berbew | 812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe
Size

512KB
MD5

a23cbaf92c5f67284076b1456af84110
SHA1

0a08230a5f4f9392c842f3b565466194a4878428
SHA256

812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189
SHA512

b77efd03670dc719075ed6370753d9bbb96843e6f00c2674b8b256076c556a1760f1a3c49fe26e21c25a6ac1853c8f4052ac1a31f67558dcc25d972578e983e4
SSDEEP

6144:SwdUZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:GUG5t1sI5yl48pArv8o4L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 50 IoCs

pid	Process
3816	Aepefb32.exe
3060	Bagflcje.exe
2808	Bjokdipf.exe
1580	Bchomn32.exe
2984	Bffkij32.exe
4176	Balpgb32.exe
2596	Bclhhnca.exe
3872	Bnbmefbg.exe
4172	Cndikf32.exe
4604	Cfpnph32.exe
4600	Cdcoim32.exe
5024	Chokikeb.exe
1296	Cnicfe32.exe
3820	Cnkplejl.exe
1132	Cmnpgb32.exe
1492	Cdhhdlid.exe
2828	Cffdpghg.exe
4552	Cnnlaehj.exe
2964	Cmqmma32.exe
1744	Calhnpgn.exe
1760	Cegdnopg.exe
1756	Dhfajjoj.exe
696	Dfiafg32.exe
868	Djdmffnn.exe
2860	Dopigd32.exe
3408	Danecp32.exe
3292	Dejacond.exe
1256	Ddmaok32.exe
4812	Dfknkg32.exe
4896	Djgjlelk.exe
4020	Dobfld32.exe
4060	Dmefhako.exe
1620	Daqbip32.exe
4452	Ddonekbl.exe
624	Dhkjej32.exe
2896	Dfnjafap.exe
2164	Dkifae32.exe
4740	Dodbbdbb.exe
1632	Daconoae.exe
1844	Deokon32.exe
1564	Ddakjkqi.exe
2220	Dhmgki32.exe
2928	Dkkcge32.exe
4580	Dogogcpo.exe
4572	Daekdooc.exe
5020	Deagdn32.exe
2944	Dddhpjof.exe
3656	Dgbdlf32.exe
4820	Dknpmdfc.exe
2500	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe

Program crash 1 IoCs

pid	pid_target	Process
704	2500	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 3816	3616	812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe	82
PID 3616 wrote to memory of 3816	3616	812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe	82
PID 3616 wrote to memory of 3816	3616	812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe	82
PID 3816 wrote to memory of 3060	3816	Aepefb32.exe	83
PID 3816 wrote to memory of 3060	3816	Aepefb32.exe	83
PID 3816 wrote to memory of 3060	3816	Aepefb32.exe	83
PID 3060 wrote to memory of 2808	3060	Bagflcje.exe	84
PID 3060 wrote to memory of 2808	3060	Bagflcje.exe	84
PID 3060 wrote to memory of 2808	3060	Bagflcje.exe	84
PID 2808 wrote to memory of 1580	2808	Bjokdipf.exe	85
PID 2808 wrote to memory of 1580	2808	Bjokdipf.exe	85
PID 2808 wrote to memory of 1580	2808	Bjokdipf.exe	85
PID 1580 wrote to memory of 2984	1580	Bchomn32.exe	86
PID 1580 wrote to memory of 2984	1580	Bchomn32.exe	86
PID 1580 wrote to memory of 2984	1580	Bchomn32.exe	86
PID 2984 wrote to memory of 4176	2984	Bffkij32.exe	87
PID 2984 wrote to memory of 4176	2984	Bffkij32.exe	87
PID 2984 wrote to memory of 4176	2984	Bffkij32.exe	87
PID 4176 wrote to memory of 2596	4176	Balpgb32.exe	88
PID 4176 wrote to memory of 2596	4176	Balpgb32.exe	88
PID 4176 wrote to memory of 2596	4176	Balpgb32.exe	88
PID 2596 wrote to memory of 3872	2596	Bclhhnca.exe	89
PID 2596 wrote to memory of 3872	2596	Bclhhnca.exe	89
PID 2596 wrote to memory of 3872	2596	Bclhhnca.exe	89
PID 3872 wrote to memory of 4172	3872	Bnbmefbg.exe	90
PID 3872 wrote to memory of 4172	3872	Bnbmefbg.exe	90
PID 3872 wrote to memory of 4172	3872	Bnbmefbg.exe	90
PID 4172 wrote to memory of 4604	4172	Cndikf32.exe	91
PID 4172 wrote to memory of 4604	4172	Cndikf32.exe	91
PID 4172 wrote to memory of 4604	4172	Cndikf32.exe	91
PID 4604 wrote to memory of 4600	4604	Cfpnph32.exe	92
PID 4604 wrote to memory of 4600	4604	Cfpnph32.exe	92
PID 4604 wrote to memory of 4600	4604	Cfpnph32.exe	92
PID 4600 wrote to memory of 5024	4600	Cdcoim32.exe	93
PID 4600 wrote to memory of 5024	4600	Cdcoim32.exe	93
PID 4600 wrote to memory of 5024	4600	Cdcoim32.exe	93
PID 5024 wrote to memory of 1296	5024	Chokikeb.exe	94
PID 5024 wrote to memory of 1296	5024	Chokikeb.exe	94
PID 5024 wrote to memory of 1296	5024	Chokikeb.exe	94
PID 1296 wrote to memory of 3820	1296	Cnicfe32.exe	95
PID 1296 wrote to memory of 3820	1296	Cnicfe32.exe	95
PID 1296 wrote to memory of 3820	1296	Cnicfe32.exe	95
PID 3820 wrote to memory of 1132	3820	Cnkplejl.exe	96
PID 3820 wrote to memory of 1132	3820	Cnkplejl.exe	96
PID 3820 wrote to memory of 1132	3820	Cnkplejl.exe	96
PID 1132 wrote to memory of 1492	1132	Cmnpgb32.exe	97
PID 1132 wrote to memory of 1492	1132	Cmnpgb32.exe	97
PID 1132 wrote to memory of 1492	1132	Cmnpgb32.exe	97
PID 1492 wrote to memory of 2828	1492	Cdhhdlid.exe	98
PID 1492 wrote to memory of 2828	1492	Cdhhdlid.exe	98
PID 1492 wrote to memory of 2828	1492	Cdhhdlid.exe	98
PID 2828 wrote to memory of 4552	2828	Cffdpghg.exe	99
PID 2828 wrote to memory of 4552	2828	Cffdpghg.exe	99
PID 2828 wrote to memory of 4552	2828	Cffdpghg.exe	99
PID 4552 wrote to memory of 2964	4552	Cnnlaehj.exe	100
PID 4552 wrote to memory of 2964	4552	Cnnlaehj.exe	100
PID 4552 wrote to memory of 2964	4552	Cnnlaehj.exe	100
PID 2964 wrote to memory of 1744	2964	Cmqmma32.exe	101
PID 2964 wrote to memory of 1744	2964	Cmqmma32.exe	101
PID 2964 wrote to memory of 1744	2964	Cmqmma32.exe	101
PID 1744 wrote to memory of 1760	1744	Calhnpgn.exe	102
PID 1744 wrote to memory of 1760	1744	Calhnpgn.exe	102
PID 1744 wrote to memory of 1760	1744	Calhnpgn.exe	102
PID 1760 wrote to memory of 1756	1760	Cegdnopg.exe	103

C:\Users\Admin\AppData\Local\Temp\812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe
"C:\Users\Admin\AppData\Local\Temp\812bd8e28e28b2a1584f8260ade05355d8cbb60cc235b6755b20df9ae1cb5189N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\SysWOW64\Aepefb32.exe
  C:\Windows\system32\Aepefb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\SysWOW64\Bagflcje.exe
    C:\Windows\system32\Bagflcje.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\Bjokdipf.exe
      C:\Windows\system32\Bjokdipf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 396
        52⤵
        Program crash
        
        PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2500 -ip 2500
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
512KB

MD5
9b0ec48a04bb93fdc27204dfcd5ba005

SHA1
541dc5a491324e3244b763c0c49d70f1356625cf

SHA256
1d3d1ebaf4aace271ac4c08f61595128da0e26b917c8a98dde1d98cee7f7868c

SHA512
c897432e651bd8120ad8642bdbb0bbb575cb66ccc3194459c59df1aab61dcc88fc82ba995ac7d9765e53d2e6fcb419ef5de1e2eb8fcd6d882e2b28156441e8d4

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
512KB

MD5
cab578a8030023a66684aaec5b9afa1b

SHA1
ecd8f2beb8bea731470051c70bdd16a179827d6e

SHA256
461434b9d99c07bbb9d945d51c2b7f843c31284d56210fe96b832eac78417789

SHA512
b6e245aced398d68d58008eee6a00454ada2336283222e4a0b49304b9050b803d47141c4bbb0ebd3bd96f94f0747eec8ededcd1350452cdb1ef7cf0fc13ba86f

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
512KB

MD5
fe0ed2b6273321644ca520047cbeeb2f

SHA1
a0578da5202b60cb7d1053174e95f30d69e34eec

SHA256
197c13de7569002e8f8b2299f25571bac9055ed9f69b86a9b49e5888943219fd

SHA512
f17563de744cc29dd7ed61053d171d05fa73a9361fd75e0e8b4a0cb5227fd03443626630510a7c6b5aaf0956dd12083885e756fc18f22cb1a70cc9a88875822f

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
512KB

MD5
a247a21eacf7340a25ea6c983eec3991

SHA1
ccf469ef0111eaf8551915c154ba245bf1301f56

SHA256
ddbac0b8444554565dd4e929b5ea88bf46a9c30c8d9caa66cae97e9b2cf47a2e

SHA512
c7f71c8482fcfb8eb5ebb4924a6fa9fae37af9b41871b65ad141b67afda3c52d74a88faa0121790c7d0a68d45ad0081c85246ae3fdab8ee0903245823d82597c

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
512KB

MD5
0683202f9a6bd9d848ea101da599b8da

SHA1
30941076a5761f5e3318655e29ba09afce1a8ace

SHA256
5b7408a11e54c82c4b21d5fdbcd375279e7cb2443868e6d8c31663534cf9aaf0

SHA512
00a1903ae1e3c765975ee906eed9f43b56abf4e48898786f8f1f4be65c6c9a63ab826fe7b18ed46896a3ba2db01e058838f2d55469464f52398f8da56360afd2

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
512KB

MD5
d0f73bc9cd24570c01e5b118c8685a30

SHA1
5151a0df59918d819abb5c2e6d5bef40c974e7c9

SHA256
8bd59159c394bfc7cb52b1a711ef277ff22b786e9b5bebc70bdffcbfefc2ae4c

SHA512
195246b8dd16bd360ac6236f8b0a245c862c6613f4a4d845e0d1e440f20b824d5a3b3f64f953ea9912145387993dcaae0756b0f3569c54e643a647d958246fd3

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
512KB

MD5
7bf97350a9f11d053584a64638693e94

SHA1
1309a883b5c45a9dd74423985ba4b4c711009fcd

SHA256
aa6254581939da3472b34a44fbd74fb805cc5f49b809fff279012ff63390889c

SHA512
e6b327f44f01d0911a1b547e3f2be1e6feb4847d15f5aa43b726f2e0e56df63e7d6946ff4d359feb5d9be24e13f792f6a9c38c59a3cc08e664bf50e285b75d9a

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
512KB

MD5
ffb470596951f86b58fba3a89ec53a3c

SHA1
0a5e2df772ab476eb893661b5e295b028720a4fb

SHA256
783fce88d4dc0798a37230fb50e94dc5fb53ba10e7b93b6ec6a586cfbe9dc4fb

SHA512
3039b31ee31428c71668f6042a06d8879d528b73280f008abc57122f587ea34f9209508690cde60df423ff9b2e35501ebdd9f33a7a25f10d241e06cf85558ef7

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
512KB

MD5
db570a72dee6ee3618b6497eeaf8de71

SHA1
67f0c77f2eb5c4e214998eb3c9ecd030ba6e3985

SHA256
0cad0dd8d466ccb207ebfdb34042714a4f8c7cf4606fb592a5b906d1f689a234

SHA512
6659a533fb60b900a89907ce9fec9560e0a5d61d8a837c36d98527fd78508086afe4f32be42257e15b92f28fb156501308f8b776ecf6f5304bdddecd28868da0

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
512KB

MD5
d49f59b0a9dc998914c66ecef3990055

SHA1
ebdf706b65c227a702bcb3c6dfb4844081d7140f

SHA256
6dc69f0829dc9cc3c4382885281f2509621cbb0cb06761aeaee778ee7c751893

SHA512
822393eab50efae4184d0694b3ea60ca20b49f178ea1095984cba47122b882dd2d6d0e8b6a991d23c8b4776433d2b807aa20d6866701c38100e00c406c3bfafb

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
512KB

MD5
f231dae34273b4df70e124d2c0111739

SHA1
96e801d4b0ea4c8cd983d419bd9e1e6b11daa012

SHA256
80ca2eedb1f6d64fd0e42bb20fc9bdcea05f8be75e4762fff9427f681427e33b

SHA512
50b4d110cf1861bfbaf70d9e5b0acecd465d63c0159e9e3558b9f10170a0ebc369a5d91a6512a1c693e77c24d49e06944f198048772581811c3017cf2122d46c

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
512KB

MD5
aef2fd98127f73b532ca518d46618ae7

SHA1
af097db9bbc21dc5d4c974ce179e1e712bb5b427

SHA256
7b12f861f7d462272ddd2318f8ae5115d7e5e4d4cc1039d33e2071136f5d999f

SHA512
f3cc8e71d21cf88dfd679edee1b87fd37f7c3f69a2de656b89ac557734729d9731e8b3a4bad6c4d80a084390e5bfa8b38c88b1d9fd5e7fcbcf678bad6c2b30ee

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
512KB

MD5
df29ae853182cc0f02a1cb9240168b68

SHA1
7cc7b45b7829236360618628d1366cbc558b7b40

SHA256
a58603717d12d026247ad785ff2edeec12447482171085b7df033bcdab82902e

SHA512
1cfdfdbfdafa508eea4ef54aebca636b1f6ea6b69cf75ed4c0b70f43a2a897caf072b3d1f4139c56297c73cbfae85cf19b9f30c1db7c08328bacbd6a2c5a8314

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
512KB

MD5
a3e202be024769c2620f0450381e1e3e

SHA1
3dc64128ba728723f897ab48209b49e9b5d178b9

SHA256
bafba675bc5a81c21fa3e4f903e1d0a9430d063b5c74350f90576beab063cf68

SHA512
ac3fe0fc4c7e4f83f7c6779bc515463d1e3fb6599b3e21efab3acb7046c043ec71924419859f45d1c782ac1df958a7b4e54d4f9f0993e3597dc97c01dfeddd49

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
512KB

MD5
6382759ca1f9be9bf0163463908619e1

SHA1
adaf83026e24aee8af95c6f2fe50289fb8fc44bd

SHA256
0d73080ec89fb4a51a5d216a4a8f8b11dd15a2eaf9dcf63744013725b1f4ed8b

SHA512
d8c39200fc081f00eda660d00bbd2457ae3dad4b86571796fb9f4949b96bb319658c0084648c7ad938abfcb863c713a2ac67012dc6788b39b6407e29a5f6f98e

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
512KB

MD5
99dab2d1ed432e4a8dfdf18bfa110de8

SHA1
a6cf4e5a59a89d78c31375dcbb9130d048a19e77

SHA256
d0109a72490193ed2ff764bd2a82135542bfa3a5ff46a673675e827f36c1d1a6

SHA512
5c12e4b8e35b6cf8c9081380a395d5eeece41a5e081785e439ab8176d3f316943996320a601f9b1866104933a83cc22166315919ed1535eb0c421bf3d80b4aee

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
512KB

MD5
925a7034f535d640df18bd2a117db639

SHA1
5308616019911402eb81dcae544cd52eadd0b941

SHA256
30f1b2d96f53926a2ff4327396db524c47eec9aef728fa32eac8d7806b6fa95a

SHA512
9d263fa1308ea548dd50eac9b816f7ed41a318ba4982d1213a28bd394aa7afb990ae5420ca050ad366c749503fc0c13450a7bb880df62c9c4a3992485cda6f35

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
512KB

MD5
2c48e9908736729d87caf7cd20e3d7d2

SHA1
21eafd945b0b5a729f6c9fc7184613a2f40e6236

SHA256
c6d64c3867d585caf205ce7bae79c8a198bc2f441dca9475ec5357b739a84f83

SHA512
d1dc84e207b857b0aceda4b797021039d1147784fde4fa4ddb4853224b286dbdacf266b5b9d0da73bdf375b11346d5c54ebac8a7bea4b6a935da6e106fd31655

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
512KB

MD5
055480a91b14dd5146bd79ace397c9d6

SHA1
9063186b4bcf0e076a58e1a7e47bb8a0c663c8f6

SHA256
60c8a6296e3e8921bb38f224219f05c54d3cd3c76f5bc70dfb0995e6e290bf23

SHA512
86c9cafbdffb2200319d8ad7c30a9ffb5b24937309958fef02d8e8316f6feb4a19c704ea2e2f0294fd2c0f2f523309341e84c7f40bccfdb8260429eab7d2c3f3

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
512KB

MD5
48bb8d070dfeadf9c7a46401c564204c

SHA1
bcf5c911dfe4410f13dd126242930b343030eeca

SHA256
1b5d07dc45235586166eeffe23c73bb099839a756d30c5e143385073848af60e

SHA512
ca4597e925e90c756f39f2b1d8ba239541294433516f7df397b3b848d32b14c75f6220ed64560a570bb9096b8e851dcbd4c8c601a6b6ac41c2ba4f2d6889153a

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
512KB

MD5
7a7a3819c53bb10566c74522b7ec240e

SHA1
15d814dee1097b7b05afb9a837fb7beba273fc8f

SHA256
393a1c2ea8ac612072e6f585e447e517eaf581565587f15b1f09b4a86e34dd2a

SHA512
3d5e843b60e6aff57c4b8a903a4e1725a0ad1e3b3565c341758f48b1ad77dc97e260dad21489a5a8482916aaa646d07cc1f0517c0b19c143a679fd1d21132a3b

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
512KB

MD5
3a608f749ba2a6865ed7941557c2d5ef

SHA1
e866833de278d4944dfdd7dc76e25b013a1a6678

SHA256
120b05372516e869e8dd1437b9f5c62638be006b26968e0d52719f6620902052

SHA512
04d07f61f26e34637dc1d7d40f08da6c556cf3c77b61cc73749bf5f0b2514fb829e781d5f242989d845ba71317d1cb48dd30fb8c1f0c0e861af1463c323944e1

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
512KB

MD5
4cf5c80eb529af6684ad6c23344d3485

SHA1
2b0443b637d7c7371411663f15e57d07ff4cda28

SHA256
26970c7c87ad58c43cb865409c79d20bc693ac781951c37f6afab8a06af13a1d

SHA512
01ded0523158be0e50428b531983e16ba05988f82538291d2a1486bef200fc16784a743ee8d112bede6bdc543245c3d5b3f1e865b4795d09ae5a006a2fa28128

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
512KB

MD5
8f913458aad8350d2469952dde34b309

SHA1
44a1022cdf91a24cc89171317d06e0c16dcaf716

SHA256
bec3d8e646cb0bcd8306a05d79678bad709d1f93cfc174c7d405e8b8b02240ec

SHA512
8c882bbe074599500173b6f823f6e260d68925b23917714aeb3447ec0ddacbca03d670440506b9d800bb8e9c0e8dd01bd794fa8c6d13f13faa6b0fdb8bef58f1

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
512KB

MD5
6dfa0f4690a0ca88988e4e049f4fd402

SHA1
6167e917629bbe96191d48a6751fb6c689d3cef5

SHA256
8854b2a9386a71dfca4d30cb49bacb122412eec14f0598475c6e511b7bd2cfe5

SHA512
d5e9b1490544221d892d5c3e0bdd1e19447cd50772dd8b4e791a59e4697b000f2525c22f644d70e9eb9f9eb32f7b7c928c29065c5a3c4611353bb14b0af9e746

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
512KB

MD5
45008886d3a94fa3b50f62d9e900581d

SHA1
92f62bd4fd1907861eaa546f2baed2598e997471

SHA256
1e91f5e017d40afa64f848a7e8d8a01563082afb1338765cf91a71c638f96d46

SHA512
9e89ae2e237dc82ece79b6cd096c8e3e23b97892ac6fa795adfc54eccd7f20a5afe14dc93e49af397acb3207d5a9a6368b295eaeab911d64ec21ba536597a08a

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
512KB

MD5
60d1f760a15a7a8fd49235b9c2bd84d5

SHA1
13be9df23452d141bfec4eaa5fd8bc439b222f2e

SHA256
0d2cf7eeb9bcc57151d5dffce87824a375ce038d73e11554994c5bf7da4d701e

SHA512
fefe6b44c447dc67b13fffe10adbb16c10b911b01fa25e9af97f128ed9bc5eb7256a96e911305e02919a00ebc2cc7b00844d845ec4cc1710ed6a2bc85b483ec9

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
512KB

MD5
243ddd0962201a663aa1c72d98d63e96

SHA1
7625174f751aa7844c4732ac27d05cbd45c1c771

SHA256
ba39e39648aa9d9d32c6a99d2aeec46d258286b364aed8d5f316acd347303603

SHA512
ea521eb543c5b7cbf57013b94b6e9b7485b36af2f877bd320552e53dcfb0c0702c579fbcff41f295dcdf077686ae3a766c56ec9cf12bb7c0e5d3113176411544

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
512KB

MD5
9a47c7679e95be6ec9cf82a2d3f16264

SHA1
52553ca57e0cc48b9d969a338dd62536f5583a62

SHA256
e475b55305f4a18462df6cf643b12e29a7c8a1a0f887772efd8f128f30bc02a6

SHA512
f19548f732386f5517a68ba8e666dd456ad13a46d6278755905b35a9aa375cdc66a0db604828dab8920361a14c5b6f7f1b7b3124b7ef6dc313e0c58082ea12d1

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
512KB

MD5
c90926d4ec1e825bce3d6a2f26976177

SHA1
5fdb78f43e5badda141459593d2223f124aa12d5

SHA256
287d0651f3fc2a8300cefa2f7a5ccc825918c692b55274a59e87f754ba3f8f8b

SHA512
df687bb9dc7b9142943d0ac0e7a3dae37d5c0a7ff7cfb2d44de06c3a64ae9e221647c5c076f193baab4d55f346e3eb861348dd9b5471e563ad3b60a18fcc7646

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
512KB

MD5
c176c8b9d3b9a6eca8909d7fcafb19a2

SHA1
a4c6c70c2aaffa49b4f0629e141867bad0e6eb4f

SHA256
7e8f42ff19a94203c485f8cadcd7bbf00585199f7a55b9748da3cf5cf24796e2

SHA512
de3cce06aeaa253f9232c97016ab32ff78bfca5c0b6ae04720b00e9feee8b04e766e42819d9df10df86c57844f1de5bb7a0b516ec08b995b8aa189dbde8564c7

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
512KB

MD5
4633bdbc8f4f69dbe4698765222c8b1c

SHA1
667fa0b12a23be1d4d37f3454207d196f863deb9

SHA256
faaf4677aeb3de728026801bdcfac9fcfc33cad4006add27bbcd2a666dbef3d3

SHA512
889d2af3099050908d030041bc98b5103f72827b6a698277ef200280047fb8dc26ae4b428827f0feeabb607b273d092d8567389ce7510d0a2c6000afdc606226

Download Submit
memory/624-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1132-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1132-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-421-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-427-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3820-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads