berbew | 837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
Size

552KB
MD5

afce6c41682405d55f09665e7a83d555
SHA1

e0420a0e4951927618cb5e33360cad8d3ed69af9
SHA256

837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0
SHA512

59545fa35e56da4c7968a33c3e6dd277d923bb3ff080112499193bc182d8fe0107c7110c96c6d574250aa447ea716a2e062038e4353d5857320d30e637fb3d84
SSDEEP

6144:7UJr8lyLUy2Ly08SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqX:7UJrVLPuz87g7/VycgE81lgxaa8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
2984	Cmgjgcgo.exe
4912	Chmndlge.exe
3520	Cnffqf32.exe
3432	Caebma32.exe
1176	Ceqnmpfo.exe
2760	Chokikeb.exe
2148	Cdfkolkf.exe
4552	Cfdhkhjj.exe
4720	Cmnpgb32.exe
4344	Ceehho32.exe
4084	Cffdpghg.exe
1492	Cmqmma32.exe
2948	Dhfajjoj.exe
1804	Djdmffnn.exe
1060	Dopigd32.exe
4804	Ddmaok32.exe
3408	Djgjlelk.exe
3708	Dmefhako.exe
1864	Ddonekbl.exe
1688	Dodbbdbb.exe
4508	Daconoae.exe
4400	Ddakjkqi.exe
4448	Dhmgki32.exe
64	Dfpgffpm.exe
3368	Dkkcge32.exe
4432	Dmjocp32.exe
2060	Dhocqigp.exe
2792	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3404	2792	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2984	1100	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe	82
PID 1100 wrote to memory of 2984	1100	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe	82
PID 1100 wrote to memory of 2984	1100	837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe	82
PID 2984 wrote to memory of 4912	2984	Cmgjgcgo.exe	83
PID 2984 wrote to memory of 4912	2984	Cmgjgcgo.exe	83
PID 2984 wrote to memory of 4912	2984	Cmgjgcgo.exe	83
PID 4912 wrote to memory of 3520	4912	Chmndlge.exe	84
PID 4912 wrote to memory of 3520	4912	Chmndlge.exe	84
PID 4912 wrote to memory of 3520	4912	Chmndlge.exe	84
PID 3520 wrote to memory of 3432	3520	Cnffqf32.exe	85
PID 3520 wrote to memory of 3432	3520	Cnffqf32.exe	85
PID 3520 wrote to memory of 3432	3520	Cnffqf32.exe	85
PID 3432 wrote to memory of 1176	3432	Caebma32.exe	86
PID 3432 wrote to memory of 1176	3432	Caebma32.exe	86
PID 3432 wrote to memory of 1176	3432	Caebma32.exe	86
PID 1176 wrote to memory of 2760	1176	Ceqnmpfo.exe	87
PID 1176 wrote to memory of 2760	1176	Ceqnmpfo.exe	87
PID 1176 wrote to memory of 2760	1176	Ceqnmpfo.exe	87
PID 2760 wrote to memory of 2148	2760	Chokikeb.exe	88
PID 2760 wrote to memory of 2148	2760	Chokikeb.exe	88
PID 2760 wrote to memory of 2148	2760	Chokikeb.exe	88
PID 2148 wrote to memory of 4552	2148	Cdfkolkf.exe	89
PID 2148 wrote to memory of 4552	2148	Cdfkolkf.exe	89
PID 2148 wrote to memory of 4552	2148	Cdfkolkf.exe	89
PID 4552 wrote to memory of 4720	4552	Cfdhkhjj.exe	90
PID 4552 wrote to memory of 4720	4552	Cfdhkhjj.exe	90
PID 4552 wrote to memory of 4720	4552	Cfdhkhjj.exe	90
PID 4720 wrote to memory of 4344	4720	Cmnpgb32.exe	91
PID 4720 wrote to memory of 4344	4720	Cmnpgb32.exe	91
PID 4720 wrote to memory of 4344	4720	Cmnpgb32.exe	91
PID 4344 wrote to memory of 4084	4344	Ceehho32.exe	92
PID 4344 wrote to memory of 4084	4344	Ceehho32.exe	92
PID 4344 wrote to memory of 4084	4344	Ceehho32.exe	92
PID 4084 wrote to memory of 1492	4084	Cffdpghg.exe	93
PID 4084 wrote to memory of 1492	4084	Cffdpghg.exe	93
PID 4084 wrote to memory of 1492	4084	Cffdpghg.exe	93
PID 1492 wrote to memory of 2948	1492	Cmqmma32.exe	94
PID 1492 wrote to memory of 2948	1492	Cmqmma32.exe	94
PID 1492 wrote to memory of 2948	1492	Cmqmma32.exe	94
PID 2948 wrote to memory of 1804	2948	Dhfajjoj.exe	95
PID 2948 wrote to memory of 1804	2948	Dhfajjoj.exe	95
PID 2948 wrote to memory of 1804	2948	Dhfajjoj.exe	95
PID 1804 wrote to memory of 1060	1804	Djdmffnn.exe	96
PID 1804 wrote to memory of 1060	1804	Djdmffnn.exe	96
PID 1804 wrote to memory of 1060	1804	Djdmffnn.exe	96
PID 1060 wrote to memory of 4804	1060	Dopigd32.exe	97
PID 1060 wrote to memory of 4804	1060	Dopigd32.exe	97
PID 1060 wrote to memory of 4804	1060	Dopigd32.exe	97
PID 4804 wrote to memory of 3408	4804	Ddmaok32.exe	98
PID 4804 wrote to memory of 3408	4804	Ddmaok32.exe	98
PID 4804 wrote to memory of 3408	4804	Ddmaok32.exe	98
PID 3408 wrote to memory of 3708	3408	Djgjlelk.exe	99
PID 3408 wrote to memory of 3708	3408	Djgjlelk.exe	99
PID 3408 wrote to memory of 3708	3408	Djgjlelk.exe	99
PID 3708 wrote to memory of 1864	3708	Dmefhako.exe	100
PID 3708 wrote to memory of 1864	3708	Dmefhako.exe	100
PID 3708 wrote to memory of 1864	3708	Dmefhako.exe	100
PID 1864 wrote to memory of 1688	1864	Ddonekbl.exe	101
PID 1864 wrote to memory of 1688	1864	Ddonekbl.exe	101
PID 1864 wrote to memory of 1688	1864	Ddonekbl.exe	101
PID 1688 wrote to memory of 4508	1688	Dodbbdbb.exe	102
PID 1688 wrote to memory of 4508	1688	Dodbbdbb.exe	102
PID 1688 wrote to memory of 4508	1688	Dodbbdbb.exe	102
PID 4508 wrote to memory of 4400	4508	Daconoae.exe	103

C:\Users\Admin\AppData\Local\Temp\837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe
"C:\Users\Admin\AppData\Local\Temp\837a53fbc0e4fe38873deb1d6303d2e673aa2a8e5edf38c2d8c99398fbddfca0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\Cmgjgcgo.exe
  C:\Windows\system32\Cmgjgcgo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\Chmndlge.exe
    C:\Windows\system32\Chmndlge.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SysWOW64\Cnffqf32.exe
      C:\Windows\system32\Cnffqf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 412
        30⤵
        Program crash
        
        PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2792 -ip 2792
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
552KB

MD5
f892ca50c2b1bbd28dffd8c0dc668c34

SHA1
f7bdae71f4bb2eaf53bd5a5a35ec8df1e44134ca

SHA256
dd263ffea8bdcb850c56c98878ba0c98332bf886ef87b53aaf792a06d6f14d94

SHA512
0470a79c7f58a459b2bad9f007a02d79999869b4240c9e03e68ff468be95ed2d6ac97017c2b0177e61866210228870da54c13c88513ae25117e74db427b8584c

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
552KB

MD5
20089a96adba220acea90ebe563b5b32

SHA1
48748a556ea3383115842b0b3d85adf44634af22

SHA256
221b532ce5287f9e1aea69a3562cc37f40e8b7fb90e951491709a59ed5d67e72

SHA512
f8bab16d615c6d69b930053c640c98b5c371c6c29322e3a5bd7cf3cf39e8208ffe57771bd2c57dca4a29e2acda8eb64302772dea4dd4ef00e4b7373a2b676111

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
552KB

MD5
0ca2685805338eff753b28d822be4477

SHA1
85d1a019cc74145f491ebb64efa55f7ff781f35a

SHA256
5eb3aad5e6fa49aa71ee1ac36333697945cb8ac0a2b058d73c5360e8505cc478

SHA512
73a822b4fff19ff8e64d4d5012a2afcb97f7088d0eea50f7c46328dbbd3dcc4b2f8c4fda720feea401285ce92103fa8a17f92d98c61b3ac1434a61809a724d94

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
552KB

MD5
b0b1630f9c17c8312886123b701983b8

SHA1
9be9d232165b25aed1b19c26f1eccef09a78a3f2

SHA256
a3510e34ad75798612da8e4eb4fec4347b9e273d2ec5bed191f3b2cc27a463cc

SHA512
165a0d7b3bd239c0b735ccf1c49f546af13abde018eaa7d9857ecde8d1b534d3a1ca644e426d8bd5a6d3855f956e5d9de4bdf76160370da3aeec4ca5c64de732

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
552KB

MD5
9d7b27d00b3f853b0110fe400e9f7c2a

SHA1
a4367152e8945e72ab2672e878802ec10f5eb17b

SHA256
0342623e04040a0b23ae9b6709d2bc3a8cdc31cf7e943c9dfbbb2371a4633171

SHA512
cf3804c25bd57dd1c029004f394a2439f0c45287700c1897dae07289bdeb9c340749487d8426d4a048c5177a6d926c0b753cf2f9e5e889744f929018ed9c468f

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
552KB

MD5
78361b3aea891917c090b4199b692116

SHA1
85d5c49e3d17fcb9f039d0d5796ecafb42661c66

SHA256
455f197f4c6464f7bddb39f1d9fffe897689183cadbc63106f2fc1facce0c71b

SHA512
bf82ff3a4385eb8b2195737b3c6a9f4efe095efbf05e8a71732faa34dd4ca18bf2c63bee603d6888dcad8e82f27185cbf5614243207801c5525bafdd9f95dff2

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
552KB

MD5
7dbf0dd1ee0b4b35f09f3fbdc6ea72d7

SHA1
70314085845f80cd4f25d7375b1d752e4ad2255f

SHA256
7e6e94ee171d24f93e26b289630396507878cb7a8b7f12a107b325a42841ef2a

SHA512
32ab94101c5eb4c4c3499034b704c77ea7b300c5826c67d9e03efe9310f15e3e899d2f547351cf6e1ccf64f2b2c859416e94ac33e4ca419634a736aaa0e1617d

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
552KB

MD5
2b6748246497294cb28c0fb35e40b571

SHA1
74a71df75b6fc53314e0144bab8c4bad0258937a

SHA256
9f642a88d22d2706d65d90c10c839cc519c5748b5d48b5281e391ddd8b72e47c

SHA512
072501865e3f51256d26b63f57bf88806e7a1b237b7ddf9922080e7483d1ef7fdcc6b484366e2547b9abd4670fa9755f2c0dc3cd3cf7304ae1b09b7a26718c83

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
552KB

MD5
b62d033d5706335a41dbd95d7db617c7

SHA1
4f9648f1505bb4e033e8548363ec679492a41b93

SHA256
d10ae4d56a65d653a936fc919d683092835b02efa6de37418dd6f2c0b97f213c

SHA512
60868216ff073e4e5dfb71f78305f8759c17ba7cd1ac3dbe6a3a6b1f609a5325f6fd3fd0b68a4bc14e42918fdde91c8d9e4cedf954527517c3ad99de1acdc38d

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
552KB

MD5
ca5b83cd1964e6de00149e756ba8d590

SHA1
b9af77441a0285e4306ceb4486ab6f779fa17bd4

SHA256
67979403940c2f805e74ac1b3a77e693e159e233e079f229dfbf5a5284b79f70

SHA512
d248b1881d04adb79572fe1477cc5f949620ad56c12c79565bd07a2661719e3f552c2e051dffdf546d051adb6b6ab7cdf9e3c0bdba150fa0b09b3be6f90e53fa

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
552KB

MD5
5c9831da904e01f1068b85c0f7c65a26

SHA1
2215a1074575cfea08e09eb39b12a23403bf4c75

SHA256
7f5ff0113ac43dbee77b1eb37f138e2f991b861208af5e2309449e26d69751e7

SHA512
083e07f0c68a6befeb4befe407f0dfe3564b4f55131c1d315ded428667817e435a0eda8c767d7b9b0b8db415f0aec8df8a6664dd949f1961ecebe21fa0bd5768

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
552KB

MD5
b82a287de01b5d451ff2301b45c4ad20

SHA1
58e7fed6ac2ee6112f88596b9658d9afc3ee2d88

SHA256
eb12286d691ef37516c57092b692a608016446e46f77dc9c44dbee29fd9199bd

SHA512
368316d0fadb50cbb529bd530e7ab82b620898ed57419512040f5e2d7cb5957ab6a4f23a4e3472c2b0b7b7284685e5e076ac13ea2b52b47ebb1c4b851deb304c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
552KB

MD5
1f77c05307c5a64ada0fdea60835f169

SHA1
de2e13f6d42d1f4e77366efedc3d97330ebf9020

SHA256
fded2f0c06ae5d111e08faadf86a69a8e4520896e1432a9fac77e7247a0d180c

SHA512
d980ea8585100b9567526c8b49214ea0339eff727121d2a201f8c47d2c063549a62fc26ae8567286421608dbc1e22f4e380ee0f4a5f42aabf5df1966abd7571b

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
552KB

MD5
cdc473f692b066d25c09fdb69af56e40

SHA1
632ac54bb1dcef4ab1466b59dc90fa370ed8bb69

SHA256
acd6d76801c89e8f135df473019326e45b18e7c9f201dd2b502041527e91918d

SHA512
633c370d25992f7da5669f32e24cdf23a2f74d795e478b370f3819f12890eef8b168474e8d14d11fbccb4288c69a7b18037c0fd6e1ea5e13fab9f252e4053ba0

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
552KB

MD5
5e6de0adde20b4f30f0d5962c1aa861b

SHA1
3f38a469548b54b3d0fb0f00fb6a48cb24957f68

SHA256
c065c3c5980e149cf6919e613247ef51d5eb5f3a800d00ea8120e9c78a0dcce2

SHA512
0a789801a8c6c4c786e9b09d1a8e923346101d59a574b7a06251b311aacac55e5b566746703abc065b8e911dba4f1d05bfce92188cb2664a531e1b51d66976a8

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
552KB

MD5
67775921b4280746bdf9136644187ff0

SHA1
314cdf381050f659dad5323e24695c2e666ae0a3

SHA256
713a01de71b01ef86abf3d989dccb5f01154cd2c9609da4604e52473befa6507

SHA512
e7eaebea0bd9865ef611d5407c4d19d231c358ad643ddb7aace61e57e73ef0403ef55a18c7eb6744698fb62b8e8f44a4c002715a7350d8ec1c841608356cdfc2

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
552KB

MD5
8bd30b278e4c228ea31473d84ac877bc

SHA1
624d486143dd5f330b0f8388cbfa415f2d5fa434

SHA256
218b72369e93d4c7b00ff953a0cd847624b356e5d8bdd2edb47d40a266765dad

SHA512
a79d1641efe7ccf2ed4f073fe903623e324c474e5d3cc7a86c1d892310641c9bb0266b272f3822dc6711ba26e0c092fcc995646f4d390f1c790f55a75d12a58c

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
552KB

MD5
a5d0ae80afebac91d2b419d0f46f4c38

SHA1
de0ebaa60d15653b9ddd0a7c553447b24b9af152

SHA256
4ceb11eeef174748882f97a4bc274257deb06b89e108e1e3e60221253925676a

SHA512
05dc55ea894b3715a15adbf0f5691131fd19e3352b88d2c0ab5d7b9712fdf1340f1d37bf461fde996e69942d19460bb582b944d12f033ad825a7cc016d195f5f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
552KB

MD5
0f856a6094c7f3f7b9e033c5db0771e1

SHA1
cc88277cb4ad066ba6af695e8bd66a273c77ff43

SHA256
2738df199ac4e10e8e7ba2bda098540c9c441e57fce6311fc063da2b2340607c

SHA512
0aadeef1ccf4764b8c4e4b8df6088a0535ec84775a8ef94d824afb4b8f503dd6bab158d83ea7eae6db20f1ca4f7c10f508ee85514d81517d744c4c9c4bafbdec

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
552KB

MD5
e1a20603ffb6ee1a9040114fe0ae3aa6

SHA1
96602cc8921657e193b848b1de037b0c43a4a360

SHA256
1561d7c7ae71469514b611e1491d7a8eff26f50f8ddd4fb3e2c3a6721cad7030

SHA512
fbc50c7396efa28d4c7791191350fa6e8c7ea9e37765082705aec39de059fa104c3ad97057ebeb3b31995f1d247bca41f600cb8214339e2732cc639463f9874e

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
552KB

MD5
820c1d2831e3167d0a48d5c87450cc6d

SHA1
6e780315ead541ab36ef15f83a5314c6f7be419a

SHA256
da14135f633402d6984370740152218370ae965d755fcd0cb2b2710cb1111282

SHA512
d666fd9766b45ddc33d09f4c808802c2d999fdc0ba249f825de911573e9a054f9896b3b1bcc72ba00668f31fff7e4d036dde0ebc94bcf8851724191f9a228a88

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
552KB

MD5
e5e093a07567ef0d62f716ae93944e1a

SHA1
4d896e3c70f66873a3d27f239ecd357c40edef9d

SHA256
add99b43e451cc7d3a43e9a146252b6934b58821e58c9fbff70d4dd0ee9ac264

SHA512
40738472b6980bf47625ba0ff53ec9260cddb6a7776502999c5ac610f7371da197f7277bc48a747462815e483d44b9a6a7a3f3533e9907ec53631a434922c9c9

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
552KB

MD5
dbec0ecb381c690f3f5f913980920f4a

SHA1
a5f8c3e5c7718139bd5cdfa30d42b8dea8cde60f

SHA256
0fbbc10da7cad9c5c35267c1c7a0385dd6d803a06aca13d596907c742e436fbe

SHA512
031cce62942a76d6b7516e9a7641bf202eac78c239971ebe29cdc1ff2db97d4fb719a7edee9b42f39598fc4f3da7aa3515da1ff117080d59b0062953e9f64cd3

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
552KB

MD5
8a42fa29ce837f3ba82f8a590d92b2c4

SHA1
7f4eece2fc83609c9092bc7efc787bca49387860

SHA256
45c70433432f5367d422e595f9f432a9812ec491bb1e3e35e8a9aff4a010e51e

SHA512
2d8d7927cc00fb666fbe5d29803b7f992bab474d004fa4b5499d03ed6623cdbd3aef846abb4069f34d65c8428670de92c8769b88b0e58b9b93dc77aace44a20c

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
552KB

MD5
427c3b4f8baa018f530e5a21c74859c1

SHA1
a87cc4d8240c823f463096d1238e90d6066359aa

SHA256
ef19abc6913ec11181744fceb32d8e742adccfffb87cc73a819ba9c487983ddc

SHA512
62f18f98d043eb4cb6f7eec22526627c718ce17b2ebbc6db9dd754c05a43706c7bb3ecb0a124e26f8522542d79294132614fafc7e971683b6e517df43cece3a1

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
552KB

MD5
2312001b26f812acddd6cd17d5a72f28

SHA1
b198bce1baeafbd0791dfc5cf8fe730b6723c33d

SHA256
10c4124b9be3f9a46c25f6993b38bcb30d7203d176391d545883978eec5b6cd1

SHA512
e0b035d6f9b2fee72cd89f67164c3c9102fce7e2987c5ee46536ef26b6a1a6bba94ad92ddfb3409b974148ea523291fc25e792d533736926ca15916ee27d8d8d

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
552KB

MD5
e5cd600bce330423d9fb94407f0a636b

SHA1
9cd2509a356f325231cb7a54caffac1e9a00b6b8

SHA256
3374b3d25948bb9fd98edc264e7fa9172a193cc124b6ac3a63ce04ec45b1b85b

SHA512
72919551d748d61e0c0607498979dccc7541059fdd1b42db674c9e0b6ead6e8252dc419629a76414cf66eda4d376fa5fbacf54050acf948943fbba11e36badf6

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
552KB

MD5
3a6fb1d11ec927412d8d03d61b3d5bd5

SHA1
c0506e46246055e02d1af7c0dee7c5305fe4c29e

SHA256
0f0e729092259adc54464ff39943160360714c0960250c6102d9dad168e3089b

SHA512
a3a55012197cfd3f4da807b475e2627bfe3eca6cb092deead67ac67cd9649f80c203d7f5f67e2fd2c68ece4cea881b126dd6d786137712655bf2f9d73d305f0a

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
552KB

MD5
0cab0e4e01f91ae2027bf1018c6af0fa

SHA1
05168cd06931340ba977e1e7fd372561d2f2f269

SHA256
b00a7b8c39d7c2218551aaecee5b621175d7f2dfffb3fa541806a18f77c8046e

SHA512
1ee10c37db01d89fa5253f3fd708a02c38c285280ebe3deaed2c64cc33180ad1abde7d98879db129c2144f5c14af5d5f48d29a4ab10f70a36c7052048f855dfe

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
552KB

MD5
c88e6d70a5173008cf828cb592656e6b

SHA1
30b7f5d414ecf466c0c3d85e273d5092e4744854

SHA256
c5e26b5725d296128ef40c8c11706e36b37b64aad39c26cb0c155c9021f65d10

SHA512
6ec3cc7349d1e1f3825104b1237e11a46f0f11bd1d47347b44956278ba9a03e47e703d74996a9868533a1a5b0398ea71ddc815670cc0ed98f137b87b00a65eee

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
552KB

MD5
18e7529a9570a99681fa12d618383c52

SHA1
acf2324b021355b86ea1d22ddb35c0a341aab86b

SHA256
2230227fd33ad5de4da6058c3f3e8e1efdc3fee074eb2bc9e234ccda25ef5380

SHA512
933729395526b469d8044cea34f822cbcc930d9044eb923d166c9e2e12e81453f6225e4831b755b4928b4c78ce589ee6e4adea4eb79808f369d24cc2d0bae8de

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
552KB

MD5
5bcc3b60445df23ffd4191fd74e2d1fd

SHA1
32c370ef35bb8a7ae14a236433e093d8a1115fbb

SHA256
69688d9d61c4c7de4daafd4758d1970d644464fc5831553ae815e3d0500a2391

SHA512
bf6d82d391c592f26cca0bbf3f8f3bf470f3e785daaa4d5f8ea16fa39de4ebf251e5ec4bb299275ca2c53f649fc4591e73153e49c720922e43bb9fd8781f7455

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
552KB

MD5
eb2c72fe29f8d90104a48e4a5b3688bd

SHA1
544f0f90ce43a14ffcbffe5e7490bf4b15079e9b

SHA256
0bec2a76612f8409579157645dfd7c3754cd9fa73700c89693a18e3adbee41ef

SHA512
dd545727566846ae3664ddaa16eb8e3f417d342ea2d267cb2e4bc8485fa9d47f307b418d065de1b63e958681fc235dfa4e091d4c7020c8a6219ae0e5ccdd8d43

Download Submit
C:\Windows\SysWOW64\Kdqjac32.dll

Filesize
7KB

MD5
92d0b66b6d817fed8a0247978263e815

SHA1
e49858974afd93096a29ca7b55289987a2b78aff

SHA256
db3e0897f9eb9e18c19616f4e19a541e6d07e2fe9894a5a1a777f8e182087c3f

SHA512
cd34e36171cc33f45f1151c361e4f044719ac1ae9c0effef9e43d02ac791fb53073778eb1ffe186ba8bfa37c97b40b2f993edbadeaa3780b29caea1561f924a3

Download Submit
memory/64-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads