berbew | 28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
Size

142KB
MD5

144004f60e0953ac602df01417017ec0
SHA1

71ecbda38ac7608638cac37492d85ac4902710b3
SHA256

28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835
SHA512

1973d8b234b1f1d7ca7e8cb04e3c795ccf90bc5e944e79c71d3844b86cfcab5191c81712da861cdf92950b36c44ddb6b758ea5ce59960cfcb47c6572ea00f0c9
SSDEEP

3072:H3ry6yc2mgV9oleLTkDjY5L3a3jg0DihKjgUDLjBQ7/OuOXNxrXTkDjY5U:H326pD0LTGjYF3azNPXPXTGjYe

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
3796	Bcoenmao.exe
3528	Cjinkg32.exe
3636	Cabfga32.exe
3964	Chmndlge.exe
3824	Cmiflbel.exe
4896	Ceqnmpfo.exe
2152	Cfbkeh32.exe
1056	Cmlcbbcj.exe
3540	Cdfkolkf.exe
5064	Cjpckf32.exe
4548	Cajlhqjp.exe
1796	Cjbpaf32.exe
400	Calhnpgn.exe
4708	Dfiafg32.exe
4748	Dmcibama.exe
3532	Dejacond.exe
3660	Dfknkg32.exe
4292	Daqbip32.exe
1808	Ddonekbl.exe
3432	Dkifae32.exe
4680	Daconoae.exe
4524	Deokon32.exe
2816	Dfpgffpm.exe
2948	Dkkcge32.exe
2932	Dmjocp32.exe
4516	Dddhpjof.exe
4844	Dgbdlf32.exe
1896	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
348	1896	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3796	4980	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe	83
PID 4980 wrote to memory of 3796	4980	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe	83
PID 4980 wrote to memory of 3796	4980	28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe	83
PID 3796 wrote to memory of 3528	3796	Bcoenmao.exe	84
PID 3796 wrote to memory of 3528	3796	Bcoenmao.exe	84
PID 3796 wrote to memory of 3528	3796	Bcoenmao.exe	84
PID 3528 wrote to memory of 3636	3528	Cjinkg32.exe	85
PID 3528 wrote to memory of 3636	3528	Cjinkg32.exe	85
PID 3528 wrote to memory of 3636	3528	Cjinkg32.exe	85
PID 3636 wrote to memory of 3964	3636	Cabfga32.exe	86
PID 3636 wrote to memory of 3964	3636	Cabfga32.exe	86
PID 3636 wrote to memory of 3964	3636	Cabfga32.exe	86
PID 3964 wrote to memory of 3824	3964	Chmndlge.exe	87
PID 3964 wrote to memory of 3824	3964	Chmndlge.exe	87
PID 3964 wrote to memory of 3824	3964	Chmndlge.exe	87
PID 3824 wrote to memory of 4896	3824	Cmiflbel.exe	88
PID 3824 wrote to memory of 4896	3824	Cmiflbel.exe	88
PID 3824 wrote to memory of 4896	3824	Cmiflbel.exe	88
PID 4896 wrote to memory of 2152	4896	Ceqnmpfo.exe	89
PID 4896 wrote to memory of 2152	4896	Ceqnmpfo.exe	89
PID 4896 wrote to memory of 2152	4896	Ceqnmpfo.exe	89
PID 2152 wrote to memory of 1056	2152	Cfbkeh32.exe	90
PID 2152 wrote to memory of 1056	2152	Cfbkeh32.exe	90
PID 2152 wrote to memory of 1056	2152	Cfbkeh32.exe	90
PID 1056 wrote to memory of 3540	1056	Cmlcbbcj.exe	91
PID 1056 wrote to memory of 3540	1056	Cmlcbbcj.exe	91
PID 1056 wrote to memory of 3540	1056	Cmlcbbcj.exe	91
PID 3540 wrote to memory of 5064	3540	Cdfkolkf.exe	92
PID 3540 wrote to memory of 5064	3540	Cdfkolkf.exe	92
PID 3540 wrote to memory of 5064	3540	Cdfkolkf.exe	92
PID 5064 wrote to memory of 4548	5064	Cjpckf32.exe	93
PID 5064 wrote to memory of 4548	5064	Cjpckf32.exe	93
PID 5064 wrote to memory of 4548	5064	Cjpckf32.exe	93
PID 4548 wrote to memory of 1796	4548	Cajlhqjp.exe	94
PID 4548 wrote to memory of 1796	4548	Cajlhqjp.exe	94
PID 4548 wrote to memory of 1796	4548	Cajlhqjp.exe	94
PID 1796 wrote to memory of 400	1796	Cjbpaf32.exe	95
PID 1796 wrote to memory of 400	1796	Cjbpaf32.exe	95
PID 1796 wrote to memory of 400	1796	Cjbpaf32.exe	95
PID 400 wrote to memory of 4708	400	Calhnpgn.exe	96
PID 400 wrote to memory of 4708	400	Calhnpgn.exe	96
PID 400 wrote to memory of 4708	400	Calhnpgn.exe	96
PID 4708 wrote to memory of 4748	4708	Dfiafg32.exe	97
PID 4708 wrote to memory of 4748	4708	Dfiafg32.exe	97
PID 4708 wrote to memory of 4748	4708	Dfiafg32.exe	97
PID 4748 wrote to memory of 3532	4748	Dmcibama.exe	98
PID 4748 wrote to memory of 3532	4748	Dmcibama.exe	98
PID 4748 wrote to memory of 3532	4748	Dmcibama.exe	98
PID 3532 wrote to memory of 3660	3532	Dejacond.exe	99
PID 3532 wrote to memory of 3660	3532	Dejacond.exe	99
PID 3532 wrote to memory of 3660	3532	Dejacond.exe	99
PID 3660 wrote to memory of 4292	3660	Dfknkg32.exe	100
PID 3660 wrote to memory of 4292	3660	Dfknkg32.exe	100
PID 3660 wrote to memory of 4292	3660	Dfknkg32.exe	100
PID 4292 wrote to memory of 1808	4292	Daqbip32.exe	101
PID 4292 wrote to memory of 1808	4292	Daqbip32.exe	101
PID 4292 wrote to memory of 1808	4292	Daqbip32.exe	101
PID 1808 wrote to memory of 3432	1808	Ddonekbl.exe	102
PID 1808 wrote to memory of 3432	1808	Ddonekbl.exe	102
PID 1808 wrote to memory of 3432	1808	Ddonekbl.exe	102
PID 3432 wrote to memory of 4680	3432	Dkifae32.exe	103
PID 3432 wrote to memory of 4680	3432	Dkifae32.exe	103
PID 3432 wrote to memory of 4680	3432	Dkifae32.exe	103
PID 4680 wrote to memory of 4524	4680	Daconoae.exe	104

C:\Users\Admin\AppData\Local\Temp\28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe
"C:\Users\Admin\AppData\Local\Temp\28471036171165e9f654d46639f75ae969f0caade9b7d71f2b94129c1229d835N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\SysWOW64\Cjinkg32.exe
    C:\Windows\system32\Cjinkg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\SysWOW64\Cabfga32.exe
      C:\Windows\system32\Cabfga32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 404
        30⤵
        Program crash
        
        PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1896 -ip 1896
1⤵
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
142KB

MD5
529e439e57ed43d067aab9e056e8dc33

SHA1
6d9ee845598f38b5fff297d50837bb167fde11c8

SHA256
a1a11f268de333ce911c4012d8baf18dd0ffc3f266b527169b388cd6f4b7fa53

SHA512
12b2b6007e02f457153441d5d92bfe591c1e9562444270bf6400f386f39eba0ab47a92ddc0600b08688d4d46d9dc00309927784ccac3c6e72896348d2fe1390f

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
142KB

MD5
d69e7702c2e9524409cc70d6b75a5cc8

SHA1
cca1826d85f2ef80cfdda03b672304c76ce1da68

SHA256
b382f34f474b10bafe3999cedeaf510bda6b61b46f539c4593035993458c57ed

SHA512
2c8d5a969104edebb32ea11b9b4f7831b908c2a5d290779f5e420c3002d5d723501883f6a036aeb5b8094bc81a78b0b54609b65d284e12c5ab842f8f2ad2420b

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
142KB

MD5
5f7556802c8332cf099abb9c46363537

SHA1
79d6da5f82a17144996c4b91960d69c4360c71ce

SHA256
6d6de4b5ecf2c359f5efc51a66c446f8087ecebddfe95ccc3247ec1409722dd9

SHA512
b3b0dc51e0625dd2bb47d4f9e3460ee1aa89d169f61246b6e68cc363c1151a6610bcb6461ffe4bcb7d7922159e26ee4a7ce2b74b3325d180edffe5b6b0154406

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
142KB

MD5
e9654351b559d1ce36661551471f94e1

SHA1
faeabf4c22944364c5da9735fc45115fa2f166f3

SHA256
572afa4f45f6b40312a112c0a90458963bf9b3bafff82876cf7c264d9b3d1441

SHA512
99510c6af2ec7a52ef1e2b3418418decbe086ff98369e754898413d8c80d1d94726721131e7d8f840caf10fb764ae797666f1c5e1de5f9725e39abd3adab5312

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
142KB

MD5
553de65ae54ce927ee48ef1a2324460f

SHA1
300931ac43410524423d44b84c9fbfe03d6a888a

SHA256
1c563cb88fd6dc1d887724d4a86439a5c8bfd1cb9c4b812c23e21c368c984008

SHA512
f2237a7fc0b70b791297920ff841ef160c4c8a07c1fb8ce86e89721cbcd3d3269ab2b07de725784778a49eccd88f37373668d914cf0faf94a2817e235bfcadbd

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
142KB

MD5
129ac4691294450e7d958f8aab8ab4b8

SHA1
78ade2d874da6bf5e0d55f5a95275c133612afd8

SHA256
3a4357aeff4a559e7995fbbf0571cb8eb2670a166433bd899ec83bc9504e90eb

SHA512
50c7095a81ed1d282b482be0c6407f586928a4fb09b072117fee7dd8b38ed9d95496e8f27030a0cc45222284a9369b153b90538835f6e05a676192bc2023c297

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
142KB

MD5
cadbc173401e2a4e305bd725d20ca1b8

SHA1
4b0f3766662ed461f0215fa9b4faa0d87ecac14c

SHA256
d4648aa6ed7bd56ff3f80b17ae971b7ce6e6c080fdd25ce86226f0121966e42a

SHA512
5849876a2e2952becdd92d9d22225fd9e79e2ac448d1422eb2488f7585c4e4daf9909273541332c01345a9fa8e6904c2d9295241e5429d28ad6a60de53198617

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
142KB

MD5
6d8d86d0aa549eacd13efc7ed3943dd4

SHA1
7e806255420568cee9554a9ded408228caed8bbe

SHA256
6a9a56dfea2e037a33aafbd86489caf7755960b46a596d03cb1cb14e75b34f4e

SHA512
839a48656b9a8e971719dd14ec6e789b53ea2fe6914874433372a78685d373ddb78d0c52c12faf621c984ede16a56ed47fcf000ef316151ce51619919d88a8b6

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
142KB

MD5
0bdb23ed0582cf81b40a490eceb6e317

SHA1
8251137a905819cd19ccc7cbb81ab28eb9c30884

SHA256
d43c71d1d2dfecf6d74caea25905136e7fd5b5b686dd5cb88803dda57117cc40

SHA512
a3fa77cf1e5ac603f1cc32cbd1e1911227cf9eade7c32129bc2fde91b22ee37ea718d4bbee47315a61bb6eb8735258c49189879935a3486e705f2b675a558d94

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
142KB

MD5
c26732f5f32f6e860b0a58b5a7f2e2d0

SHA1
486569f8b3b785e8a6662f3fa688fa174bca729f

SHA256
bee8cda230f71dc67d1ee0ea18a02ab295720df2455d98debf4f30ded3b46cf8

SHA512
9df1320805dc6d7b304ac4309455ac50225b61aa61aa8c51cd647c9d3a312b71c299c94b8276df7cc714e691d6cca4366a54635e4d9835bf0ad5409f983624f6

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
142KB

MD5
7fd70db797a86df6c03a0253216b26f7

SHA1
eba420b2693f840ebe8f5d292c8c3807bab6b7fe

SHA256
358f9f9e067e8b3fe754acba192e6f6283bbf35d478255e8267245e4ab0fa7b8

SHA512
bfd75d7a67e287107ff87eed9d5cd3e8bac1c7ab9ea8f8f3413278036ef80a1944478a36f70983b15927f267fc165b19d875457766e3035c61d8139d2b2576fc

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
142KB

MD5
e1bed35b3666e73ca38a098007a0a62b

SHA1
8b07aa1f306ac26606a62c4f6750aa553c32abb9

SHA256
16f170eace05d9d55ebf0c25d0c7ced750cd5b8c7a919785bc45684c90fcb3c7

SHA512
6d566036cc42171ec8aaa33ad4f187c481ee7ff5bc3eb5f400489eaf6e20925ac7672f6c12292be9bbc7a36d95968fbc4640199ec582efccc10bb9ecc5233a5c

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
142KB

MD5
b1396ea3040a867698c6f39f1f5bd389

SHA1
a3fae8392f4f9e5315adaadb40068a56b9e1e5cd

SHA256
1160d930f13d03a1e565fe529cbda91c0ff693faa2bba6c861a6640e68d9802e

SHA512
e26030752c61c9b569a24f40dc4f59078bd2242907123fdbcf8ef0a4c9c5b0040a89bd3fbeb7d519f4b47c341548da085e5600e66b4e8208c97c21ced7370c8c

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
142KB

MD5
ff61c323d002fdd7eeea380add93e20a

SHA1
6dc47de2c2570a7b253a948555925848418b2c78

SHA256
2e360dc6b1f7b4afd5fca029632616e4d96235af8ae3ee51931fe4412713932b

SHA512
28c0d3f89046ff37308e7bd147c96ed7eff229bf4fe15793e927266606f5c10e12b8f7eeb5daf1a6f9703a861f8d17d9d6a39ab026c4973ab2e8e9b1233f6748

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
142KB

MD5
24dff89573d284e44c8f7a1727602954

SHA1
8ece23304285b9539be7c8a4afe6a07c0ac48574

SHA256
9e2881a212c517a9aaa2aeeb5b09f2d6124178f9736722206a565005e66d5a64

SHA512
1ce74f7789bf94c8d870957f524781d9cf7152690b1fc2295c056b3d4f4ea075709623e6f7fde13437990fc7ce9bf5363db5034f0d6015cd92dbe6d0e701e728

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
142KB

MD5
0da820c727ba309cbea3666f8222f07c

SHA1
27e398907349b0abda4d5d6e5da5fc0f817d94fb

SHA256
d7dd944585ddb41b495e027bbd1d69377aed5d537f3ab3b41d2cf3473f0e9004

SHA512
2ccd6ad648dbe647903b49a74b9bb8952ae9fa9ecac0bfba91962b5b3db3f892102ec0971348273747f12c1260ba333158521b309ba4b494f70f3406d8962504

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
142KB

MD5
1845bb23c4a280ed44ef283c8f56ee19

SHA1
0248d8aa8258d0ff62f57c7fcb4e3756981fe0bd

SHA256
790b1b1a845b4eb97c6d3af0d4ef7cdd3012075793dee6994a04d050a0f80c46

SHA512
3c07d510cc41c101730f35f106d0d25ce724baeeb0ed5b2e6058d231bd6e492a13fda61e0f523d23ea21fdc2e6c3262fb425c578ef1da92210dae02bd220bed2

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
142KB

MD5
3f0790aca13c1529665333526f0e2725

SHA1
b025ad749a363efe5bc867a48d5827bcc8f5c7fb

SHA256
314ac3f0eb6aadd59b61f805e71380e1cb311bc18092eefd2acc603f89ac5b56

SHA512
3814abb1e97cc1bdd06de90c9289641d5fce25a6634d860db3d200c63e1cdfba7cb5ecf3a3f43fcfeabf8b213a266e76437c601d7c3437bcf54f75048753af18

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
142KB

MD5
8eac3286fc1f9d27d176c9db2ac88e9e

SHA1
b88396405cf7e9265b495728c535445f3a5d8107

SHA256
248ac26b9066b9b3130c65591cf375643ab3b8264ca3217c85d5bd36200f5a2e

SHA512
eaffdcc0894fc7693063365e294b81ce2ee259e078b63d6f40b5b7e9662ac60e687d7bf25c619c0e7b21be28be7405333662dec661fc710bde80512781cc4be2

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
142KB

MD5
9a381bce6b4cddc66033a317f6b863b6

SHA1
6598e21703cfdcedf3909084e4c66384c87ff0ac

SHA256
e45fc5a6f6e23b49474adbbe5fe815b43e06e7dedbc8322a0a9b7195d4f9320d

SHA512
9a86b6a73438f147815c139410c56aa600a4efcbbf9f000d72c5b2e6df20f463efdcf82748b8a4579ddcfc4f8cdec22af087186fc847255c23733a93616d193c

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
142KB

MD5
8f5bb559000450a4eef997bcb5f39a12

SHA1
0908bf3c8bf1bd5c06af74102661a1830ec72ce7

SHA256
5b480ad73a9d342160db15ca988ea8080c9d14b2af55be163765d80a666ba063

SHA512
9374ce9116d63258054e0f7b11a61a9a83705c5dec923712267a450ea2bb36846b42f10a068189f196460ccbfad93f9a9bf92da3bbf60a1543aeeac23ed24591

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
142KB

MD5
1564a448ffd39b58c4e20d9b0d92b6ae

SHA1
ed9ae4b0d6028f310bb23db2170e85d2f589d6f7

SHA256
2d2df608ee83f507b624b3642eb858f298fef4a5892e8e640d71d2cebca17f6e

SHA512
36e03c22e28e2ea300e1aaa2cde6ed963d36626079cc3f7bd6af06aa235c84314236f8be0b820fd514dcb28744d3d73f21ce09da40dc0d03d98abfa418dc3229

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
142KB

MD5
fd3bc8ced2f2917bff6ca70693ca118e

SHA1
814bb1418324d228c5c82836112c5274dbe0fee8

SHA256
d7d51704302c4259907d63fcd433bd6b3afc6949029866e6b12a17d6dc94e6b2

SHA512
fa80eb3813f347a44e30caaa269cb275a9167801af4d51e30a948252f079cadead7e272c8d29ca3255e44a82bc8fa8bcd51261bde5bb1ba0001ff747d563188a

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
142KB

MD5
5d95f7ed8e159302ffcf31a595f72438

SHA1
c8025b85888aa0dc4d82ea23700dbd52d2336a62

SHA256
9c521ae8c7ec225b9cf15ba62fe06f47af64d9103efc960645e7be1639f5b57e

SHA512
6dd2b443bac8f4e66b5d2f8181cae1fc94e64c8bcecd5ab1a42e3c945405e3688a835a473b8c512aefc03ab94b3de1a5b7284b651c11ca71d35425406c58e20b

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
142KB

MD5
863191e8f9dad579b16e318d6d82a387

SHA1
1103c455659afeb7db42976a236a7b1b4e1266dc

SHA256
4e4c34e3bddece7b3e505d594ef27d832f6f8fba7c8b293514ab2cb59066ee3f

SHA512
a8bfce20d409bc03a27fce10367af80fdbafacff020b363d8f9158031c33c9038fbfb81cb2ca2f49aa4c1da1326a8ae4df374e414fa4d3a36e85aae5cf093c71

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
142KB

MD5
f4d137af21198938f013051e59d1c231

SHA1
46ccf9fb5569bbf050b8cb61f0070c8fafbc8c75

SHA256
b22be8ca6e4478c9e17bef86ed5a4e12d9ed07f1876cbd829e6df24a7a346d8d

SHA512
1dedb1643930040ff3c64d514bb0ad17b8886f74f3445e807cd0155747c5b1036b5c4fdd5a3c485a1e280b85baff0e2c4a008a6d516c6409e2c69e0fe23bcfa3

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
142KB

MD5
6472b53a3c3c0246effef01d6f26b46b

SHA1
ff51c051c657665e4d93d221462d65d5c7aac8a5

SHA256
195a1737d5f669592228b31d1417396295297cdb1b5c72db4dd2d68aa5163fbd

SHA512
c214d563d6c38baae1bca7828be8c66ca74facf81e8c75620c80112623cfd134b11094b98266af6d3ed51f622e9b625201df2789926889108aa03b9ccda0d214

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
142KB

MD5
b1a4eb3f52acb3a4969e87bb52096417

SHA1
3760e405460117c4bc7a032a92e0a3cdedb6c4cd

SHA256
e728818d4e649b6b8dfb0e76bee2ee18800a271f8aaf0f929ede594c761864cb

SHA512
bf846c870993255539a8bf26c9a0fe2cd3672c906baea13c529c3232ef141af0d21f22f3933ff0c8e0f46d4d25af35e4f595566f6eea057b8e9b385dbc6d7b53

Download Submit
memory/400-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/400-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads