berbew | 959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
Size

64KB
MD5

ed338d0e724dc63d217e6f3d77740160
SHA1

e2bc544f723b5709267f0a02f81b506b055e2656
SHA256

959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64
SHA512

d219508bf845b2a37c54e90b504060534b7b2ee455a860926c1b46b9d1c61354bd37dfb4c5dc08195072f41d2f95354a73c11d2700d4687493c4fef9aeec2357
SSDEEP

768:KEqTDYFxkRHog8GN75uO4Y9F7J2LcCHHbIPsciSP5c4/1H56A6XJ1IwEGp9Thfzu:CYOHF5uOr7JCsH/CXUwXfzwl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
2456	Bapiabak.exe
4076	Bcoenmao.exe
4028	Cjinkg32.exe
244	Cmgjgcgo.exe
3476	Cenahpha.exe
644	Cfpnph32.exe
4704	Cnffqf32.exe
1624	Ceqnmpfo.exe
3516	Chokikeb.exe
3280	Cjmgfgdf.exe
4732	Cmlcbbcj.exe
3420	Ceckcp32.exe
2636	Cfdhkhjj.exe
1952	Cmnpgb32.exe
4472	Cajlhqjp.exe
4912	Chcddk32.exe
4492	Cjbpaf32.exe
2124	Cmqmma32.exe
540	Ddjejl32.exe
1116	Dopigd32.exe
5116	Dhhnpjmh.exe
452	Dobfld32.exe
3172	Daqbip32.exe
752	Dhkjej32.exe
3052	Dmgbnq32.exe
4508	Ddakjkqi.exe
2000	Dogogcpo.exe
1992	Dhocqigp.exe
436	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	436	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 2456	4316	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe	83
PID 4316 wrote to memory of 2456	4316	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe	83
PID 4316 wrote to memory of 2456	4316	959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe	83
PID 2456 wrote to memory of 4076	2456	Bapiabak.exe	84
PID 2456 wrote to memory of 4076	2456	Bapiabak.exe	84
PID 2456 wrote to memory of 4076	2456	Bapiabak.exe	84
PID 4076 wrote to memory of 4028	4076	Bcoenmao.exe	85
PID 4076 wrote to memory of 4028	4076	Bcoenmao.exe	85
PID 4076 wrote to memory of 4028	4076	Bcoenmao.exe	85
PID 4028 wrote to memory of 244	4028	Cjinkg32.exe	86
PID 4028 wrote to memory of 244	4028	Cjinkg32.exe	86
PID 4028 wrote to memory of 244	4028	Cjinkg32.exe	86
PID 244 wrote to memory of 3476	244	Cmgjgcgo.exe	87
PID 244 wrote to memory of 3476	244	Cmgjgcgo.exe	87
PID 244 wrote to memory of 3476	244	Cmgjgcgo.exe	87
PID 3476 wrote to memory of 644	3476	Cenahpha.exe	88
PID 3476 wrote to memory of 644	3476	Cenahpha.exe	88
PID 3476 wrote to memory of 644	3476	Cenahpha.exe	88
PID 644 wrote to memory of 4704	644	Cfpnph32.exe	89
PID 644 wrote to memory of 4704	644	Cfpnph32.exe	89
PID 644 wrote to memory of 4704	644	Cfpnph32.exe	89
PID 4704 wrote to memory of 1624	4704	Cnffqf32.exe	90
PID 4704 wrote to memory of 1624	4704	Cnffqf32.exe	90
PID 4704 wrote to memory of 1624	4704	Cnffqf32.exe	90
PID 1624 wrote to memory of 3516	1624	Ceqnmpfo.exe	91
PID 1624 wrote to memory of 3516	1624	Ceqnmpfo.exe	91
PID 1624 wrote to memory of 3516	1624	Ceqnmpfo.exe	91
PID 3516 wrote to memory of 3280	3516	Chokikeb.exe	92
PID 3516 wrote to memory of 3280	3516	Chokikeb.exe	92
PID 3516 wrote to memory of 3280	3516	Chokikeb.exe	92
PID 3280 wrote to memory of 4732	3280	Cjmgfgdf.exe	93
PID 3280 wrote to memory of 4732	3280	Cjmgfgdf.exe	93
PID 3280 wrote to memory of 4732	3280	Cjmgfgdf.exe	93
PID 4732 wrote to memory of 3420	4732	Cmlcbbcj.exe	94
PID 4732 wrote to memory of 3420	4732	Cmlcbbcj.exe	94
PID 4732 wrote to memory of 3420	4732	Cmlcbbcj.exe	94
PID 3420 wrote to memory of 2636	3420	Ceckcp32.exe	95
PID 3420 wrote to memory of 2636	3420	Ceckcp32.exe	95
PID 3420 wrote to memory of 2636	3420	Ceckcp32.exe	95
PID 2636 wrote to memory of 1952	2636	Cfdhkhjj.exe	96
PID 2636 wrote to memory of 1952	2636	Cfdhkhjj.exe	96
PID 2636 wrote to memory of 1952	2636	Cfdhkhjj.exe	96
PID 1952 wrote to memory of 4472	1952	Cmnpgb32.exe	97
PID 1952 wrote to memory of 4472	1952	Cmnpgb32.exe	97
PID 1952 wrote to memory of 4472	1952	Cmnpgb32.exe	97
PID 4472 wrote to memory of 4912	4472	Cajlhqjp.exe	98
PID 4472 wrote to memory of 4912	4472	Cajlhqjp.exe	98
PID 4472 wrote to memory of 4912	4472	Cajlhqjp.exe	98
PID 4912 wrote to memory of 4492	4912	Chcddk32.exe	99
PID 4912 wrote to memory of 4492	4912	Chcddk32.exe	99
PID 4912 wrote to memory of 4492	4912	Chcddk32.exe	99
PID 4492 wrote to memory of 2124	4492	Cjbpaf32.exe	100
PID 4492 wrote to memory of 2124	4492	Cjbpaf32.exe	100
PID 4492 wrote to memory of 2124	4492	Cjbpaf32.exe	100
PID 2124 wrote to memory of 540	2124	Cmqmma32.exe	101
PID 2124 wrote to memory of 540	2124	Cmqmma32.exe	101
PID 2124 wrote to memory of 540	2124	Cmqmma32.exe	101
PID 540 wrote to memory of 1116	540	Ddjejl32.exe	102
PID 540 wrote to memory of 1116	540	Ddjejl32.exe	102
PID 540 wrote to memory of 1116	540	Ddjejl32.exe	102
PID 1116 wrote to memory of 5116	1116	Dopigd32.exe	103
PID 1116 wrote to memory of 5116	1116	Dopigd32.exe	103
PID 1116 wrote to memory of 5116	1116	Dopigd32.exe	103
PID 5116 wrote to memory of 452	5116	Dhhnpjmh.exe	104

C:\Users\Admin\AppData\Local\Temp\959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe
"C:\Users\Admin\AppData\Local\Temp\959e98098ba705f3575c76555981482c8b13851b6e8975fa18e135d0176d8e64N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\Bapiabak.exe
  C:\Windows\system32\Bapiabak.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\Bcoenmao.exe
    C:\Windows\system32\Bcoenmao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\SysWOW64\Cjinkg32.exe
      C:\Windows\system32\Cjinkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:244
      - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 396
        31⤵
        Program crash
        
        PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 436 -ip 436
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
64KB

MD5
a4385d874ef3515b9c11bd897f380cff

SHA1
4d1897ba78751855149cf96e877838ffa109d110

SHA256
9f24a74e7ad6c23a5151643385ff8be65ba09b621c4ee8ccb03ebe0074ec3703

SHA512
e6be0d9e434dce3108c14caa2826816bad5dcac235447395f175becf22e735b3668d7e4d2a1c35fa6aaeb37c9d2601a972a6f143e2ec3191dba54a77383fd699

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
5bb6591c5c75ae0ebc114b147f3c65dd

SHA1
80a9a2b2bcc1cf6b144619d15e7afa554f4baa47

SHA256
a9114fa69f70a70767948dd73940214c1bb09a8dce1ac96b9660c4feff7bc10e

SHA512
7073ca1754aff84ef1e4d3c57d2d75e118bff4b2160ae5d21f83e6ec31954166f732b50fdb6cd997c894316de876e8d4e1be2fab5d63955e9fb744662a52de56

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
98604842216596782561ab720dbdaf22

SHA1
a90bd4d5b973ee509c3ff2ff578efe9a03d098db

SHA256
cc7ec1ca8a3c679c6c330b4cc1019580c8e2a762a83caf18e1eb9ef0df78708e

SHA512
2570190f63bcd741f0d15e3166688c0c9a93ba94aaf8d7dd8ffbeee31e670ded8f6494a8fdbb80f79a8e8dd21d6bc70b85ee421611cce730287f0d8c46d2c4d6

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
64KB

MD5
69dff911cc7feb75dd18c2f8e8528b9b

SHA1
3f0f4a763045913406bb5bbf643e4b94300c23f9

SHA256
ed6630681c60d9d90fcaae3c5e0f078fdbda3bcfe997ced28c94e8aa15f7747b

SHA512
2d902314c9774eeec5abb8a80034c4022d74a75e2972970cb416b81c0e5b43418ec643028ed386c32b1680f1e12605a1d8440af5ee86cb9edbe0d0ec61c80233

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
64KB

MD5
e80c8c752f5bcb9ee17642a0fc3cc650

SHA1
44ed32cd9f03e784cfb7b2bac1ce169503b9c29c

SHA256
6a4299434bafa66e6def76663d840d4dc1889c6cb8885f0db989216ef1a7082a

SHA512
cc1e7d23fbb11a212d2691b5595871334873c43bdc16a4950abad6d4d9f1acd1895492075eda8390e4bb510101eeba9ea05b9f7438d30db928cc62e4d85a31f3

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
64KB

MD5
46a12f4e0172ab36444b7ca16bce0f8e

SHA1
6521b2270b2c720e46bbaf3b968e06b1e7f1bc2f

SHA256
299e001f0eba918d821129642be9a7df21a65214629ff88c0859c0a375e32694

SHA512
77205af51ec387ebca45abaaf69824fdef9545bc95fd4c05869425c47f1d098b9f67aec0e7ad0eb7e622a9510be2b248a8211155c5253b47bdb10de736f56d6a

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
8855c7522ef36815211b795e96c72323

SHA1
a86567764a6134ef4f135ff1b52b966acd1dc9a3

SHA256
e4f9d73ad18a2efbf2eca7d2237d6d4202c35fc7363e68fb66abb26714e0eddd

SHA512
2e5b514cb74ef994d3aed8297c33282f4b1f806eb92601bdb9dd299fce190d284ee506c914c790214e032b393d040e4c3d44decfe0a97ef4afb92a8d719bc811

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
64KB

MD5
0700dd419981b02e555350a50d7eb278

SHA1
760f71e9ef0aaca46cd672bf408993d1725878ff

SHA256
20db19da8c9a4ca23d0862d6d551bb56345ab6b60f005ed99885ff885493ebfb

SHA512
74dc750e39be1d041badfc6589aea82b1264cdb12c3d155d29db59be7fd09dad0ef792bb118dc2f30f422c5ccbb3a93e8200fac7d8d329924ad2c2a68ce6707d

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
7b3d4d25649bc8a2a1d293b6ac9b2fe1

SHA1
9ab0a95b78dcf8a07f2565febdb5a55b8196b6b9

SHA256
eb7ac7119cab2fc9f94fbb612acefdb98f03c14f6e1eee929742c9322b7e2edf

SHA512
da2b59626328d8d56ce29127c639db6866255217f2d31334451641867b9d2e320ac64c506679acebf343fd47ad53730e371096763b57944d20f06835f8caab49

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
9941690e3b7af6250cd1717c05d7f8ff

SHA1
1099c5a313fe21bf596af84ee228369e4ac93dc6

SHA256
233780c81443a216bacab87e76bf76e1d7a66e9712f7ad37bd84151f7e6a5a5f

SHA512
c9ad066960b16f7c598d37200e60fcfb9815296a0d015f5bc75535236864627148bac03ea040fa805721ee8f32ecc14e82958fb5414be4a6620e0aee84daa68e

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
08ba640cce448dbec1221ae35510b741

SHA1
86861302d5debd7208801ce007e2f19f41e57707

SHA256
666e83ba347de272375dabe92211bed13166543d782d4ed81540513cde20250e

SHA512
7db5e9c8e2af1abb82d5d503719d48ad0958211aff4f5cd6fec4a9da7b77f558db9ea1ed77e9bbbd0ba312fcb282c7a2aea7fd36e9cdd3c4804fe486aad4a9e4

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
721328f3006efbab4ada6b61a8af55df

SHA1
ed4fae3d210f63bb26acd148564deb6a45a5d207

SHA256
293c9ac7a47648816a44fc22447e77e9862e667f790fa7cda0f88fa2d981b67b

SHA512
0cec6616c878460d8dffac23a0a68b84721ef9a89726277af058ed88da7687b45e78e934ef2f72a08933c229facaebb476a88acfa12ba36e5d164d3a2f6cfdaa

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
4de02c0d8f74f9ea4e6d04dc6c186c36

SHA1
606322781eeee5e709b26525275030e8d437bb76

SHA256
231f78d7f1fdbb22b5fd5ec70415fc65a0dbc91cc1d8cdb2f4d3c8cf637cd911

SHA512
177641e94860d224e9eafd5f77a5c8788b7105f0407c9dcb24f9f9e52396552789f516448c9087f082736f11077e224aff08aa9382782a598adf787697f52c20

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
0c0df4aa90b98178e410288a86d8a405

SHA1
8a6bc764f25491b20ba9d4038432cb0089ddf7ff

SHA256
b45c9af80d7983a58b543d656723a50994f0b4fc830fadd546896f53f515ad2e

SHA512
4aafe729b3d3a6f9ad4734334eee9dd52c4e360481c9533cf03e5938bf3896675a8e99a9f88d1a4e13b01e5330613ae5baf55a001bfe0deecc0c391d99079ee9

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
b395d20acb7c91ae2f989897f60e7171

SHA1
8e974a421172d66b785324f857c02ee45e6bc353

SHA256
f867f0d3a30a61f044748781d1a909c281b2c998088c8b0dc5b81b6ca7372e9d

SHA512
3a907799cbfcff09a693712ac5c2f6216edcfbdcec00307fe3fb4a081fe9bb9c3762e98280df9961d5ed0967e5d0d5822166c2506053c6268f6e6e2984c8f973

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
8bbe73d6930a742c1fb2d31ce53c0471

SHA1
cab7f04996446b9c828abf457db2ec186a458af8

SHA256
c47f7df328f43d577626388052b8e816b74ca2ef001b86bbefdfa530398b31b5

SHA512
a100ebe501336cd8b50c8718fd9e46edaec3916752118916bd28599c720ac2812159ce45f8fc719ba33cd67925d4c255c0893b092163bd963c6edbde98023734

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
908f6b92f2c6b3d82427d8079c74ccfc

SHA1
a35a434fff754c6265452bb06a96e2887bf9a19d

SHA256
2fcb1f87c58a27b2172db51851cd4ce8d34d0e063023a8ab17d4915b319888b1

SHA512
a90d9f6408d09bcc9b2bc6cca40bf961ec326b6f94a2a6e2aca8627d3619c13ff9a6846c89e61321e65b9fd1e302601fe0eb08edfa6c90d33d819bbcc46c4f00

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
3f1132acd452bb5cbc68f5d54bb0db2b

SHA1
f59716679c3171008eee8357b57b309f85d36cb8

SHA256
91a9523c0a9281369f59467107b7797b1efb6471d63a0c4db3d3831c37b7e35d

SHA512
1da739afd6497c20eaa0434a8dbdad5c165e965cac28eb34b5047c5f1cf92d6851067b07ae4bcc55c6e2de5b00dcb2ae4ca1e76928affde07fe23af876ca9e52

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
91cdc7951576fb2612d0df3ac5e25f9a

SHA1
060b819f7784a7c71dbe8fac1a5b5307d09f167b

SHA256
12a076d89bd3047886538e742f3dddeeb0247e748cd7e63974740c7b713aebd8

SHA512
16f34a31616c653dac4a1d9781008332ba3df973a0bfe7c248255d6fdd0a31883c6682fad219995a51ec68d210655adfeabd4c8e70e671a3deadab862a3970d9

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
ee1f41c7f3deeb0bd850d6e7b1bf143e

SHA1
8861b67c6371be3249ef6f13e7607a76a65fe1b5

SHA256
815e5716e7d239d6784654fc2a027dbdae572288249a4fa8c32a1319654d1ff5

SHA512
b2523453e710cb9639131dbfcdb239813454821bb175741fe666b2bddacebadfee0b9d68cf862b4767bc49599e93b32fc54588935d29d010b11dd7044f1c69bb

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
c194ddd0d3128cdf7dea65e2149c2f42

SHA1
04634822f67ba73c15927574d4079dc5092a75ef

SHA256
89768980f71a1cd1a266b79d5a624b753df6b506598015782a33b925f6609797

SHA512
94ed14884d2005eb60c0bd29a35dfb03e8e7337ce6dc9e2c93dd849df4c7f7a81984fb4ebe0555a77424c636467367b6e1d1f40490b4f91118923ea93b0d4172

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
61e6aebce2ad1fb44ac05dc2599f00b5

SHA1
1190d0b6a68e458fd6d056aa4006be619c111838

SHA256
b26db87bdaa5a5a9fcd654b2df3e52048f2e1f85b2ecd6e16bc2e811bc116f26

SHA512
2fd4c0770582361671d1fdb9cfd6afe34472483c88bd1b4b4ebeefec83e7665e73bd8019d2f725148c75f3a5aaa39b1f1d23701bb232c200938c54c992e2a803

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
08d04aa3a0bb6a59ffa8625f13d49c91

SHA1
0bf34f5a9c1d7d325b0fef2d989c37e8abc25d5d

SHA256
afb884cd3aa81c057f597da9ae2ac31defcb14a67a563e07e9828c1b72259c98

SHA512
168c28da7cb7194ccf1da1f9d9dfa38b380ca71b0f0b0940db6f01318043e4fc6c4c2d923c1d69a876940ad571def3426b6e51d6803b828de121c3fc14acf596

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
e25a84dbd3d3698ee600c90ade5b587d

SHA1
f19a280efb9cc7639e067782cbf5c09a934a2c56

SHA256
47669c343aa2d657d7ea618b88d399f10483f029b76009c5ed22a3476d50843e

SHA512
3a061af04cc3faa180ac8d9d5fc240c96229200717bd04eb81ca4185cf533cd2b8ed3dae608a370af829dc6b0b8b936159cea871486bd1846e0271f1f029d5b4

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
adbcd81ce46b33e59468173d447e3e34

SHA1
74d17f60147a2b2d15a93dfc6aa727224cfa5674

SHA256
def8384567cbca16c95459487c8edebda3613598986dcf78d62fe823d6063d56

SHA512
8247807d5670445345f5c657c9d2f6831d2dbf45bfbcb22a2f6a7bafbeef243d71304e18bed66ef6856204f0aa0e2b15153f66b6eab88441e9eeab5b9c14f729

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
1d3da94cb0f05458062b01b10884846c

SHA1
a95e82828a9822bb5db732ceb908734ace6b489a

SHA256
170f1ebb3eddffad3b540b77994695f2da631f98c3a4fdb1b7464f4751014a0f

SHA512
480cddc083c9d137bcb1184764aa2c8157ab8dd9b0da217af6d39b6cae1ff8c1cbffaa649d9ce065a1e6251542d5f8a5e7ba1cc3ec5558b45b34408653765eb9

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
b9744d099b3464ec2d9ea0a54a23ebe0

SHA1
b791cfa77895f5f5dd0eb4b5c630e501496c4f74

SHA256
ec52720b08eba37b75ce4266d4ef0e9d3491ab5cad670709698a34292bf3bd65

SHA512
254877abc1a4bf8ed88dbb5dac41e8c178cb39c864d1b4fec7d4a03fa8ebc0e8e618bdb3e1e7c87a9e5404e732fee27ff3a91b0b6b9216fcc47afe5575602dfc

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
c20a65de34fb90bb6a833d3b0ad7e645

SHA1
50b0b85bafd0347e8f870adae0f50d5cae128331

SHA256
ef21b51255ae65753fc4e05d93fd05be4769948ca999d93d323af83440a18382

SHA512
2800ed38709b1b189779b68a2b5654397781be08e96823ab29e0e58e7768a65a6f472b25b959cb32c7a9dd001a71becab09806c4f3acd31fc7bdfbc177557f02

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
88c3d72d7d823c94c0f668787628a3cc

SHA1
f8495111feea8f4101c3666654a20530d161e0a7

SHA256
ccb06942d5cf3696ba1cddba29b8d9d2372c3f82d06c372b6c005f6c9d742a73

SHA512
8c7c36c227e057ec68617d419f49c593a325d1da31dfbd376a1d25d48f5842ac5ba5eca39f4114dfafea028be55184b94a82d29c539bda16d778888623608231

Download Submit
memory/244-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/244-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads