berbew | 501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383ca

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 19:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
Size

64KB
MD5

d3ae05197a51219fdeec2805d8bb0190
SHA1

ad13fe232d87088dc3a69f750fd20abbb45f7082
SHA256

501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383ca
SHA512

d5e50f668e4370612dd9552bbd45e63061f3b0dc118884490060f1175a42e957b248a5f8155ff274d2cd51d693b3378756084c4d6041716f6a3d8c358524a1c7
SSDEEP

1536:gabjyEsMQmL64Xi7788bT+iJYr2Lc2+lWu:gaPyEsMQm+4y79bThJzc2+L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 27 IoCs

pid	Process
2444	Bcoenmao.exe
1816	Cjinkg32.exe
3060	Cabfga32.exe
64	Chmndlge.exe
3788	Cjkjpgfi.exe
1124	Caebma32.exe
2172	Chokikeb.exe
2008	Cjmgfgdf.exe
1568	Cmlcbbcj.exe
3476	Cdfkolkf.exe
708	Cjpckf32.exe
3956	Cajlhqjp.exe
4860	Chcddk32.exe
3028	Cjbpaf32.exe
512	Cmqmma32.exe
1408	Cegdnopg.exe
1604	Djdmffnn.exe
1320	Danecp32.exe
1868	Dhhnpjmh.exe
2560	Dmefhako.exe
4800	Dhkjej32.exe
1136	Dmgbnq32.exe
868	Ddakjkqi.exe
1352	Dogogcpo.exe
1976	Deagdn32.exe
3080	Dhocqigp.exe
732	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	732	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2444	2856	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe	84
PID 2856 wrote to memory of 2444	2856	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe	84
PID 2856 wrote to memory of 2444	2856	501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe	84
PID 2444 wrote to memory of 1816	2444	Bcoenmao.exe	85
PID 2444 wrote to memory of 1816	2444	Bcoenmao.exe	85
PID 2444 wrote to memory of 1816	2444	Bcoenmao.exe	85
PID 1816 wrote to memory of 3060	1816	Cjinkg32.exe	86
PID 1816 wrote to memory of 3060	1816	Cjinkg32.exe	86
PID 1816 wrote to memory of 3060	1816	Cjinkg32.exe	86
PID 3060 wrote to memory of 64	3060	Cabfga32.exe	87
PID 3060 wrote to memory of 64	3060	Cabfga32.exe	87
PID 3060 wrote to memory of 64	3060	Cabfga32.exe	87
PID 64 wrote to memory of 3788	64	Chmndlge.exe	88
PID 64 wrote to memory of 3788	64	Chmndlge.exe	88
PID 64 wrote to memory of 3788	64	Chmndlge.exe	88
PID 3788 wrote to memory of 1124	3788	Cjkjpgfi.exe	89
PID 3788 wrote to memory of 1124	3788	Cjkjpgfi.exe	89
PID 3788 wrote to memory of 1124	3788	Cjkjpgfi.exe	89
PID 1124 wrote to memory of 2172	1124	Caebma32.exe	90
PID 1124 wrote to memory of 2172	1124	Caebma32.exe	90
PID 1124 wrote to memory of 2172	1124	Caebma32.exe	90
PID 2172 wrote to memory of 2008	2172	Chokikeb.exe	91
PID 2172 wrote to memory of 2008	2172	Chokikeb.exe	91
PID 2172 wrote to memory of 2008	2172	Chokikeb.exe	91
PID 2008 wrote to memory of 1568	2008	Cjmgfgdf.exe	92
PID 2008 wrote to memory of 1568	2008	Cjmgfgdf.exe	92
PID 2008 wrote to memory of 1568	2008	Cjmgfgdf.exe	92
PID 1568 wrote to memory of 3476	1568	Cmlcbbcj.exe	93
PID 1568 wrote to memory of 3476	1568	Cmlcbbcj.exe	93
PID 1568 wrote to memory of 3476	1568	Cmlcbbcj.exe	93
PID 3476 wrote to memory of 708	3476	Cdfkolkf.exe	94
PID 3476 wrote to memory of 708	3476	Cdfkolkf.exe	94
PID 3476 wrote to memory of 708	3476	Cdfkolkf.exe	94
PID 708 wrote to memory of 3956	708	Cjpckf32.exe	95
PID 708 wrote to memory of 3956	708	Cjpckf32.exe	95
PID 708 wrote to memory of 3956	708	Cjpckf32.exe	95
PID 3956 wrote to memory of 4860	3956	Cajlhqjp.exe	96
PID 3956 wrote to memory of 4860	3956	Cajlhqjp.exe	96
PID 3956 wrote to memory of 4860	3956	Cajlhqjp.exe	96
PID 4860 wrote to memory of 3028	4860	Chcddk32.exe	97
PID 4860 wrote to memory of 3028	4860	Chcddk32.exe	97
PID 4860 wrote to memory of 3028	4860	Chcddk32.exe	97
PID 3028 wrote to memory of 512	3028	Cjbpaf32.exe	98
PID 3028 wrote to memory of 512	3028	Cjbpaf32.exe	98
PID 3028 wrote to memory of 512	3028	Cjbpaf32.exe	98
PID 512 wrote to memory of 1408	512	Cmqmma32.exe	99
PID 512 wrote to memory of 1408	512	Cmqmma32.exe	99
PID 512 wrote to memory of 1408	512	Cmqmma32.exe	99
PID 1408 wrote to memory of 1604	1408	Cegdnopg.exe	101
PID 1408 wrote to memory of 1604	1408	Cegdnopg.exe	101
PID 1408 wrote to memory of 1604	1408	Cegdnopg.exe	101
PID 1604 wrote to memory of 1320	1604	Djdmffnn.exe	102
PID 1604 wrote to memory of 1320	1604	Djdmffnn.exe	102
PID 1604 wrote to memory of 1320	1604	Djdmffnn.exe	102
PID 1320 wrote to memory of 1868	1320	Danecp32.exe	103
PID 1320 wrote to memory of 1868	1320	Danecp32.exe	103
PID 1320 wrote to memory of 1868	1320	Danecp32.exe	103
PID 1868 wrote to memory of 2560	1868	Dhhnpjmh.exe	104
PID 1868 wrote to memory of 2560	1868	Dhhnpjmh.exe	104
PID 1868 wrote to memory of 2560	1868	Dhhnpjmh.exe	104
PID 2560 wrote to memory of 4800	2560	Dmefhako.exe	105
PID 2560 wrote to memory of 4800	2560	Dmefhako.exe	105
PID 2560 wrote to memory of 4800	2560	Dmefhako.exe	105
PID 4800 wrote to memory of 1136	4800	Dhkjej32.exe	106

C:\Users\Admin\AppData\Local\Temp\501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe
"C:\Users\Admin\AppData\Local\Temp\501db1c3e11a6d3785490e493a7135c1fa540fc9221d2f41b5144b7cba2383caN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\Cjinkg32.exe
    C:\Windows\system32\Cjinkg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\SysWOW64\Cabfga32.exe
      C:\Windows\system32\Cabfga32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
      - C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 404
        29⤵
        Program crash
        
        PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 732 -ip 732
1⤵
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
2490d31d831cc583ccb8979ad99e2e9e

SHA1
e726d6fd88ae1c7fac81b3dfcd042cec4dcc4a84

SHA256
10de8216dda168a16c39e64cfbb3ab11371ef36d4ece14e94bbc7b940a182ef2

SHA512
34708983aca0d4ab038d368a67d24f514338439c4eb9c5ccbcd02dd18913b86ce27ee90b96b915232b4eb96f36ea85b6052de602414589927a9e42cfa33db04a

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
64KB

MD5
130447a95d56b103064052a7d55d66de

SHA1
863b5fffdc725b927d0bf35f555889704bfd3805

SHA256
262d4248f93e4915c9b3a3b4e5ab3bb8d34b0a44c312ddddee3dd08ace92a83a

SHA512
c6ac6474c48204311a6f62010c785950883d98b30e4040921d0e246f98ca96409c901f50efedeb3f197b2c3b0f923fa4a29ab51d0f7dfecb61a433ea527ae419

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
ad2ffe034d38ef660059a53283e56291

SHA1
833c37412d35837d12bb4b78f3c9c5990993cfe0

SHA256
5252a295eb370a86f3a37197f80c3da1b45e9c825f88d4765c0fdc20fb3a6585

SHA512
bfa3b57eef0e9d425a55bf0fd7fe53a4d980d8641fbdded89a904d0a04b930e6393e39fba588b16cc7b5089e49d2b4265ba56961ed3921739066ede5a40c1071

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
12273d0a54d1e079680bd0e213c3511d

SHA1
b70e6531f526a15f1413a1d3b1ea45b3917bfae6

SHA256
49592cd744ac1589c7eb9436867bf4f45e4f593993f371d1d81a7f3314ed99c9

SHA512
d0c00bcbe6542de58c413d0d55471a9b7b37625835da1272c8e9361ad1ca448e8474dc6be60f62fea0236d36f340a0be9750103be9af3be2c3644ce1f17bf8a3

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
cc8c49833866fd00e9a26777d7b282ff

SHA1
861ac43176c136d2b1a443084e8dcdbb374057fa

SHA256
dbb9ef4b0379d517ea37d65058ff59f9042f5b488f0f57621864ae805aaf951d

SHA512
fc88e8b532d0b1bdd5a333d587af7083d2137886ed3fb85e1bfbd642ce1bc3ce7cd8efb5eb9679297271de386819d6e677eb4355fef2d49dbcbff83138fa8e21

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
5219bd8678674ac1a8b53c06f348363d

SHA1
0163bf8ee102f10fcbb5f16594c2070da76f6cab

SHA256
ef323cc2730fe704aa37da4fab78fc386d72ee5d206174f0382e322e630bf108

SHA512
b274d3a388db2d9b75871c3652f60dd754080201ac4bd07022f7bccfcff10015662c896af6778b6dafa7be20404685fe3050dbd508282b82f6b2c3d289b1caef

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
424786cea0c2998d1499d55c7e7ce2f6

SHA1
aea8b9264b180dcf456987cab0cd09e073827432

SHA256
69f16be92c827d327e551d112f325cbd19d382246e79efcbde356742882d4571

SHA512
1b3312e0755637a48220917d93cfee49a80511b36c2bdccf5b65a9297623f470f9e77b08b85b92881c1c6ad70adc01b926aac53f0508f5e3f4aeb7c6f891e94b

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
1f4dcf66562e6780718c64e83d17d4af

SHA1
8c978d3c266c399b678e2f5658e04abf92810b8f

SHA256
032ce8c11b311d55b0cb73efee9cc22d3b1a9702ff106c44b3bc6f3cee420d02

SHA512
faa4570ff1711711bde88c6f9a65272d9c5ac8753b093982569872497db2568073e2dc4ce1498cbce5acbdf8aaa41c53ee63308d7c8d4e596b46d350d0b5b541

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
51e154d9a592f802b112e4936ac2c4b2

SHA1
63ee83bdd98fd1db9e1596ba56c54ca004d5746d

SHA256
c9eb1c16b19ab907d2cf210532c59ea6a0ac4cd17abdfbb6580159779809c9c9

SHA512
28ed4d6aa1dc1af962c7088dc862931c4f3dc3afd8b160746c821364b6b471ea7fa230f0666ea369d1bdafe23f7f7642b95516a1b74367930fddcfc248cafe4c

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
37447ea1d06cb3d59173ffe08bb2b269

SHA1
958af621f6a1329f13a3cd6a9dcce218c4d5df82

SHA256
91c777cdf1bbace55e7f5a578b1b54bb7d198f6d39b0c02d2e54c38a78e35a66

SHA512
2a687a6d9a05a4ac4e80e005c85134b36f2dabba81772d7eccd51e7e20049cf74fbe29be2eb3aaddee6f6061ca9081d230e0c41ccf22e76b12ae04cb4559f789

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
28948de24f430e7341f8a1ea89550dfd

SHA1
a9671c375ec0d952c7b98f0f72640bc2d946ac03

SHA256
b42a6da03d3d728e1dc7311e8fbfd9a989bacf5d2abe34306fd40014a9a7857f

SHA512
63e5c66fa39eb032c6e0f9f72e9a09cd5f87e2201b7b847bd6349e72f719fa6ab455d5a0f06a1ee9a1b2edf3ab393ff9d4ad29b79fa8d5bf39f2a081ad8ef6f8

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
d5a935dbfda6332ab195cc878e033f8b

SHA1
2a218edfd4a9479fdaebc90217227e4dec3177ed

SHA256
0cf2525fb652de7dee5e111e051a94d75678e644a9d68e1586b871813192f337

SHA512
15d1defaf2d6a8618d0349c99d7c71bfae34bfec39a0a6c9e91c94949139fecd70ba02eb4e0817f578bb79c9be1e23fdb9077f5ea7ed0bd2d7d3309777e9b966

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
b95f9eaa362d536868718718be9acf6b

SHA1
706a76a3703ea481746fa2e2cd74f35c21e7a262

SHA256
d4e73612373fd63cce8b32219f400c5775f3b604f692f16d1c9000283bef8368

SHA512
f21458ec08c05d4d2cd7a1a9b3519ca02ca06868543aa162a5bbf9e7b5bca32c07c3b85f141cd527dac94af656479528b4791c8076c974d7ac5ab4595555a3ab

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
2e438f5a341465277fd90c20c752222c

SHA1
e0ba28b10421190616cbfe8e747044c064133ae4

SHA256
1a0c96406a967454d79c5fed417360689b2891ded333df7e814863baa8543472

SHA512
172b704107f87522ab979479886bb00071a90e431d9822116788df46b59b21501978be1c9af7fe0917352c0f96ca4ce09a7d0b704abcb29a3bbe38910f7fa395

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
062913190dad8b0a0c75b3ab6e6ddb9c

SHA1
16c608899e324a80d718272f0ec7ba6765a0d528

SHA256
e055a5b1a9e336379600f7b1ddfd2e72d43e5922fa2a2c4cf267b0dc7f72d652

SHA512
b296b8992f95d54dba6a47fb8132e39558e43a55bcf13a575e61d9a5b3da965c7507aa200f456ffc8a24633a47f1b7580258c02faa5cfd37fbc919e2fd216ca5

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
da0e4ba94d71f866ae34a8c27bead5df

SHA1
eb573ad3f640b3b639c82ed1cd7214e81cc68632

SHA256
4cdacf2458a1fdb9c577f33694ee4bad94ee688a50182df3ae770a6c1a75b8ef

SHA512
f13252f3b0ffff0445cd1013083ee6fabbb54c3d38fee3ad33af3dbf90a8e4c2c41feb787cf25481e6509bc2905a93f8ae44ac8788b15b3eaa8e4829dd4d605b

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
7e2c14273fd1c06e8676f0e717233aec

SHA1
ace969fba105592381d1d3c7f457335e0368066f

SHA256
301844c213452aa1248fa959fbbb8c5d8e46f5904b6c09fd47038a4d95bdf794

SHA512
4cc40b6260bb43aa64dbcaa7acd382603de2720c3502ba863b36a8bdc17e408f74222f9c64b80e211c81f873cd4e4566764ec83bbc11389344aa808d70b0aff4

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
ac11b8cf8147c8666ed7e535ea25af0e

SHA1
d9d80f260d77b962f0cdd421eb3a81bcd3e1f7db

SHA256
846093dceeaf49f571254aa171e7d81f10a9499dbdde6b240acee989d852c80a

SHA512
762e729997bac694acec43fecc0891f784d2a8a2e9b7ab63662683120bd17aa22567c2f611f6e1d353cc316d42e6f3d5e0f39fc1bbdfeb4e74a090ab908d0475

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
3c985f71ca4ac8502786d61c1b75c723

SHA1
fac14e8775450946d40c260b7f20e11ed1777e20

SHA256
5895a6cfe5db3e7cc525b026d35da35f73e04889702e2d8fc9e9b38e89701bb9

SHA512
56972fa3a416fe8c2cf9491c5c0e611f4d03961c955e2fcfc243020aa69dfde97a7247f8ab6e1bab0a92022f45bfdcbdfb7bf77cade1b8acc8b461d3a8f517ab

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
290f4594dcf2c3b42a9b909f4e45293e

SHA1
20006aedb687231505874f9fadd7bf1c1f0e9a96

SHA256
dc988faa1f7571cddf814ae3499932f8978f8d4477173a1a7ad26dca1095f025

SHA512
bdfaa8e8665710cd86082a875ed6f8ce0756cc917422ff5d4ab1b38db7eedf27b36b12d71d59f765d5766c28914586ea07956675e6b0cb24f0e2d5873fbd3388

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
f11111c6f64f1f23cc2877425ce64137

SHA1
1a830477b2a3b066ea81b48f8c623e1ad3aba0ed

SHA256
3133d9ce26b35379685bb3fe3283290ec9db70789715e3da525e007d2e9e812c

SHA512
e0010d7be34bfae80d605f9328b5b0866fd52391ba0e7df4e98b6fbaf340a6bf218934f12a688e5e45685a5adcbf128bd45bc4c548f89ee09cb36146dbdb50cb

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
99606c6d5a119cea2100d053b6ef46fb

SHA1
df74548f49af010af047cd45074540165e430f29

SHA256
fc6d2c596a79472c1fbf7e761dcf403278415efa3f91a31aeb9d683644fa6257

SHA512
6a77f42861b35a007fe818ad3a2fa47c1f1abd2abd89a6f204f5c3a8b6cb8c130544b276e547ab9434f878ba669e0e4602d7cd520f1772fdf5040ea59dddd6c5

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
64KB

MD5
98ff323fe1dde055ee3c9e3c481fead2

SHA1
5881e8e0f161d66c9dde2a4617d8992981464c09

SHA256
98fd0850c3476d82c2c60596ee884c2e45f02a684168b9e39f43984e9ff71c5f

SHA512
ce6bcc099535d04c1775961fac3930f726533dfa8a5a6d8f949d2e25ce79f153adde23eb5b397f338fd0c100613d2d8f9dba3e24ec33e30e7886841fa8e701ec

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
64KB

MD5
af694cb5263478cc3527c532b23f404e

SHA1
f0c0dd0c7802f78ebf3d72df634eeb8126f63781

SHA256
aab53661a06ce518ee0f34b305da0d4098615af9395ad0a1ff1222c9f10573e7

SHA512
2a77c42580d3e9384394a9f3e0c4503cc573a050090454a86b514867c12eef9d8488d8705fb0ca40f1f2e3c64abc04f9b0d65ef2849519500ec3adc29a465688

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
ac7b045e7d4ae17487f9a1e68e1df991

SHA1
9c60b2110749effe34adc10df74cf2b7c36891b6

SHA256
0218d83c33758706f5b56cbda4a24c43c934499f85aa39479c41c800b7d97bb5

SHA512
15db43b7eff18de28036a9eb75865e6f77b43c3bf2519d6265969ee8b6055019762577f82b4d7fa396d6b7908e933ae1e59c48657a789c97704d533e8a8ce813

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
62b87708305ccf5a5f64b43eb7840ccc

SHA1
5ceced27ad8811499a3a3386ac8491c837604549

SHA256
4f76a7a01ef9c2726964edae1bc20ffbe508222abef4f0badb3a61830a8dad74

SHA512
019d14c6087f22305b216be38948c3bf42758b638009b6db04419b845ea2fcb73fc48db8e56d7a63cd5b6657fa87fd4b2a0d43c27ef7e30cf9c2323e9ccafd1b

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
f9d9d9168b6a177f57d84dd1552088e0

SHA1
d81480cc1a5f527a760dfa15fa89efe6e5a2e3f3

SHA256
54374177a8be33a8a8bb08f44e6be95f6ec0cf0e4e4c9df7ab8d7136762fdeb7

SHA512
a1d35e58fc8091cec762d1370dc49aebffaa789eb6e0ce0f84ea755af55808782066582aaaff879df353ba03a85993a52fc0a4c13a7e2815c846afd96b666911

Download Submit
memory/64-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/64-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/708-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/708-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/732-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/732-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1124-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1124-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1136-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1136-222-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1604-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1604-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2856-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3060-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3060-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads