2400	1468	Cfdhkhjj.exe	94
PID 1468 wrote to memory of 2400	1468	Cfdhkhjj.exe	94
PID 1468 wrote to memory of 2400	1468	Cfdhkhjj.exe	94
PID 2400 wrote to memory of 4564	2400	Cnkplejl.exe	95
PID 2400 wrote to memory of 4564	2400	Cnkplejl.exe	95
PID 2400 wrote to memory of 4564	2400	Cnkplejl.exe	95
PID 4564 wrote to memory of 3388	4564	Cajlhqjp.exe	96
PID 4564 wrote to memory of 3388	4564	Cajlhqjp.exe	96
PID 4564 wrote to memory of 3388	4564	Cajlhqjp.exe	96
PID 3388 wrote to memory of 2184	3388	Chcddk32.exe	97
PID 3388 wrote to memory of 2184	3388	Chcddk32.exe	97
PID 3388 wrote to memory of 2184	3388	Chcddk32.exe	97
PID 2184 wrote to memory of 224	2184	Cjbpaf32.exe	98
PID 2184 wrote to memory of 224	2184	Cjbpaf32.exe	98
PID 2184 wrote to memory of 224	2184	Cjbpaf32.exe	98
PID 224 wrote to memory of 3424	224	Calhnpgn.exe	99
PID 224 wrote to memory of 3424	224	Calhnpgn.exe	99
PID 224 wrote to memory of 3424	224	Calhnpgn.exe	99
PID 3424 wrote to memory of 2232	3424	Dhfajjoj.exe	100
PID 3424 wrote to memory of 2232	3424	Dhfajjoj.exe	100
PID 3424 wrote to memory of 2232	3424	Dhfajjoj.exe	100
PID 2232 wrote to memory of 4972	2232	Dopigd32.exe	101
PID 2232 wrote to memory of 4972	2232	Dopigd32.exe	101
PID 2232 wrote to memory of 4972	2232	Dopigd32.exe	101
PID 4972 wrote to memory of 2880	4972	Dhhnpjmh.exe	102
PID 4972 wrote to memory of 2880	4972	Dhhnpjmh.exe	102
PID 4972 wrote to memory of 2880	4972	Dhhnpjmh.exe	102
PID 2880 wrote to memory of 5008	2880	Dmefhako.exe	103
PID 2880 wrote to memory of 5008	2880	Dmefhako.exe	103
PID 2880 wrote to memory of 5008	2880	Dmefhako.exe	103
PID 5008 wrote to memory of 3768	5008	Delnin32.exe	104

C:\Users\Admin\AppData\Local\Temp\d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe
"C:\Users\Admin\AppData\Local\Temp\d30f71b73a1f95c0ecd10b9106257474a5932a9584408ca463bcac0b2abc8d6f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\Belebq32.exe
  C:\Windows\system32\Belebq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\Chjaol32.exe
    C:\Windows\system32\Chjaol32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\Cndikf32.exe
      C:\Windows\system32\Cndikf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 400
        32⤵
        Program crash
        
        PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1816 -ip 1816
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
463e9653d0cabf7a1ca6b925dcd087a3

SHA1
fb4ed94a33b5edd861e9eacee07922d20306a608

SHA256
cdbfa75220703aea3be6cd4180baf8a6c972e37b0fdcbe1c62036ffecbc3b520

SHA512
ea98b5a39242ee07b723677d48d8518b4b2e9ae4d3984139382228861c767b03a5336a7e940e3bd51e0688d466f85110f38dc35fa3bfcdf9a24c0ae594bff7ca

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
9a1f4dc8e3623be016f10296756a5393

SHA1
639cba44c9eb7567f65889835e52f4133188e16d

SHA256
b8eb678ad8ab1e16c9af43e579ac154ce233b12cfed4575243f62595f8613f8e

SHA512
2ad7e46d7774128f65e707ee2ffb4bb3bef67860143986fdf8e9198ac44ba16d7f40f240c949bec0e00107eaf1ed5cf6057df20650359485d333225f420e851d

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
68c52bc235852efd35acf15e2f781f62

SHA1
2c0a3122fd96574852d9250dae9bbc562e52b758

SHA256
392c8dc80e52e387e1c7d7cdbed5953e19dc3bb114f9c7dd47784c0d67a9aad9

SHA512
15ed91792d49536f6f6aa36dc781515b68b1676145aca46dd9418747de964f228ba703dd33e11715f551a6ab376b53cc78fcba245fef582daa9fc84eda7f9409

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
a31ead44c5a1c9f20d29ca39ed7a2efb

SHA1
edd66128b53583ae5d28c933479a17e2a3e028ff

SHA256
46db464c1c080c9e0ec5cc64a40d112eb8d7170ae5b1605eb71b8d7950cf21c4

SHA512
30b641573b808bf44910944aa35eb847a3171a3232654bc5168d11e728278e81525b3afa9bcb204874e152a124a8863315c541c47cfac884e6dcfe69fe7e37ee

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
96KB

MD5
08005eb6886a47f52b7b8412a06482b1

SHA1
59c569c05bfadadbf3679f552aef813adaad7110

SHA256
d4540a4abef289af053c5d64e60b3fa9e80ef14035fef12483b72c4da3b77da9

SHA512
07625cfd8ac2798a22238f3c0aa3309a6337486540f6dd1345b8cdd22710c870951c6232d176c645a624a3813c5298776135ec96191d07db555ba9c04feb1e75

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
0aa72c7dcce03a416ed4ed0f5392f345

SHA1
b943ba81545a1894d8ea42b245da95adb84471bc

SHA256
9188302be63cf8606878f57b1955c8b7cd6b9566b86158e21a734e2991dff1bd

SHA512
b21e8df6abadb5c98748db1e6cc84915e639533d106ff86d5b2f5281f148b6db0b3633bc4f28a00fee31a09fefe9b4c8f3d802dfcb3efea2740da6e8e9436edf

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
a9c089f942d68014df21582b4776d09e

SHA1
18dde1a5f66e43423d93a003df973c4ab2ce61e7

SHA256
a24665e08d797d2e60ed0a4958c61c8ef9c1409e98419f9dcb056b3164811676

SHA512
e001472b5b202889e633b7b6d551895af471a5be35bf7ccc449331547cbacfceb06a16fb723f3d283fca47aedb0a76428350c3103af32ac8c360e97828ccd94a

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
3a27c6cc151ec3c8c80bfa1e7abf8cfa

SHA1
20d88914071fdc39b88a2b12cb053ff28cab8115

SHA256
ba8ee34cbd14a5c1e88b80f0b304ef6ab266400a106609d3aa8571feb056e9d7

SHA512
c651cd7486cf0631654b7f46706efef4c08475922a4f2dee4b69e1728a030442e51348dfb385926021b20d3811ab7058e9545b77211bc136807ceffc9faf82e2

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
5e792c2dca82522aa1e02a485b98f26a

SHA1
686cbd8cec3058775128b8ef392c6a7b6ab97807

SHA256
153c97c94540899140945d8538abbb0ebf37f9b30a5e57cab6bd38e0f901df4c

SHA512
b0c12386c7a07574a0a74bb66402f077b5dc08298d6b12181388de3088d6b560a0eb8f4628d1e0907cd811cdb972e0ca92cf262b8da4ae35df141f970d033520

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
3eba0d81d8d3614cee360367b6357bc1

SHA1
b20a5b5cf980cf66610fd321a8df0940f49b220a

SHA256
e3af370ee801951edcd0cfbdaf206a6257371c5a8604239523e300ece4908535

SHA512
8b0a293bd55ccb4cd1fd0448ea17bb1220038ff96527aebf560750b166c7aeb0d00db20f2d60fcb954e4c855e0fac96e4d62fbf867f27b02a17abec48c9c1215

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
07c0dcedde0240152adf401a25a59b12

SHA1
9116cccef8a06b9db01a030850de7de40d80c714

SHA256
b3c46a309a9abf6e3f328b1947b3c47f6fc360625275287d5d0665c85ce9b045

SHA512
9fc74631fcbdddb8b69638777160f3f6de8be9466fb0a51f15273f18065b839893c3c2ca98fd28fdd16cb04a0f08d2a8929cb865537ac409bbe4532ebfb6c9b5

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
96KB

MD5
60765ed61228b763ddfb73237706965f

SHA1
868e4b22637faf48e92d1045c0d5570ce72f04f2

SHA256
241b8eacf623d59ece84a26ab5c2cd9204bee40cc583378bce3149c6e40ce3a0

SHA512
0eea4798851eda20504cd0e621570f3b1ec422edba73a6dc96f2eb86b6a9b1f54647caab0a5f60d7bb39182dcf262ca53bc2f2ff5a20c2e0d934e12fbccd4d3a

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
ddc36b8802515d42a0ad2af032d42d04

SHA1
ad790356f769edd2372769c3ee4e3f9a6ac11664

SHA256
902841b2f84802a5076d22f2f9b4ac79fab9a5a8554e883213b0f64deaaf54d8

SHA512
a8d4aa8aa01ba39f97865a0a78dbcf05acf2d07b77f35537148e61410874e780bc0e7ec0e40661377c921174d1a2f341d26031d9b3a42871ffa9b823e614494a

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
96KB

MD5
4084881c441e43f573b5a047c13a3513

SHA1
5c8cc31e0da54d59a94a0d198db9f25091ac9ac1

SHA256
becca816516b0a49298e3a752910766bbbc8c0db42043b15319869beff49deca

SHA512
2961e06dd61d986448ef403e9d326894b2fd272e48682bcda2b356af8e96c4618c4fcec949adbb08241eda36089cde04853568cacd6317f402f57173184cba21

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
60c5128d70029c67caa8dec97d5b4b3c

SHA1
1956c6a5feb6b3472fc77c8b447557e514e927b6

SHA256
e5dad14bbe8ff0a7621ae7d05bff9c3746f62a58b0612e6b2a503a46a8ae45d6

SHA512
0b8caa92f9c04090e0d05492ca69e5e97964736fdba2a51364f0cbea689587d3fb56cc11ba7dc4c7ed6ce5386ad96b8561f301340c7a8239c75d96353e37afab

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
fd88e8251b4dc7b172df7799c7bc82bd

SHA1
9725a22e0793f462b656668098fd85a699bf6144

SHA256
10f5a6752c7fdafaec37df3ea51ea311c5c729b9b10604af10c40ff261fe7aa9

SHA512
63cd156bc3f5627deb07b421102c9ce6a565c37299a0ad6c93183ecf69d6f33029d12e0473993bee84e6da17ae5813ceba0bc136e787603e35bbb779b4ad735f

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
71163ae60bcd53fc505f5b486baccda9

SHA1
56f969798b67cb672212dcbed0cefeed11ca6814

SHA256
583e6be15303f918d8f765589afba88bfe466508fc1d3a338c7fa24605820851

SHA512
ed68f545987d957f830d2e9ba402360e8fa90575fc7caad94570b047f967df6413b3e71097d9634db89e1de38ab03a78971a14f9441ec9cdd6e66247ab837125

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
e4c51692e4361c6d2d6eccbbb7409142

SHA1
63ecc78190e30232e44fe38017aba27229ddd21f

SHA256
e77c9dd47e1731c348af1ec8d111628e8fb1716592c9f6197b8e3c51d50ab136

SHA512
572cfe8b87206e9a17f7eb05a2ce9aef1a0a5779b89fa401b137fea3ed86814c9f152f681632a63b796c708e0d3fee84682cc76c06e404439b19079a1dda33a6

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
fff43ca54c2481c950e7bc7ca04b5edf

SHA1
20fc2b8aa4af629e32893b67dbf840591f214859

SHA256
2fcb2e1aa1ff6240624687e1f3d3563b3ad7c2975357bc0ead5cd054531af781

SHA512
fd18169627bdd2e06720419e3a2c38db6abd5410702eca6eef785d82eb092e31518391989d4a1ad80cff33e0cc448517dc1d197d10c92b668847aeabcc989391

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
2c116b0ac93b96ae773dd7c40a0da371

SHA1
03ab629b84432866a5cfec755b6c07effe3ac102

SHA256
0a5ca40c63aa8a004ea08f40945c9906dfd84e2479c0cc48af53083f56b047c3

SHA512
e9a7b319f99d4b264b0eae8d7bfb1777ad09e36467379f243d9b6f18cbb63982802e1a77bf9592b13bfd12a2246ae2eafe7265580d0f180eefdb707940450a89

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
58d7fec87fbd62c73971180617f738c7

SHA1
681a35100eca2815e4f7d8f8238981aa63b0f00a

SHA256
53f34bc099a01737b032e236ae5b722a5358750edac1e48ad9ea4dbe97ab1032

SHA512
593db6b68390dd11e3ffbb88a085f0f347346c4bc3011d134e4b553a48a247661d2e2ff0e688a5ba12e84c16de21a8a83f1506637c369ccf4dd7ca2aea8002b7

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
50d3e85a357f6ef0caed28399d607def

SHA1
9d9fa7910733cccd51ef33499f9bcf10bd290e31

SHA256
54bec70dd9e2a3f38369f90ec6a00e9b7a8683afa46bc9ad7295c17c8b4b665a

SHA512
1d3c186e18f5b891df78bad9f92f1f156c5519203d44d3afc54a9b09618c0090538b3ca7452b4d68c4e64aca8af7887a7291b803d1e810a1b1d7f663a4640d35

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
25fd08cbb960c4b2132fe3014f42cb5b

SHA1
a69bbc9b01768b65309a9c07d6ee6433ce789c67

SHA256
e68bb3f54f8aa04803b1fc631ab4d90d7a8875db1afb225bacdcfe7b2329beaa

SHA512
1827676306abe10995d2050521c35f789d96041c2b218d33dbb71997ca34125e8ecef77665d4549fedb78042967aba89f2b2620800c1c35136d8f8e6d88af893

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
aeb1787b412dc79085891fc17064ee47

SHA1
d77c196eb2c019d1e2f25324f031025020f13221

SHA256
87461bde3ca087ed487c9290c1518aad8ab08c6e98a14a2060caf0303aa4f58f

SHA512
19919fdc4a333fa2c0eb7be9e659f07cb2cfd8a01756cdbc21b2ff55836a5fcbec8258452a2e3983977d010f012c027c214a037487966acfe01c410d08d71323

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
1c3b377e76a4c342e4188161d259d681

SHA1
a5eb9390bfe8a8a5a68fc8f859a44ec41e8c0e0f

SHA256
033cecf273d97f7872f19d37ad487a0a0452d12aca867bb6564cd701aeedae4e

SHA512
8eeeaa42c966d282d2d4a94867b9b8aa4cf3c2748b4c672fdb39c3914c860d6184b57efc49e2a779837c5dc2ca126e59ac2d7bb5a2e84f3b313a30021f4c620c

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
8340d0b89be9b34d801ffd3ca57e200b

SHA1
db0e33f3748b0526d096f524bdddda653f22ac46

SHA256
8332763acbec74ab4f8bad87a118ab8404a1cc448868beb6c21d1be57e4866c8

SHA512
9a1b776fd28b731665981ba0904c6d97c564f9d147dfe39f9b573c05a9429d27d497a22013ad681c919a25eb2c878546c879de7e4403d61708952f3224f049c2

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
58b05d31a669dfb134bc766498c28109

SHA1
18c040525c5f5f1dbc1b0cf94ce19e7c2e3da4aa

SHA256
59d0d051f87542c83c9301edac321d1bde118a739eff77b6b010ab2c1ec4b033

SHA512
aa201f95dc567c8f17ac6e6d08163b3225b957fb58d995469a64249a63bf8ea5a3656b42764bad688795b211911326d4d42bc30a073119d7f46b2cc97ce9d376

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
516dc3b93261539806ebb35b41ee83aa

SHA1
cfd132fe537fc5b434b1c6ef07417b8f2ff07467

SHA256
37012a307c35d02afa69ab405fa853e535eea12ddfa583d410bdb4ab5dad121d

SHA512
6bd3a11b017d5bca46e8b3b12d776e8eb7c3c2d453636c95922a1b71aa67f23c57e38b38593f6e2c7e79ede64a2a483fc18b9b4a30e8b71dbdbf37326e1585c6

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
9329a753334af3867289cfa37e21ca3b

SHA1
c7dd02899df7382ced9a3d8febef69303909bf13

SHA256
dcfe2a1c2065792c058350340eefdd406b8039218e9bbce7bbf0ffe94a5b376c

SHA512
89cff0459599f6b33fe1ff361e602d1650d7eaf3e35472ae4175df01dc43eba249dce2e4b0a9f63fc703e5932c4862cdaee0bab078764e0b861b29e93c8fe336

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
25ec1886c0780531af29947dbdee2896

SHA1
8db66c9aaaa88cdb5f7fd5142fa609a9f2c296f8

SHA256
f6f01a475d9cc990797022fa2b0eff57aea36f931a535817f320e4163651a7d1

SHA512
5eabfea92094ce9cf6d561a1fe1dc3a5665233fdf6208f887f0327a00d40a62eab02565bb08cdf8470ba4f8fabc7c159ebe57b106a35a0db56f22ef0b551512b

Download Submit
memory/224-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2112-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads