berbew | 3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
Size

93KB
MD5

bc2e58df7692849541ccf8c77d597b10
SHA1

b170b6e787ad5046aec039db109dafaf529210c9
SHA256

3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704
SHA512

e75c22265c69a9a503f91ae2d4b3f14dc2a0f337762edccf37f94166c9c53c00c9f0b6c1dfb6a4b83688a977584c053d9c520b51210d8a3e4b7a91c13cc16ff8
SSDEEP

1536:gD7iSnKOaKBz0hLKa0Xjw66A0rS6W1DaYfMZRWuLsV+1J:O7iSNBz68c6p6WgYfc0DV+1J

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 26 IoCs

pid	Process
2680	Bieopm32.exe
2656	Boogmgkl.exe
2732	Bbmcibjp.exe
2596	Bjdkjpkb.exe
2624	Bigkel32.exe
2464	Bkegah32.exe
2840	Ccmpce32.exe
1404	Cenljmgq.exe
2716	Cmedlk32.exe
2044	Cnfqccna.exe
1912	Cepipm32.exe
532	Ckjamgmk.exe
2376	Cnimiblo.exe
1036	Cebeem32.exe
2948	Cgaaah32.exe
2168	Cbffoabe.exe
960	Ceebklai.exe
2372	Cchbgi32.exe
2248	Clojhf32.exe
2112	Cmpgpond.exe
1692	Calcpm32.exe
1980	Cegoqlof.exe
2508	Cgfkmgnj.exe
1636	Dnpciaef.exe
2304	Danpemej.exe
1640	Dpapaj32.exe

Loads dropped DLL 55 IoCs

pid	Process
2084	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
2084	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
2680	Bieopm32.exe
2680	Bieopm32.exe
2656	Boogmgkl.exe
2656	Boogmgkl.exe
2732	Bbmcibjp.exe
2732	Bbmcibjp.exe
2596	Bjdkjpkb.exe
2596	Bjdkjpkb.exe
2624	Bigkel32.exe
2624	Bigkel32.exe
2464	Bkegah32.exe
2464	Bkegah32.exe
2840	Ccmpce32.exe
2840	Ccmpce32.exe
1404	Cenljmgq.exe
1404	Cenljmgq.exe
2716	Cmedlk32.exe
2716	Cmedlk32.exe
2044	Cnfqccna.exe
2044	Cnfqccna.exe
1912	Cepipm32.exe
1912	Cepipm32.exe
532	Ckjamgmk.exe
532	Ckjamgmk.exe
2376	Cnimiblo.exe
2376	Cnimiblo.exe
1036	Cebeem32.exe
1036	Cebeem32.exe
2948	Cgaaah32.exe
2948	Cgaaah32.exe
2168	Cbffoabe.exe
2168	Cbffoabe.exe
960	Ceebklai.exe
960	Ceebklai.exe
2372	Cchbgi32.exe
2372	Cchbgi32.exe
2248	Clojhf32.exe
2248	Clojhf32.exe
2112	Cmpgpond.exe
2112	Cmpgpond.exe
1692	Calcpm32.exe
1692	Calcpm32.exe
1980	Cegoqlof.exe
1980	Cegoqlof.exe
2508	Cgfkmgnj.exe
2508	Cgfkmgnj.exe
1636	Dnpciaef.exe
1636	Dnpciaef.exe
2304	Danpemej.exe
2304	Danpemej.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	1640	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Clojhf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2680	2084	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe	31
PID 2084 wrote to memory of 2680	2084	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe	31
PID 2084 wrote to memory of 2680	2084	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe	31
PID 2084 wrote to memory of 2680	2084	3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe	31
PID 2680 wrote to memory of 2656	2680	Bieopm32.exe	32
PID 2680 wrote to memory of 2656	2680	Bieopm32.exe	32
PID 2680 wrote to memory of 2656	2680	Bieopm32.exe	32
PID 2680 wrote to memory of 2656	2680	Bieopm32.exe	32
PID 2656 wrote to memory of 2732	2656	Boogmgkl.exe	33
PID 2656 wrote to memory of 2732	2656	Boogmgkl.exe	33
PID 2656 wrote to memory of 2732	2656	Boogmgkl.exe	33
PID 2656 wrote to memory of 2732	2656	Boogmgkl.exe	33
PID 2732 wrote to memory of 2596	2732	Bbmcibjp.exe	34
PID 2732 wrote to memory of 2596	2732	Bbmcibjp.exe	34
PID 2732 wrote to memory of 2596	2732	Bbmcibjp.exe	34
PID 2732 wrote to memory of 2596	2732	Bbmcibjp.exe	34
PID 2596 wrote to memory of 2624	2596	Bjdkjpkb.exe	35
PID 2596 wrote to memory of 2624	2596	Bjdkjpkb.exe	35
PID 2596 wrote to memory of 2624	2596	Bjdkjpkb.exe	35
PID 2596 wrote to memory of 2624	2596	Bjdkjpkb.exe	35
PID 2624 wrote to memory of 2464	2624	Bigkel32.exe	36
PID 2624 wrote to memory of 2464	2624	Bigkel32.exe	36
PID 2624 wrote to memory of 2464	2624	Bigkel32.exe	36
PID 2624 wrote to memory of 2464	2624	Bigkel32.exe	36
PID 2464 wrote to memory of 2840	2464	Bkegah32.exe	37
PID 2464 wrote to memory of 2840	2464	Bkegah32.exe	37
PID 2464 wrote to memory of 2840	2464	Bkegah32.exe	37
PID 2464 wrote to memory of 2840	2464	Bkegah32.exe	37
PID 2840 wrote to memory of 1404	2840	Ccmpce32.exe	38
PID 2840 wrote to memory of 1404	2840	Ccmpce32.exe	38
PID 2840 wrote to memory of 1404	2840	Ccmpce32.exe	38
PID 2840 wrote to memory of 1404	2840	Ccmpce32.exe	38
PID 1404 wrote to memory of 2716	1404	Cenljmgq.exe	39
PID 1404 wrote to memory of 2716	1404	Cenljmgq.exe	39
PID 1404 wrote to memory of 2716	1404	Cenljmgq.exe	39
PID 1404 wrote to memory of 2716	1404	Cenljmgq.exe	39
PID 2716 wrote to memory of 2044	2716	Cmedlk32.exe	40
PID 2716 wrote to memory of 2044	2716	Cmedlk32.exe	40
PID 2716 wrote to memory of 2044	2716	Cmedlk32.exe	40
PID 2716 wrote to memory of 2044	2716	Cmedlk32.exe	40
PID 2044 wrote to memory of 1912	2044	Cnfqccna.exe	41
PID 2044 wrote to memory of 1912	2044	Cnfqccna.exe	41
PID 2044 wrote to memory of 1912	2044	Cnfqccna.exe	41
PID 2044 wrote to memory of 1912	2044	Cnfqccna.exe	41
PID 1912 wrote to memory of 532	1912	Cepipm32.exe	42
PID 1912 wrote to memory of 532	1912	Cepipm32.exe	42
PID 1912 wrote to memory of 532	1912	Cepipm32.exe	42
PID 1912 wrote to memory of 532	1912	Cepipm32.exe	42
PID 532 wrote to memory of 2376	532	Ckjamgmk.exe	43
PID 532 wrote to memory of 2376	532	Ckjamgmk.exe	43
PID 532 wrote to memory of 2376	532	Ckjamgmk.exe	43
PID 532 wrote to memory of 2376	532	Ckjamgmk.exe	43
PID 2376 wrote to memory of 1036	2376	Cnimiblo.exe	44
PID 2376 wrote to memory of 1036	2376	Cnimiblo.exe	44
PID 2376 wrote to memory of 1036	2376	Cnimiblo.exe	44
PID 2376 wrote to memory of 1036	2376	Cnimiblo.exe	44
PID 1036 wrote to memory of 2948	1036	Cebeem32.exe	45
PID 1036 wrote to memory of 2948	1036	Cebeem32.exe	45
PID 1036 wrote to memory of 2948	1036	Cebeem32.exe	45
PID 1036 wrote to memory of 2948	1036	Cebeem32.exe	45
PID 2948 wrote to memory of 2168	2948	Cgaaah32.exe	46
PID 2948 wrote to memory of 2168	2948	Cgaaah32.exe	46
PID 2948 wrote to memory of 2168	2948	Cgaaah32.exe	46
PID 2948 wrote to memory of 2168	2948	Cgaaah32.exe	46

C:\Users\Admin\AppData\Local\Temp\3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe
"C:\Users\Admin\AppData\Local\Temp\3bd43c16abfc10d7e5a70aa5b3c3a21435600371f1f3918ba6be922e3d1b7704N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\Bieopm32.exe
  C:\Windows\system32\Bieopm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\Boogmgkl.exe
    C:\Windows\system32\Boogmgkl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\Bbmcibjp.exe
      C:\Windows\system32\Bbmcibjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 144
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bkegah32.exe

Filesize
93KB

MD5
eeb4efb67b55602176ceecab6a0e8b1c

SHA1
9104ea00915c42ea42644074e8cb8f1fe0dc1c9e

SHA256
d73952a1e79de070709565e5055b549e9845250a98d5f6543ba059473e2b0cff

SHA512
17fb702690d122bee71602ef6459156f8efe3f4e9a876e4582b47dbf79898ef7e6892c93d5b9e0f452df4cbd4db478c1bbca8f3f04aa138eabdc1c24024e5741

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
93KB

MD5
66ce0fcf7d246d2087a99a908c2d59c1

SHA1
a3c1dc89d15bc15b594736cc620e1e26cd891c45

SHA256
f62148c18972bd76171dc130d60548635785a1576e0c958c1b9b0e0c1d70b2df

SHA512
8e76b394310d5c28448eea2b3b09db062bd1417ffe40b45764445c68ba9c85e2c3b41363e19dcd8efe9ea117bf3e958fcebabe172ba714d00b58c26cdcc56be5

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
93KB

MD5
7cd0089d45fa7a3a11c5a2ca2757de67

SHA1
78fcdc65e050e08f4f7de1e66532ce98c655628c

SHA256
f9271be65eaef184ca5682641dbd2756a15beac22c692f0b30bcf62987ee772a

SHA512
0b21b0809ddf70d4cf8fec0512f353b17f6a0282a5a550d6cee2ec61b423b7c108b61e2184d4914bf8dbe5b80759615cee378cf90c43ff3bff013e1e4ad4218a

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
93KB

MD5
ab22bff88773563458c8f5697cccb001

SHA1
395dca0dda1ecd700c112f826034468a1afc2481

SHA256
1f77a71dbf2a3c7810bfb3ba7fc1320d33d65f69c61a3e8a1dc62513f0b762db

SHA512
9201cba3d70f38a055bb1c0d32d03de9b90960d0f63e827f0ae1bdd8d296fc0fe7613d135f76030fb0876e108f1f598c862f1d8358ef3f4d915141510a145b1f

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
93KB

MD5
4e6335b376ffc7fbe2cb680c919650d7

SHA1
bef9f3bf9660f20a14d6cb16e0e7f1f1d4dac05b

SHA256
097dc78ad4a425a718d605639a07d41989c179251af9201f5454f05baa583213

SHA512
4c8208cfcf1d4403104a2054b687be27961189ca1ed5e6517c43dc5f53e0c566652a5e082a07f4b3225969dfd3746913cb87c0c99531320e04beae01e688a3cf

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
93KB

MD5
a2a34efae2fa9d69a12015184338adf6

SHA1
714d7024846ad2a2d8d38283b9ef07b45ff43ec5

SHA256
d7a6e8756963379712ab0a45016b84aa114f562178b493607a5650d42beb9d07

SHA512
74ea19e17176a83613625c2ec73386bff2b049365068de4e9bb6e04297f3055a67a381e6bece116a293271a8dacf3400012c28356ecc66a7882cad1b764d03ce

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
93KB

MD5
ab79ce6693feeea0ae861cf4a1eefc97

SHA1
f5a87b217b4bc2cc3800396eae1abad0cbf2cdfd

SHA256
6cdd62606ebf85dfca93851dbb73205c749e697fb5ad4b4121dfcf11676fecce

SHA512
d9b8d03f557468eb78b05954632fe1e47ad30f9a8f5b80de9c918e39b0d97800bb7520ae37bf4ecf677d4ddf17ff2c733a1fee9e18a89f9377fbb999bc94c340

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
93KB

MD5
abf823c6f85d605bd246cc9d9b580e17

SHA1
4c5d2a800399519534dda302ae99ae7f3360d43a

SHA256
8b19ee2bde3ec0beecb7723e679920e32ed4830d61bfa4a0605110621a391695

SHA512
61f67bb9ac98a3e5aa0b47b8cf513dea2b4c0ea5127e2d78a3dff05344cae687095970b27972d2da4081556215e727fdc38ac225cdd09145733bbe79fff1627c

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
93KB

MD5
3da29891a90b7c4880ff1298d90b384d

SHA1
c8421baf29208305aa1d9bda3c06c92e7d9bb3eb

SHA256
20969ed9bf06572d648d3684ba921e8d4ea8c61c30a9f1a6a8857a1c584ce6c2

SHA512
0cde484b4b5c131392f63d68de4cc4664afce1bd04bb1f77d682cd89d3d11783aae2060cefead8c9a57b88aacbee6c3bda5ed1350328718f24ce769442d77a47

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
93KB

MD5
6fa2a521002d62b654d04e5ef3468e6a

SHA1
cfd9670a9c7efa69de859a254817d012e16b220c

SHA256
b5229d2ca3af7b486ba46566e23a4b467d814c07197c805651fe13123ef6b682

SHA512
63ad4d347d638015b1d02e44e169d37b8b7881ac9ec634c13e567a52d93caee5877fa2a752968ebbe4e18cd7a39bf30ca24721b0b9f3daa3836d38c99f465af4

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
93KB

MD5
47e7db2a72a3b6e00d05b641b21f5fce

SHA1
0551bddd8e5a589f3b863cc646f75473cf9bb28a

SHA256
db71492de664f60200b31385f5b3c94e1b09bb94d7b7b3c573e010dd6b3fa08e

SHA512
011e6b8dee53fbeae0a0ed642caa6bdc625f666f251165e08b3445afc7b31aef03ee51276616aef20d2d8df1a8e1452aa1ed275b5c2ff0b4c9dfe9cc81af6944

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
93KB

MD5
edd44ff9c20446abe510576274a6e3b2

SHA1
8b1f1b6d1b2db10c2212c5cfd9846a267480a472

SHA256
8f20b89d78e9d45966ae39301165c2750c00cffbfbe4be0ad318f6e328657358

SHA512
911c31fa67b5b022eeaea3d90feeb8381a11ec835fb1b088a0b7e2d8db437d6f5d5562f9f375917f008f3c7d52b46ce86be6eddd0a0e8c4ae2da2ddf5e31f6cf

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
93KB

MD5
99ab9f37ba70a878fc4a3c96cce41261

SHA1
aa7b353fe0b91bca47c63e4d3241035bb9af81c1

SHA256
1c5b67e7f1616476bec0d701ddb23fed5ba4ded138523de338c7d56e9f4796e7

SHA512
ee12382528e0789a8adbe2cd2912c8c086cda53ba881d9c8bdf559c1edf9e31aca4cb05ce286945a8b5eda1431f0ecdcaefe387dcaba2664f13b2b88b889a172

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
93KB

MD5
72d90cc2b8aacb2f7df5e2fe9b88415b

SHA1
e6f7ff2020fabb6609593842febd6219bba6bf5e

SHA256
a8eefc96cadb4909bfd29fd2357fce266ee0ff56819a1b85402e8566e9816fd0

SHA512
adb3546017d96646bdc577694a6636c8109c09edc5b10ef0a12d1bccd9cf17734c80819f6937eb578a8d253f9fa540a6d7531e489e7e04db90318ade9469a7ed

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
65ec457e95f96a527cbfd1e1766acc91

SHA1
54ed3b711bd9ac4b5f0c019a6619a6faf4beb291

SHA256
24bd62fb7165f3ac319ae87a9dc2e1267711a74123991a15c305df12cda9e24c

SHA512
38a42922ee87b65a2634eec6e6aa4a6b4b47e1c144da0c74b6109ab694b8200871cee3599b4cef978e61910c7054458cd7ff08011530f8135e7819e32d4572ef

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
93KB

MD5
2d76499f1c65b9ddf716155830302231

SHA1
725aa5a582cb58c049a81f469782aabbee8f43f4

SHA256
d2f33d1fb931a8ef32a2ed13a6585789f8279483b8903e9aace579974cfbb16e

SHA512
b37bafeaa93416d48c28bddaebcfd13f39873bb155d4c61f2ed70dbec1f2afa043e5c4544f8853bc66fbc65a1b0328b14996c5137b31caf2570b0fe356b94657

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
93KB

MD5
db1994e4f2b5b262fb4f82e0c5a6d163

SHA1
323ec3d3962d4c05304b769867c496debcd96b81

SHA256
67bb6f3bb97feb6ed13bff5f5875ce311e460cc7c9beb6e73d8cdef322a1bb86

SHA512
ed0039017686992b00a7f748878d418d22afd04e3ca9647b8ca01c9ca67a3f22d5e37b2ab7d17d85c23c335693ccc9753b42a36e32d097541b5843a27904b395

Download Submit
\Windows\SysWOW64\Bigkel32.exe

Filesize
93KB

MD5
d1506e4e5daf3a15e9c4e47edb469e4f

SHA1
ef73c9c827136ffa825f1b0c5a6033696e1a1c72

SHA256
23a2cfa263703d3a8e9aaea55dc50f3f769cc3f9917fcf9e5a1b4b54f3ff6a72

SHA512
cfb7e483bc425246eeb05c1c84ebe15de70a6bd4e86097e05eb15654a9c910f8f4de46c145e0514533d9e76513792df48bde5bf630d98901aa90483670e4fdf4

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
93KB

MD5
79174934d2b9c369cf8ac3f3cb945e78

SHA1
35bfc0a4476d904c3f844cb20f03f8a262cc6e96

SHA256
7a378daa0a4fee21de92b0dae1cbf09a1141ba45ba9de084afff89f8ee4461aa

SHA512
6849b2f9c6fa08315164fdc0393a4d586a30c25bf51e635df90d2c00198a88e2e4fe87e7daf41a89455f0b819e1ef0d0caf0276d94f49f4e01916b8a6675b03d

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
93KB

MD5
865114afed21fdaec0f0c17b2f205c76

SHA1
09b6cf0634684711eb936d666b6ac11d250db020

SHA256
8421c5182f653857f0ba60b1af51c08e81628ed9678749ba974e50a146ddae7a

SHA512
a3d888e24deaf6c46050eaec423d2f0ea4d139e6ec19bb0065627f6a4b83d71e434ea3a1624731ac8799d8cea2a6a40aaa57e6ef3d086389d19d7a4b04a87104

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
93KB

MD5
d9806965cfe81e492ca7bff5080ac6f3

SHA1
29cada61d289370284f5662280b585b44f8a931f

SHA256
c9c5ff2ce70a62e11ca8c8c24353ee85e540b05b802cce13a3b3fe7fa84a3f03

SHA512
379ef6bb6e6267d266d0f83a056b465dac2855ae920cfcd5fd6a7b6bc138123b45f9a0637e7708a155191f748ce8e775fcbda405057789022788b33ffaeb3894

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
93KB

MD5
7e6f3438e81704be796cab71ea532008

SHA1
674f9674a4b6124defc2c01955e17b81109965fd

SHA256
bcc6147103172f040e1ec603d478bf0116328e321878d55567290225fe629290

SHA512
c14a706c59f50f7911b0143dd9e582cc01aab06dc6f2d81c3e8d72172d2b42bff75afe30ca61507ca3e234feb883998c44f6cd129acf27165becc0fe5282da7f

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
93KB

MD5
4dc7a4210d27fe66895a34c92c21ff3c

SHA1
ed7f22b329dc1c81ebf733a5ba69532e34710d87

SHA256
16b23da0b6d340d1bd1eba6ced67b48cc3d43c002efdbddcbaa7ad514f265772

SHA512
a56082e0b43c2d94a409a6cd8877bfa607fec881821df109731c82df0721e2e309e7a17255897355383fd86b1af0a649d0aaf043be19581e260361a2340ddf7e

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
93KB

MD5
922fd33959b5595e3c1b30f742085706

SHA1
b2fb1f983957dc811d73ffa0940fad4b07686b3d

SHA256
5542966bb717cdc170fa90705181f171e565ad6e2ebb662226c7fbd66cb0ed6d

SHA512
851b12e9bf5943ba4fc7b3a2ff19e3836fc34c6ffb34f727fe9cb9be27e9bf01ebd7d1fe07a67cdd6d919b5c5bf1fb93f1f857c77dbce7efed0ae7146e320ded

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
93KB

MD5
141dc0c5a6177cbac9738233cbaf5d8e

SHA1
080c7480db34ff5eb6ae52489e2b15fd59e9c1dd

SHA256
1ee8591efd32563f1d0db885b080a6a8dd31ed1d1b26de38c8e0c5d6b15d12fb

SHA512
6861341db30a3f54f3bf8781b526593cfd809b4175b382da36059e904c70bb04eeeee0ebf770181f23d339769621d3d12fc37e7b13f198a18271d601b99b9ec3

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
93KB

MD5
232eed9d2c6ffd03a2f2afff4da73cbd

SHA1
aeb28cd59d2adf57b8da07cebd24035a0be20835

SHA256
f9fa030ba477d5fc9270961ba0551da1da39e8198d9c4d327ebf85f12b6df97f

SHA512
239b4b7b5b0c043deaeb8d24a4a95ca9ab4efe4d2c4874598a12cfab52f900b90cf1af7bf83f1f39288bf511d47ebfbcb4241615f857f1bd541f9d1e8931fccd

Download Submit
memory/532-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-119-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1404-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-112-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1636-303-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1636-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-302-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1640-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-268-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1912-160-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1912-155-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1912-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-281-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1980-282-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1980-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-146-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2044-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-12-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2084-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-315-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2304-316-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2372-243-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2372-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-187-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2376-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-86-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2508-292-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2508-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-64-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2596-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-74-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2624-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-131-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2716-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-100-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2948-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads