berbew | 9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 18:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
Size

64KB
MD5

bcbc8bb5d3219362a7e58b6ac06e2c40
SHA1

7d094e31bfb5106e268ab454de7c82d34dd761cd
SHA256

9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725
SHA512

a5c3ae22d6d54ec729ca9e8a27cd57b9bbdb8cde08dd777ec057376fcc55cf71cda72ffa9d303f636c34df2561c3eee93ba7aaf4dac0e5f1c8117c7204e81860
SSDEEP

1536:IlQoiVjDNmQhzVnDXPD8dvZG4tFqbgyTZgNtv:Iz2jT7nDXPkZZtFkZgT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
760	Bfhhoi32.exe
448	Bmbplc32.exe
1616	Banllbdn.exe
3936	Bfkedibe.exe
4764	Bmemac32.exe
2348	Bcoenmao.exe
1244	Cfmajipb.exe
3204	Cmgjgcgo.exe
1248	Cenahpha.exe
2436	Chmndlge.exe
1348	Cjkjpgfi.exe
4108	Caebma32.exe
4988	Chokikeb.exe
2784	Cjmgfgdf.exe
2192	Cmlcbbcj.exe
5004	Cnkplejl.exe
2104	Ceehho32.exe
3504	Calhnpgn.exe
2988	Dmcibama.exe
4068	Ddmaok32.exe
3172	Djgjlelk.exe
3964	Daqbip32.exe
1460	Dhkjej32.exe
3744	Dodbbdbb.exe
4860	Deokon32.exe
3240	Dkkcge32.exe
4940	Daekdooc.exe
2668	Dgbdlf32.exe
3376	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1872	3376	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 760	2884	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe	82
PID 2884 wrote to memory of 760	2884	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe	82
PID 2884 wrote to memory of 760	2884	9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe	82
PID 760 wrote to memory of 448	760	Bfhhoi32.exe	83
PID 760 wrote to memory of 448	760	Bfhhoi32.exe	83
PID 760 wrote to memory of 448	760	Bfhhoi32.exe	83
PID 448 wrote to memory of 1616	448	Bmbplc32.exe	84
PID 448 wrote to memory of 1616	448	Bmbplc32.exe	84
PID 448 wrote to memory of 1616	448	Bmbplc32.exe	84
PID 1616 wrote to memory of 3936	1616	Banllbdn.exe	85
PID 1616 wrote to memory of 3936	1616	Banllbdn.exe	85
PID 1616 wrote to memory of 3936	1616	Banllbdn.exe	85
PID 3936 wrote to memory of 4764	3936	Bfkedibe.exe	86
PID 3936 wrote to memory of 4764	3936	Bfkedibe.exe	86
PID 3936 wrote to memory of 4764	3936	Bfkedibe.exe	86
PID 4764 wrote to memory of 2348	4764	Bmemac32.exe	87
PID 4764 wrote to memory of 2348	4764	Bmemac32.exe	87
PID 4764 wrote to memory of 2348	4764	Bmemac32.exe	87
PID 2348 wrote to memory of 1244	2348	Bcoenmao.exe	88
PID 2348 wrote to memory of 1244	2348	Bcoenmao.exe	88
PID 2348 wrote to memory of 1244	2348	Bcoenmao.exe	88
PID 1244 wrote to memory of 3204	1244	Cfmajipb.exe	89
PID 1244 wrote to memory of 3204	1244	Cfmajipb.exe	89
PID 1244 wrote to memory of 3204	1244	Cfmajipb.exe	89
PID 3204 wrote to memory of 1248	3204	Cmgjgcgo.exe	90
PID 3204 wrote to memory of 1248	3204	Cmgjgcgo.exe	90
PID 3204 wrote to memory of 1248	3204	Cmgjgcgo.exe	90
PID 1248 wrote to memory of 2436	1248	Cenahpha.exe	91
PID 1248 wrote to memory of 2436	1248	Cenahpha.exe	91
PID 1248 wrote to memory of 2436	1248	Cenahpha.exe	91
PID 2436 wrote to memory of 1348	2436	Chmndlge.exe	92
PID 2436 wrote to memory of 1348	2436	Chmndlge.exe	92
PID 2436 wrote to memory of 1348	2436	Chmndlge.exe	92
PID 1348 wrote to memory of 4108	1348	Cjkjpgfi.exe	93
PID 1348 wrote to memory of 4108	1348	Cjkjpgfi.exe	93
PID 1348 wrote to memory of 4108	1348	Cjkjpgfi.exe	93
PID 4108 wrote to memory of 4988	4108	Caebma32.exe	94
PID 4108 wrote to memory of 4988	4108	Caebma32.exe	94
PID 4108 wrote to memory of 4988	4108	Caebma32.exe	94
PID 4988 wrote to memory of 2784	4988	Chokikeb.exe	95
PID 4988 wrote to memory of 2784	4988	Chokikeb.exe	95
PID 4988 wrote to memory of 2784	4988	Chokikeb.exe	95
PID 2784 wrote to memory of 2192	2784	Cjmgfgdf.exe	96
PID 2784 wrote to memory of 2192	2784	Cjmgfgdf.exe	96
PID 2784 wrote to memory of 2192	2784	Cjmgfgdf.exe	96
PID 2192 wrote to memory of 5004	2192	Cmlcbbcj.exe	97
PID 2192 wrote to memory of 5004	2192	Cmlcbbcj.exe	97
PID 2192 wrote to memory of 5004	2192	Cmlcbbcj.exe	97
PID 5004 wrote to memory of 2104	5004	Cnkplejl.exe	98
PID 5004 wrote to memory of 2104	5004	Cnkplejl.exe	98
PID 5004 wrote to memory of 2104	5004	Cnkplejl.exe	98
PID 2104 wrote to memory of 3504	2104	Ceehho32.exe	99
PID 2104 wrote to memory of 3504	2104	Ceehho32.exe	99
PID 2104 wrote to memory of 3504	2104	Ceehho32.exe	99
PID 3504 wrote to memory of 2988	3504	Calhnpgn.exe	100
PID 3504 wrote to memory of 2988	3504	Calhnpgn.exe	100
PID 3504 wrote to memory of 2988	3504	Calhnpgn.exe	100
PID 2988 wrote to memory of 4068	2988	Dmcibama.exe	101
PID 2988 wrote to memory of 4068	2988	Dmcibama.exe	101
PID 2988 wrote to memory of 4068	2988	Dmcibama.exe	101
PID 4068 wrote to memory of 3172	4068	Ddmaok32.exe	102
PID 4068 wrote to memory of 3172	4068	Ddmaok32.exe	102
PID 4068 wrote to memory of 3172	4068	Ddmaok32.exe	102
PID 3172 wrote to memory of 3964	3172	Djgjlelk.exe	103

C:\Users\Admin\AppData\Local\Temp\9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe
"C:\Users\Admin\AppData\Local\Temp\9dd1dccba27188bbd085db6be083201711ab6d2be7665e6cf3510e6ee9d3c725N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Bfhhoi32.exe
  C:\Windows\system32\Bfhhoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\Bmbplc32.exe
    C:\Windows\system32\Bmbplc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\SysWOW64\Banllbdn.exe
      C:\Windows\system32\Banllbdn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 408
        31⤵
        Program crash
        
        PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3376 -ip 3376
1⤵
PID:4304

Network

DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR
DNS

133.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.81.91.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

213 B
157 B
3
1

DNS Request

4.159.190.20.in-addr.arpa

DNS Request

4.159.190.20.in-addr.arpa

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

355 B
5

DNS Request

197.87.175.4.in-addr.arpa

DNS Request

197.87.175.4.in-addr.arpa

DNS Request

197.87.175.4.in-addr.arpa

DNS Request

197.87.175.4.in-addr.arpa

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

133.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

133.130.81.91.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
64KB

MD5
4ad75e30d18f75b1ac7b1e7be5461dca

SHA1
d1cceeba056e1a73c44d5e42ca37eca79c2eb42a

SHA256
282a4ad19bf63e1c9b9098e9be4a7fc9b30e5bdf3d9b53a563e34c3daee0a866

SHA512
73712ef12ed9253c050a1d166fa9fb72b9be1c836ae9c37afdde2b0de623b74efa4eacfac472887f23fc95568e8ffe288f630941439145fe98b98d9ab8ab59f9

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
d730987a9cfae4d94aac42f99a946857

SHA1
18471da231bc76f7e6026e226417af5ae2676267

SHA256
90d00d45fcadb0ab9be4c375ed1a8ee341889462108305b107dfde63992ee4fa

SHA512
dd84aa73c268d763f22e1ea2dfc9a615667263075fc303f31a722739fb323eacc40c48b1c81bd3e3bf11b367a477fb264aa5ea6462931fece9b89b25cd681539

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
64KB

MD5
e26902dfb37de892fdfe858aa6f27d72

SHA1
9ffe6050376f10b6991939cbd38de6980198ea38

SHA256
e3e335b1bd851ec6185448fd06ba1a945abcb4b3e9ffe235db3595aa390b9ef7

SHA512
ab9ed6d5380be5199fdff36d173091e8a5313384eba7f43dfc5c1eaa25230942438c3bf98ecb8c39c9d6b00fba455c4901272bd55a1ce89ef274060b0ce228ce

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
64KB

MD5
1fb47e45bcf86008af46f4126165d481

SHA1
9004d337e5c29ad51b8575723d42d895b7c44c5b

SHA256
30dc2fa52aa4c4e416609d4f04ea0bf747711de7476c18f529a4efd70faf8abe

SHA512
225fa7ba321e11354e70ee45b7742815ce34e9c069d6a821f08d403452b40ad6bb0edc9853d5aba36609f1b897ebe261a746b3425777e1d25cda9eb9fda439cf

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
64KB

MD5
30e8dea02169654e8c284f919bbb7e8e

SHA1
e090cfa7e9d15afef9149c31072148e90102d7da

SHA256
bd384d58ee79f67246d4bf25b93755e534d26e34c52e9eb4b44c7a19afa36cf9

SHA512
c3842f9f756be844f6e3322e779e6c6e10a73865c88e3fba5b28354b2ef768c528c5ea5ea1342b5fc6f7979874f9c46007eb1240125b291c09e146de4742c145

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
64KB

MD5
e70424a5153cf3c692bfb8aaa7455d16

SHA1
85677dd5afc09dda68f31b219e14ea49abc401cf

SHA256
a173f7b18509ce40bbdb7ef7858783a34c00f5f76e4d9a8c0723a92e7afa902e

SHA512
8179e75abe9bee15b8003771d5b1da61ac36fad08d9f58567234e855e2ef8dd6701c174841d9795cfe162ffe6c74a355cf60678b8f0955eaae7ed85670e5e63c

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
91994497fcabc7197dbe75510088fbdc

SHA1
212ab0753a4c59d4089f95c1a1448a2cc3527369

SHA256
2f5ad832634d87eed54b5a7cd42b838081608ad24ea3f1e5670d0d3bd148aad5

SHA512
62a65ed44b723bd14923b10a09e58d64f4facd1a54131c38a1a8a14b7a48a68b038428e2cfc0cae4afdb70620a1002da36557fd46bd72d38dbf5b49b8f00ab5f

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
3d243a8a03b43c7bf60ab0af1496735b

SHA1
a0ee889c634d0155fccd184f359c93b70ff2c760

SHA256
175ba50df6c7b6be6efa0ff448ac2bacb740ae34312d612e6dd384df1db56696

SHA512
48ccab685091d62b70815f739a0674159bfd253bf128aefbffb48c67887a160dc365249c94f095527f9ed04b1f0e622cb59e56c7a672005f13d612572e0563d2

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
7b8d32568bc8ef4d423b1b2d68bb48d1

SHA1
32d9d7b1b83dbc9053bd6be40c9cb0b53176bd5d

SHA256
b21c858506f153c9b416e876da0980ddf935389637722369c4c9ca88304785c7

SHA512
0a40be22facfa6e64f57b5687ab1efda9dc9b93c646700cee2634c2059d7af8472f3319b78f7966be94483542b3f8fde861d721a2dd461e7c74c4faac7b2abb5

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
64KB

MD5
56ebbf4f9c95d943ce60c2f8c5e412d5

SHA1
5abdda5b26968ce0aad7589c12d6466c3ae7f342

SHA256
21be52ca6b1e627c387091a45ced20b5a7c58049a828b2bce26ebf91c71cb7b7

SHA512
32938ff709bd52f9645e145e18cc7ec43d1fe3e147a48dbba10975bd0a56ddec1efc72b600ea937519362fed774e747062387301fd151a405ec4119b88047fb2

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
96d0803d4d2b23331d39d194172c4a97

SHA1
d3dfdb4f281c241fd51491bf7f2a7b0fdd55e68d

SHA256
1154d90204e63f4ca47fb62303bd03d0c57518e8a76fd6765d0497640c262576

SHA512
8b25ace16e796f3597f6f4062639cf7bd91a35350682b67d2fc64a66f8c6212d7471970f35119f3bc58badfc8e22f20df0cca57ff0836973e740f9df65c1a520

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
1046db952eedf8a71f902af5e5e59ebf

SHA1
a6af6e1ecbd90757d2ba4050c161e474be14539b

SHA256
307dd6cd86d543be1e2fdc321a96680eae08247ececcea3ecd28d7858e812d7a

SHA512
99710814219ecb8f2be64998760f567ad988cfe72ab9d4a3baa45e48f2dd73b8f2dc9df70f94f200840d2d6a1fad11f78431330e9e7d426e45bc8b4f49f17ef5

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
198459be68f12d1a2336dc3cd83d02c8

SHA1
e3f8d88a10cee6704bb02f3a00ce2ccc31bd827b

SHA256
09a9a643a9e9804ad2e9c27291ac284c0c96a468841f29043ab6b13a2f6c49bc

SHA512
58ff5eeff0fb4605f9d6bc7eba446a6fa3378ee6e0a0e075c3fb3e1e3471d6fb6fec4fbf28b863ea55776d412a57a5de420d354239bcc3643e28903ac2bd038a

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
385c2c17b2ac0f1b9fbf75856237191d

SHA1
29acb392dccd1a39b4dbda678b51ab7ee09d4140

SHA256
5ae5e6249adb16fad2467979c5eef166afc326a7b8fdabfeb44eaf182b41ea64

SHA512
0152a4471a14b877bb8ed887133a746b5e7a7dfe5d7a3e016209f8e7b8e435cb9ab873e92550a172d7a31c734d7a95e686d80a8799fef2bdd48cfb073ebcb2e8

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
c625bb8e525bdd9879ba0653d2f0d754

SHA1
6bea8e60b4e6a39e84ab295f93c34776a994f96f

SHA256
396d907c4f46d73ae6960832e4b50eb74f82890ad1b5b95d3b294707534d0a91

SHA512
f27e449339d97752bd92096812d8a65ffad6b696e8bad369fa3989858c4370ada4ca8638ff1bb79db81c70e4500a32dd9347dd1987926314726fe5d6a2aa8009

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
606c2108f15550693dd7294e99f62451

SHA1
10027110270f6654b022f7075b7c2ea753565666

SHA256
e46a1a5a0e2eec3cbfd8d9dec8388aada5d9f9cfe7c39389faa302c665925515

SHA512
50c05d767e4aeae5c48b12015f3cd3927b0621051fe5fcb8bada843c0bfcb10f480e365f9b342bdea9f3641f52ef05d045fdc69b932b76d3a399790295beb484

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
3accab4717a24c6f6aeed47b45fa954a

SHA1
12cf38b607d241603b5dc56c5c96b18441c57432

SHA256
1a48908d9a28687177643543b089555e42afd9fadcd4fca486da82cdf1533b01

SHA512
9540bfc601bae0c66e76ccfac8bcaa7c2227652de1c86fceca027e3a7477be8077716a316705d3a66e8d8465f2d158e7c6a4b62cb8e2059b5a7ee77f525e92b8

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
3bcffc6a674e77fbca37ef4e79d349b8

SHA1
90323c6930b147593e570adc3a6f621890030f29

SHA256
badcc155c521b2662a8aa7ea427f3e741fd86de830bd545f4a4ecd7828aea703

SHA512
d044809aa3c27a8aa8dc7ca83a064cdfe100f12864bacf4cd11284389cb71f2e2e207758e28c551ec20b2b27f0df72c2b109718d35e6bfc8ad1004fd02c1ec9f

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
14478d104d7237621a39c0bbc8d698e5

SHA1
3783508c940ecb1c2a5b3ee608e5b317f553752a

SHA256
c36d4fd0915fe2f997e393fc083117bc4ff9431794f3879252ec16f16242ee1f

SHA512
1fe756b09b5a69467024c1157ece77420323adaf22f1d540bc8b06706f8e8766200aaf574f6037460e2d1225915e35e40c5333e0e096fd85004cce92a5574bf3

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
0d8f608f629fc5750a97a1a8ab33c2b5

SHA1
246924bb1048524e6c43460782b81cffd30bac49

SHA256
4d98b332e13bd024e4731afa38eff94570b55c2272a448aa3d5d35c0f5c2b9d9

SHA512
05878418129f9b9d41868614a9bbc9667646a6718e873cea8de158dc53e1d9f5add392960cdbd31a7ee77186935d0a860c5fda6acf395e997f62c37737e56bfa

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
072b7d4363317435376a544aa509634b

SHA1
e5e2e92c71e6b840f6514b132b10ea6797bf3183

SHA256
695451404640bb02ba09190a6a245874de1d4baa9f4bd190b0799cfd69e15c12

SHA512
eb5c63322eab334f8826ddf615a8ed7fdc4ac50fe8ff4ceb75d51b6c9bf1e1de1a65dc9ebb2e14666fc03649a428f938450f70a7e24c6bab1e25bad8fb1c66f3

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
64KB

MD5
6e0760cbdf0b9544a542e0599dac3c4c

SHA1
9d22787a657e2780a4ffa611dfeeaa5e77319fd7

SHA256
9509d9732c79e0cb907248e7191abcb4a878fa44fc566b924dc50977aa307374

SHA512
fd2159b1dd0b85824798328251106b36862d89ca91806f5ba380ac5986b43512d4e00261ff6ee9c40b561fd707fb0c47ebbc3f80f25e1a33d4bdff96fd95947b

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
31cdcfe94e4b98de838b2b1decc67ede

SHA1
e30a938821761d7e088353bc28400c363a9a5f3a

SHA256
f3714a4a025f75f77dfa7544651e5f3184cd4bc2b967ce05e7d9a5d71e5b9ab3

SHA512
f87437e2363276b51f348da9c3ee3f3b092b633aaed1a4114f67e94acd837d99dfa2dd6aa518cc654997b755a169d7d72665b27ee11ef68a8e08d83ac66d8266

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
3a0c03327363890b2f010f41adaf2c89

SHA1
bfad4d8e8d6be6b49b2fd755c5a72c6198f836a7

SHA256
eff5a106516a925382280c3ffaadbc59545a836bf35ee1eff75ff0400e8ece9e

SHA512
98b9ec580cd6d16bbd113be231c65cd40e676c13d1f1f690596a495fa906cea0287175f8fb10b5f0932fb7ea1ec711e2588cfdb6404d717dca473d985984d32a

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
9bba40f4dca36b3d4ef5903e0b990338

SHA1
330df9357d231c7eddf40c636843754d32c2a4ca

SHA256
095d2f529b44263f17be5ffcb3aeb4c32c5c20bc820e59ca1277b1e520336799

SHA512
074c1f25c8c2760af497cbea2efc2b893cabbddbe23a9bba8a3312bdf1c165dde0e3bf318759c41423762235292542e761a8921d65136d8f6874fd4f7b698adf

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
432b69c58cd7bdb6ba0e03efe7f7c932

SHA1
2c154fff6811f67a1b3f93e8dc276f7a7f3475db

SHA256
ccc1837c96a5247e8e6c6484af126a05f1d748d840407364734d226b56be910d

SHA512
4728852a657c44408c20c32048c195674b55d1d228d396fbb713d97f89e8b7428628d86721a65834b3a6c093836fb2896b0a8f4401d7aaf7c3a24822c06a2be8

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
64KB

MD5
ba9e7472c98fb3eda11d2fce961a3751

SHA1
66499057f8cc25620ed002f1f448bf0c473b1521

SHA256
45b7bfb564f956fd699c53f917ba253ea756676fcc51346e569a51f98e01d402

SHA512
6e1491103d1d9695cacb0f789b11461b84ac0ec3c1ab780ab8acdd2dbabcb2c7ac9e2e733dc858978e1cce2e8bb7105ebe8a5ea805bdf95b0f1e95ebce4a12c9

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
e39cb59808f7492afb25773e3f83cff6

SHA1
902a282646e03cd9733267c42048c9f65d37e144

SHA256
20139d9932739713f7e822184380262365a2fe0507dfab527b83902d12612da3

SHA512
32c71fc0c90e335431ba1e4259b89a82d5354e797faa36ee704516dc01069f2805dc31d44f49ace18c35a2bca2e1ca3fa6acbe41d72fc3e24dd19c7b89d9c66e

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
64KB

MD5
3ec8f3db3e9083d57cfc4c2d5ef04473

SHA1
7486bfc71a8d3d79d39c846c5cb4fbb710c3428d

SHA256
06455e0bcb2a3bc6e430634d1ffa74f79817c841f239dba89bb180fd466f57ae

SHA512
0d25ef7bc6c59ecc2a6810e2b2281c9c3202f42aa9388534522fc437534a51122afa7ee91f04481720604a04844cd176e1bf388d75dfcfe726b41cbc52bf0a99

Download Submit
memory/448-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2884-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.