berbew | 6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8c

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
Size

97KB
MD5

c9462c074ff5db46f9d37347dfd7c9c0
SHA1

599f81cea962ff1eea611dfafb5f6c4d60be3986
SHA256

6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8c
SHA512

2668da66db10cdcd6823064d2156c509da93c7e164c766d59c0663d8ab1d85a0660bcccd4fc4198467db6d879234e1686c201a06ef88b0dbee152d4ae6dc6b29
SSDEEP

1536:oZJjT4LgC299M8Iw6gNjCXrs4Ho1PCJM0pFhakXkbh2M0psDvJXeYZ+:onT48w82gNjFAMosDJXeK+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
2012	Caebma32.exe
4920	Chokikeb.exe
3512	Cfbkeh32.exe
1712	Cmlcbbcj.exe
1580	Chagok32.exe
764	Cjpckf32.exe
4628	Cmnpgb32.exe
2484	Cdhhdlid.exe
2724	Cffdpghg.exe
5012	Cnnlaehj.exe
2708	Cegdnopg.exe
3304	Dfiafg32.exe
3272	Dopigd32.exe
1084	Danecp32.exe
368	Dhhnpjmh.exe
3840	Dmefhako.exe
4456	Delnin32.exe
4396	Dkifae32.exe
1496	Dmgbnq32.exe
4428	Daconoae.exe
3968	Ddakjkqi.exe
2824	Dhmgki32.exe
3624	Dfpgffpm.exe
3936	Dmjocp32.exe
5100	Daekdooc.exe
2768	Dddhpjof.exe
2024	Dknpmdfc.exe
4644	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5016	4644	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2012	4736	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe	83
PID 4736 wrote to memory of 2012	4736	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe	83
PID 4736 wrote to memory of 2012	4736	6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe	83
PID 2012 wrote to memory of 4920	2012	Caebma32.exe	84
PID 2012 wrote to memory of 4920	2012	Caebma32.exe	84
PID 2012 wrote to memory of 4920	2012	Caebma32.exe	84
PID 4920 wrote to memory of 3512	4920	Chokikeb.exe	85
PID 4920 wrote to memory of 3512	4920	Chokikeb.exe	85
PID 4920 wrote to memory of 3512	4920	Chokikeb.exe	85
PID 3512 wrote to memory of 1712	3512	Cfbkeh32.exe	86
PID 3512 wrote to memory of 1712	3512	Cfbkeh32.exe	86
PID 3512 wrote to memory of 1712	3512	Cfbkeh32.exe	86
PID 1712 wrote to memory of 1580	1712	Cmlcbbcj.exe	87
PID 1712 wrote to memory of 1580	1712	Cmlcbbcj.exe	87
PID 1712 wrote to memory of 1580	1712	Cmlcbbcj.exe	87
PID 1580 wrote to memory of 764	1580	Chagok32.exe	88
PID 1580 wrote to memory of 764	1580	Chagok32.exe	88
PID 1580 wrote to memory of 764	1580	Chagok32.exe	88
PID 764 wrote to memory of 4628	764	Cjpckf32.exe	89
PID 764 wrote to memory of 4628	764	Cjpckf32.exe	89
PID 764 wrote to memory of 4628	764	Cjpckf32.exe	89
PID 4628 wrote to memory of 2484	4628	Cmnpgb32.exe	90
PID 4628 wrote to memory of 2484	4628	Cmnpgb32.exe	90
PID 4628 wrote to memory of 2484	4628	Cmnpgb32.exe	90
PID 2484 wrote to memory of 2724	2484	Cdhhdlid.exe	91
PID 2484 wrote to memory of 2724	2484	Cdhhdlid.exe	91
PID 2484 wrote to memory of 2724	2484	Cdhhdlid.exe	91
PID 2724 wrote to memory of 5012	2724	Cffdpghg.exe	92
PID 2724 wrote to memory of 5012	2724	Cffdpghg.exe	92
PID 2724 wrote to memory of 5012	2724	Cffdpghg.exe	92
PID 5012 wrote to memory of 2708	5012	Cnnlaehj.exe	93
PID 5012 wrote to memory of 2708	5012	Cnnlaehj.exe	93
PID 5012 wrote to memory of 2708	5012	Cnnlaehj.exe	93
PID 2708 wrote to memory of 3304	2708	Cegdnopg.exe	94
PID 2708 wrote to memory of 3304	2708	Cegdnopg.exe	94
PID 2708 wrote to memory of 3304	2708	Cegdnopg.exe	94
PID 3304 wrote to memory of 3272	3304	Dfiafg32.exe	95
PID 3304 wrote to memory of 3272	3304	Dfiafg32.exe	95
PID 3304 wrote to memory of 3272	3304	Dfiafg32.exe	95
PID 3272 wrote to memory of 1084	3272	Dopigd32.exe	96
PID 3272 wrote to memory of 1084	3272	Dopigd32.exe	96
PID 3272 wrote to memory of 1084	3272	Dopigd32.exe	96
PID 1084 wrote to memory of 368	1084	Danecp32.exe	97
PID 1084 wrote to memory of 368	1084	Danecp32.exe	97
PID 1084 wrote to memory of 368	1084	Danecp32.exe	97
PID 368 wrote to memory of 3840	368	Dhhnpjmh.exe	98
PID 368 wrote to memory of 3840	368	Dhhnpjmh.exe	98
PID 368 wrote to memory of 3840	368	Dhhnpjmh.exe	98
PID 3840 wrote to memory of 4456	3840	Dmefhako.exe	99
PID 3840 wrote to memory of 4456	3840	Dmefhako.exe	99
PID 3840 wrote to memory of 4456	3840	Dmefhako.exe	99
PID 4456 wrote to memory of 4396	4456	Delnin32.exe	100
PID 4456 wrote to memory of 4396	4456	Delnin32.exe	100
PID 4456 wrote to memory of 4396	4456	Delnin32.exe	100
PID 4396 wrote to memory of 1496	4396	Dkifae32.exe	101
PID 4396 wrote to memory of 1496	4396	Dkifae32.exe	101
PID 4396 wrote to memory of 1496	4396	Dkifae32.exe	101
PID 1496 wrote to memory of 4428	1496	Dmgbnq32.exe	102
PID 1496 wrote to memory of 4428	1496	Dmgbnq32.exe	102
PID 1496 wrote to memory of 4428	1496	Dmgbnq32.exe	102
PID 4428 wrote to memory of 3968	4428	Daconoae.exe	103
PID 4428 wrote to memory of 3968	4428	Daconoae.exe	103
PID 4428 wrote to memory of 3968	4428	Daconoae.exe	103
PID 3968 wrote to memory of 2824	3968	Ddakjkqi.exe	104

C:\Users\Admin\AppData\Local\Temp\6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe
"C:\Users\Admin\AppData\Local\Temp\6b9da768366ef822186ca5ceca866439742186415491b081e91a110c806d3d8cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\Caebma32.exe
  C:\Windows\system32\Caebma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\Chokikeb.exe
    C:\Windows\system32\Chokikeb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\Cfbkeh32.exe
      C:\Windows\system32\Cfbkeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 416
        30⤵
        Program crash
        
        PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4644 -ip 4644
1⤵
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
97KB

MD5
63c0333b5db576bed4a3b9e0386d6e73

SHA1
dabae332cb20c783285e67955abb9dd83fcf217a

SHA256
833cf8daa24f503632a8dddf21a06ac97ef1655c59d329f192e90ff322725da1

SHA512
c8da600c7015830f7e4f40f53ba5ea3dc7ad76487005795892a45cc8d3bb4091a745343af00e9842bae84fb5b2072f13dfecb9c7a21f39b0ddbc679a825aff37

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
97KB

MD5
fa87fd581414c80df3b7e23ee6ffd1ad

SHA1
4252175dae5af416b4c5c1bcb0c2926e94b609d4

SHA256
d10fdec7503aef8ebeef056bb076fc2589403d950f707369d25ec9f18d6cb0fd

SHA512
517ce7a71e39f233e209fc34bb156d4d01274598ed8958c609bf0f8109afb1a80d434ace7a2c37b5d0dfc950e7016e19c0e05b6d0059d4d5e98fde7e34b253f7

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
97KB

MD5
20269c32eb9721ebb86e8c2bad5398c2

SHA1
2f5d29f60090d1c1091b75f8c1791391074b367e

SHA256
123a3fe8491dd0025bc941347e0dfa10329a3025e9b87b4def273dec756ebe04

SHA512
fd5b60ac644100e045050709841eac9469d48b0b9192e1b27b22e474e40fd496d8c0a740b2cebf54dc0bf2dceb87d76f0128b2e0ad0dc4b8f193777918fe731f

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
97KB

MD5
d7f7fdd8ea0c3c77091ab8bb2c5770ab

SHA1
776469a078a4e07efb3b0237a97e13ee8333c664

SHA256
339987a477693f78d4474e486b6f46fb2da2fae41b1cd1cf01ecb81bae5c8406

SHA512
93e3b02b8ddabc4fae9c144e490e14addcd1991c144da1c84319f12c520c2bfa61facdeae13a3dd36f66359841cf3586a9195a695c9988c163c9cdb800c0b240

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
97KB

MD5
ce049e24bb6410712e775eb1c2c68d6c

SHA1
31bab8053a14e05bfdb8bbb15e28e54816517456

SHA256
e4ae362c73a6860f975f740a33f4f9de368df39fee6e31c9c953f49a15a07070

SHA512
62632bb235c2efdbdd5cd12066a50236a11cf89216f80a1ea8932b2864709f4ef5def4248b66007365a9dbaa2d10038df20b48e160b41201a019751a46c9b793

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
97KB

MD5
41bf1458022c6c5fd56d8fc013804402

SHA1
650611dd5522e68faf426fa0db4ea9108347757d

SHA256
918fed3d88a35db94fb7bd95d899f42c3cb82050f58c00e0124e6e05141531bf

SHA512
c3ca38e2249246a017dedcfe8507355b2eee56d0b340a34e8e0b2bdf078e190a72cae723fc03ac0695c806ff007f1ca933576d0a2bba6e86528e20ae5a07f8e3

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
97KB

MD5
70da9e50dc9e3698f406df1f595e1d4b

SHA1
0bf59da912d23776a5da29a6e74eb765391df1ab

SHA256
623cddf7444555846424ff42aa5643fba2301918479ae3b807e1b355dde0cf27

SHA512
85d973528a81d627fcbf95fac43f2026f72442acf60134c9fd63ea50a6e6195e482c436f30060d12680ffe815a13c97d67fde0fec4ee56e4cb8a0f336d3cd387

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
97KB

MD5
da8c7d2a5d0b96650f70eb7f4524db43

SHA1
64f297a37573eeebd3772028aa5a8def0fdb3d8f

SHA256
a0da951ec3a6fc641921d0d26c6b3f6e2fae6bbd249c5ee0bbb0dc4af4322616

SHA512
f702ec3999d7f68c3bf5acd56ef1c1bde82268786cdb7e87e477564494cec2cae242d4d43a5963a6ec35b716af4861d74a36cc9a8d049f2e469eda8ca2a8cb03

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
97KB

MD5
f5649428b62a8cbf08b558da6cdd24cf

SHA1
582dc5e9d84314499ad2ac08938daf8dd7ccbb41

SHA256
267b11e450f373dd3ab49fdf0d9dffd53b63492337700c5d57aad2a64db0f3b8

SHA512
5a923f4d206ea0d5c212651bf597e06303e03b5086d647e50ee1b66beee8343f21c52e52ced07318916309e8dbeaa673c899fd3387252e394984f1b65afad655

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
97KB

MD5
2a6c9fb49fac5e2569a845333ab6413a

SHA1
a025c319e75682b24eeb47d33e4530a2c5c0c895

SHA256
a50cbd360d094715538e37449ade8e0a3b8cf10dbab4e0656ed38afc383a0775

SHA512
29fd8be06eb6be764cbfdcd77909af0b64b5fe73607764b96313d998fc4d7a24d642dae616eed381f1f61e5c6db788110df26e7f8d57eacaf0cd7aed1fda89ed

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
97KB

MD5
40940ca0d8607d4d9ec4b499a62fed7f

SHA1
183f0b73c89d6d24b3338694ea567b0ea80b9dfa

SHA256
f5550240d9493eeffb89e947d48af85606c6f25a948a94af4c9c80225cc757b9

SHA512
d224a893ef2bb78e76ec9b1918290e0d6f1547f7e8668d61a7f4b530517ca957f07f318e5085a4e6bc8617b782333b8d870c71cfc487f1a2fef91650dea1d6dd

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
97KB

MD5
13e51c03f86824a4414e1713457bf853

SHA1
176a703ead86461f2e606daf7037e07f08f386c2

SHA256
56bdb0b1a9af7338aaf90ff2f677541a2a258961c030c0942509e9d87b237d85

SHA512
219289ae0238b01473410122a40fa35a82d72def63f08e166fd2ad213ac60e03ce08d7202e22edfe02850745095b36636210c146d3449869ca17c1486ad824ac

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
97KB

MD5
9200750f901acdc5e179871c6b7a4efb

SHA1
2ccd5c087fdbf622af78af4ac854c2ce182ca2d2

SHA256
8081e99d3fee0707678b2633b5aedf829aaf796d143b069e554467d401bd95a1

SHA512
83f70bdbeb8c083b7cbb871ca4679aaab64049ca0d86becf3b3b5b7ef33a08b440ce8adff8351ea0d60895402e2ca40deae6e31f7ec2be4c006f9526c73b95cc

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
97KB

MD5
55cc5bae70ae169345b2f28bf5ce4015

SHA1
caf68a3759686cd8feef86354138d84ad446c1cd

SHA256
17488bf6cabff07df909c2d0e6444f4e8919d420519bf528b6fc4205edf58352

SHA512
a80f15c8238a18b2f952fc34471826c18d0d435e5cf6d78fe837bca0229f6422d54ce836e74a2c79598aaaa623f32a1a6974302db2e57c93272a64a99b5953b0

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
97KB

MD5
d262133d54e5d2b162bb231eb84a6d36

SHA1
2719622d5556bbfe90692c639e9ccb393a06902a

SHA256
17c4d9c15b5609ed3d7a12fddfd0f1479efbd12f1ef20333b45984cacaaf7695

SHA512
32634a8f14232944eb274952e77c5016ca5c62c0f76182264a75e7a1294022abee5f5a18c23bd649819fa83541b25328eea0beef6597542825b62c6295713cdb

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
97KB

MD5
6d141fb05aea38e7465010bdf384c226

SHA1
f07499d156d6188901ca2458a9d42c1c1e235f9b

SHA256
9b9785c9a1d9ccd935d29d45c22787fef1143b23befd52a8c593796ca26aad0f

SHA512
5594252d4409fe991b3979c088bcdc06bd8ec64a232a028ded7bcb757bb800c1901de283f6f872b24e7fd0ba61ac436c42728af814f36c6f76d03ce88b0e59d1

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
97KB

MD5
99a6ee0e8eed5616578aa75903ffda79

SHA1
148368a9dfa6d5f0fdc52d897c5d244ccb1f9593

SHA256
ab6aebbb9dd6feff455e3552e44ee853116eacad2a891d8a7908e5f1f61001be

SHA512
74adc1fb2ab8f5d38c9988d2bce6a1ce09d266e85e7a84cc6db097a7f40a316e60ec0ba29ee6f5e39a937a41038b7b878ad9106f7dee27e9a7893cd54ef5edf3

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
97KB

MD5
b73652de4c92ff70031cf489f2540379

SHA1
2b04931d99afffa437289b161f033e50bcc081a3

SHA256
b360ccc91b09c7442ab3af4bed6355a52e164c7d5db0b4fb8306a461647eae79

SHA512
b81e1add739438e9dafe21593792876dbc6c434ea23e4eae3e8f44988017bbd89bae3cc184369301eae26c0315cc9d135751d7a7bcd12e26613d1343e50795c7

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
97KB

MD5
3d3e9e9fbdd76d1b25cbe8507dc4bfe6

SHA1
6d9bf9fd9212e6c50fa2f137cbde157a9268d3d9

SHA256
f7f874e90f65c2c7e1c71e6f012c160e6c846f700c7146fd85c204619e366b13

SHA512
88d9adc69808d1a224b73d03886a061e46f3bc4852e4d7bfa8b0e5bc313cbdcc69431b36197be3dcdf51263177fa4601f8933300280514c1251ef2bbb6fe0e6c

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
97KB

MD5
9eb763afd84fe6950f104968bc2c96cc

SHA1
5ef2544d6563dc2c76354627c1802738b3defe7e

SHA256
91348108ff6399fc2f3cbda8ecbb79b1a1ac63ffb41ebd372c2d2f81dd1fe94c

SHA512
7c3ce39596f457c97e40daaaf4b33a6acda26e106ee6c975e31f756def66d256dde10938015602d1ef20032b2aac8c100f2f21b7d2b5bc8d5144e509bd4868f7

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
97KB

MD5
c11e82c895f3aeeb0789b44f857b3da4

SHA1
3960a37352e38eb1227dd2889df0897855c31691

SHA256
384572547149a039bb0061b9ac85192546926f16837a40288bb503a8e0124c88

SHA512
8b36a5a08acccfbfa435a1d9660b12a5a139eeec1ae3a897535046950b24215bb9aa75704c5da6e247ad7c666979286d4b2ba90a6a0825ab0b37893501db199a

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
97KB

MD5
0fa528caedbb5b4dc90a154f6206922a

SHA1
5ea274aa6f4044d993e3b4c03edd853a1340c765

SHA256
096a9bb4de7b3e444ad0391efb2b0caa9bb09874fde2c42b5a4b44d7a190c6d4

SHA512
ead4ecb34afdca68c7703fa6aa6b81cde6b8832f3970d06edd0ea7cd4727f3f1f73e9e22a699c4d34d1dcdbeceb673dfbbc5c221017c02ed99165c6b1abd152d

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
97KB

MD5
4e046e9f273be88a5006b524ceb91b67

SHA1
6f61b0d98d06f1282831058bfca54ec753166e6d

SHA256
4a4d41e77a100c5883a83cf21faa56f190166fb3d407f905213c7d46cd891bf5

SHA512
347ad781a05bdf41327d66db8484fe8d5c00db39a3014253c02997c3d9baf946ef9e7336210e42680e12e53f22835ae4486a06c63293c6c5a66ea65da058a423

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
97KB

MD5
bd8cbe6e2c0d295b85880475ece0cdc2

SHA1
902a68cb75e8b141e229985021b52d677f8fe651

SHA256
875f8ddf96ab8d3e6550248851da4a1ee86a43565240704cdcdd530e4955ede7

SHA512
be5e5c5109f263b887a68227f7b122b12b41fcd7280663c554d976854a4c807f79ee0081591bd4baaf79ef408858681a365c061ddb47d51c5425ce8513ef2142

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
97KB

MD5
e571860dfc84b50fa083a77f39407398

SHA1
584a8c44ae2453e38020ae4156935a6329d4147d

SHA256
110ab9ed4369346ff80c6ecc700eb64fded3410bb3eb1d2724a2885c66e29ab8

SHA512
a7f39654e621a5b065c6e0cb44ab26a8409789c24c6bef391dee96199a63f17c8be5ee548fb0cfa4b28f0e2648bb36a86c555e8102a97f3b63b116aed092d92c

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
97KB

MD5
391b614ff9e96a284945c6b77c49b332

SHA1
2a7c421b84b542dc3e2fdae0ed7b00e0bb779e5d

SHA256
371e745c83365d9ed47cc2cb2ed603672200aaed8c6a922434deaf0d0ef45f02

SHA512
5d97320417c02bfbb5a19c112fb89fceb95b964be1a86300892d41efd3fde384c28b3a6f08ceb708f4bc898ea270c00d30b7fed841066600db6b124b8ca92d50

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
97KB

MD5
d3df1c534ff745d4a0c2e7346da6d13a

SHA1
6da29d726dc3db81179e6f9e8fbd30b68253153c

SHA256
3a975b45517610406361a52281e713915b2098fd9f8cbb8439fdf60ff227d1ad

SHA512
946982dbd3a81c25d369fa0adbd8f4dfbcd8ecae1f578cb55f94a8af6668298b4c6d644c64268374f0aab775971921f83091da8341f8e061809706a464a61a94

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
97KB

MD5
28a262f1d3770cabe036a0e35e4215b1

SHA1
78d3c7890f13ab2f41a44b80255bf01f51199164

SHA256
b9bf5dc11e885640ff37d967e0e29534e623da907347c4519938653f2cfbb35e

SHA512
5c9aa03e361d79cb1632a5acc14c0d9c0994deb96bfab83587b81f365862d2d977234bb2e694be70b2ab3467dd7a52809b0205a8b9678a87877912faca63492a

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
97KB

MD5
c2971abf6f2f339549413aa62358a2a6

SHA1
5736ab0c22ebe2e86eaeaf835c90fa208d19e105

SHA256
61f0e04defe8e64592bec3d8b9ae8ca70bd1285e715f9dd2935864c985bc929b

SHA512
5c8ba387d9102ccf77a43755911e8ba4cdbaaefa40bda8844b1f5d64ac82421ba2f01fc9ba39f7b86174e1cc85fd4e6316d3c7eddd12b2934dea1b56b35075ef

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
97KB

MD5
88d234777e6b42581289eba8a6171c97

SHA1
5347f70740054987d3490399e83d3b8f6a3d50c2

SHA256
5873ee510e7e814a8154de9b658cf75082131950705b104ec02f663b9361fc24

SHA512
72f0f2eff9d6e4e17d4e483ed7a84646b746b73de6331a521eec247199f2232bb97d44349a43a1992d4df845120fd59bd350ee850a44922878f2ea074b0338b3

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
97KB

MD5
1a52724547b5a7401716f36580108b08

SHA1
c559a78064db920658536839ea40b227eaf37a42

SHA256
72539e5fa920b991b502bcb21e93c542c78ed2aa59b2855945d1d2374fb73b3c

SHA512
0034438d2f795c47832aa39598550b15e2ee4a1e0edd0f6ea68c03132d158ed5a9a9e3c0829e6f0dbbeb87747378232765e306c160e075a4cbcb12f2b438467b

Download Submit
C:\Windows\SysWOW64\Qlgene32.dll

Filesize
7KB

MD5
1533a973dc74d1cc58154a1d333309ea

SHA1
cbf5ba043bf4eb4f3fdf5f37c1f3b94d74606ecc

SHA256
34650a88707d0b0ab0702365f86e417307b6262e999c7ce037bac805425ddaef

SHA512
52a4f12267ae33c2010f7b372c4bdc9450f7ed5c59600ad12fae6e4bb551191d1624e3a77b8fe82280f82b94b59b4d8583e6af410d399c3b22c635dec8539b47

Download Submit
memory/368-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads