berbew | ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe

Analysis

max time kernel
95s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
Size

74KB
MD5

44fdc773009c98d994c6ee718fd8b294
SHA1

bd363e34481ed07c1ab3553d5320a8f445b87722
SHA256

ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe
SHA512

4d70f6c1de5c9f32f4fe24af0c0b02776110d608b2ede2e3e0a92aa6dfafbfcd62981b2d64cfb191a958d9e7d7e78041c9464d8898933cbfda7c69ec5634edaa
SSDEEP

1536:wYdhJH7Z9TS+mxlygaWh2xes7TfIMMZhDnyD3IV:VH7Z0/c8CDTfIMyZnmIV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
3872	Cfmajipb.exe
916	Cmgjgcgo.exe
4996	Cenahpha.exe
4544	Chmndlge.exe
3112	Cnffqf32.exe
3500	Ceqnmpfo.exe
1476	Chokikeb.exe
5096	Cnicfe32.exe
2180	Cagobalc.exe
2136	Cdfkolkf.exe
4916	Cjpckf32.exe
4456	Cmnpgb32.exe
640	Ceehho32.exe
3644	Cffdpghg.exe
4592	Cmqmma32.exe
60	Cegdnopg.exe
4880	Dfiafg32.exe
4148	Danecp32.exe
4740	Dhhnpjmh.exe
3680	Dobfld32.exe
1588	Delnin32.exe
4260	Dfnjafap.exe
1304	Deokon32.exe
4776	Dfpgffpm.exe
3084	Dmjocp32.exe
1076	Dgbdlf32.exe
4872	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1140	4872	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3872	2112	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe	83
PID 2112 wrote to memory of 3872	2112	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe	83
PID 2112 wrote to memory of 3872	2112	ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe	83
PID 3872 wrote to memory of 916	3872	Cfmajipb.exe	84
PID 3872 wrote to memory of 916	3872	Cfmajipb.exe	84
PID 3872 wrote to memory of 916	3872	Cfmajipb.exe	84
PID 916 wrote to memory of 4996	916	Cmgjgcgo.exe	85
PID 916 wrote to memory of 4996	916	Cmgjgcgo.exe	85
PID 916 wrote to memory of 4996	916	Cmgjgcgo.exe	85
PID 4996 wrote to memory of 4544	4996	Cenahpha.exe	86
PID 4996 wrote to memory of 4544	4996	Cenahpha.exe	86
PID 4996 wrote to memory of 4544	4996	Cenahpha.exe	86
PID 4544 wrote to memory of 3112	4544	Chmndlge.exe	87
PID 4544 wrote to memory of 3112	4544	Chmndlge.exe	87
PID 4544 wrote to memory of 3112	4544	Chmndlge.exe	87
PID 3112 wrote to memory of 3500	3112	Cnffqf32.exe	88
PID 3112 wrote to memory of 3500	3112	Cnffqf32.exe	88
PID 3112 wrote to memory of 3500	3112	Cnffqf32.exe	88
PID 3500 wrote to memory of 1476	3500	Ceqnmpfo.exe	89
PID 3500 wrote to memory of 1476	3500	Ceqnmpfo.exe	89
PID 3500 wrote to memory of 1476	3500	Ceqnmpfo.exe	89
PID 1476 wrote to memory of 5096	1476	Chokikeb.exe	90
PID 1476 wrote to memory of 5096	1476	Chokikeb.exe	90
PID 1476 wrote to memory of 5096	1476	Chokikeb.exe	90
PID 5096 wrote to memory of 2180	5096	Cnicfe32.exe	91
PID 5096 wrote to memory of 2180	5096	Cnicfe32.exe	91
PID 5096 wrote to memory of 2180	5096	Cnicfe32.exe	91
PID 2180 wrote to memory of 2136	2180	Cagobalc.exe	92
PID 2180 wrote to memory of 2136	2180	Cagobalc.exe	92
PID 2180 wrote to memory of 2136	2180	Cagobalc.exe	92
PID 2136 wrote to memory of 4916	2136	Cdfkolkf.exe	93
PID 2136 wrote to memory of 4916	2136	Cdfkolkf.exe	93
PID 2136 wrote to memory of 4916	2136	Cdfkolkf.exe	93
PID 4916 wrote to memory of 4456	4916	Cjpckf32.exe	94
PID 4916 wrote to memory of 4456	4916	Cjpckf32.exe	94
PID 4916 wrote to memory of 4456	4916	Cjpckf32.exe	94
PID 4456 wrote to memory of 640	4456	Cmnpgb32.exe	95
PID 4456 wrote to memory of 640	4456	Cmnpgb32.exe	95
PID 4456 wrote to memory of 640	4456	Cmnpgb32.exe	95
PID 640 wrote to memory of 3644	640	Ceehho32.exe	96
PID 640 wrote to memory of 3644	640	Ceehho32.exe	96
PID 640 wrote to memory of 3644	640	Ceehho32.exe	96
PID 3644 wrote to memory of 4592	3644	Cffdpghg.exe	97
PID 3644 wrote to memory of 4592	3644	Cffdpghg.exe	97
PID 3644 wrote to memory of 4592	3644	Cffdpghg.exe	97
PID 4592 wrote to memory of 60	4592	Cmqmma32.exe	98
PID 4592 wrote to memory of 60	4592	Cmqmma32.exe	98
PID 4592 wrote to memory of 60	4592	Cmqmma32.exe	98
PID 60 wrote to memory of 4880	60	Cegdnopg.exe	99
PID 60 wrote to memory of 4880	60	Cegdnopg.exe	99
PID 60 wrote to memory of 4880	60	Cegdnopg.exe	99
PID 4880 wrote to memory of 4148	4880	Dfiafg32.exe	100
PID 4880 wrote to memory of 4148	4880	Dfiafg32.exe	100
PID 4880 wrote to memory of 4148	4880	Dfiafg32.exe	100
PID 4148 wrote to memory of 4740	4148	Danecp32.exe	101
PID 4148 wrote to memory of 4740	4148	Danecp32.exe	101
PID 4148 wrote to memory of 4740	4148	Danecp32.exe	101
PID 4740 wrote to memory of 3680	4740	Dhhnpjmh.exe	102
PID 4740 wrote to memory of 3680	4740	Dhhnpjmh.exe	102
PID 4740 wrote to memory of 3680	4740	Dhhnpjmh.exe	102
PID 3680 wrote to memory of 1588	3680	Dobfld32.exe	103
PID 3680 wrote to memory of 1588	3680	Dobfld32.exe	103
PID 3680 wrote to memory of 1588	3680	Dobfld32.exe	103
PID 1588 wrote to memory of 4260	1588	Delnin32.exe	104

C:\Users\Admin\AppData\Local\Temp\ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe
"C:\Users\Admin\AppData\Local\Temp\ac1b744ae147f199c02ee5281bcf1039fe72e3324c81de3dfda9e241b8655bbe.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\Cmgjgcgo.exe
    C:\Windows\system32\Cmgjgcgo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\Cenahpha.exe
      C:\Windows\system32\Cenahpha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 408
        29⤵
        Program crash
        
        PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4872 -ip 4872
1⤵
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
74KB

MD5
a6e9710cf3aa805ea440fc1eb125d50e

SHA1
d41fae819c706c935ca6a9982d48c0fd80f1a515

SHA256
3e47770c9b691a4e0b36cd6c40478c88614aadbee2ac81bf7bd923c896c0c4eb

SHA512
4173fd8e6762100ab3446458c666a407aac7e1d6d34dd4e7b800c0ea18a753cef82e3c4d439770fb30e9eb4de1e6e3ef9ab2eed2c9fdb3cb62f0ec4f903d7a54

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
74KB

MD5
5b5bdf69c61ac1dc0870bc0dd0b6ba32

SHA1
89ada6d4f4af599b390349ebd848611b01aa61b7

SHA256
d419f5625e3bedfb9ad62a8b99133fdcf974926537bdd7847773cc29e68814d0

SHA512
f656a937020bc3dafa5e68313ceca530dd1a1d605269bdbf1b9c208ce4408ecb383eeef5f4dbcd3cbc16fb3423061a082ccff9fe4ebb39c5a6c11355b7c51648

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
74KB

MD5
169d9b045bdf718780957c19c35e7150

SHA1
7c9271ff20a877f63470476b8e406fb8d5d19653

SHA256
ea949cc8130746466b48171a676f9a38e0f55e8a221503703f877d7541784788

SHA512
553c52086a4b552b5c1e8ce5f39238c0fc9c0e0585edfc411d6987943b3e1d5fb7799a87aaeff7e8bd6a9643c080b6a439a553527faf0719c61dab0f4e748ac3

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
74KB

MD5
f5ae4962ed39a35c5c313fd21d8cd20d

SHA1
24e6dea3081e1b30096b5816a13bf782079764c7

SHA256
70aa3058bf373247fe433a3478db636d4eef8f3ab589e769469f9a091e06f878

SHA512
45e471e6fa25afbb8dfedb3543dbfe06790adda9d665bd6e0865a1eb5c597b99bce919418a998e93d35f7c7110be358d5b06ace6866418b81b1e2d524f15173d

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
74KB

MD5
daaf3febb8203677b6035adb279e7039

SHA1
ea11a1464920bf4ffbb1b34fcb9d32ebe8d3ea12

SHA256
df5c7e9ade961f41ce6d23c6204713094a537949fbfee2764d2536d11a7ae0e8

SHA512
9b3eb9993738080afeec84cd09b33289cd78cbd6d76263d8f2090817e8543dcc4e4b61067c508087deb61fb86a721aff9ff0a4cb7db29411a26ccbbd60461291

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
74KB

MD5
7001e07a51157aa5292f09d064c5c0eb

SHA1
d55b5f2903efe5eb37101d9cd0ddad1ce56e35f1

SHA256
a4d7a46c0466f6459f97004b8ecd815ccfe679c7eba264533842813828175cc1

SHA512
a99cff5a70a5ded9a4d2e526dd8bef8f32feadd2f75a4c636470aa9dbb1cfa0175d17e97b91e5d45a56b8e9674aeae2d715fd7bc56ff7d49d99f2ff5d0a9eb65

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
74KB

MD5
c0b0bf7c6f0c495c3c6973a5f35dc549

SHA1
adce02a6530564f1b01cba06cfb4c4f57d2a2937

SHA256
622b7db617ca4aeae5573b7dca6d74dd8c74ceae2facd978c824cdd150e0a51a

SHA512
5677b59768ea6b2fc5407f49cd9ae4bebfa23b7e5c359ee1b5d7b3300d7935c4ac8e7082b010d5e4d7ddd7e51f2a8dd0aa66a9c88f054f688ba7dbf3d8cea5d0

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
74KB

MD5
85f494373166b96adb3636a011893f23

SHA1
7eaa4ddc008a25db00c418e19ab3ab464ac3a4ac

SHA256
674e786c37edec7dc5dfbe382874a8e331712f3bcb9c717ef8dfbf1878961076

SHA512
ba2916d0f10aa235823cbecb5b30f8c38bf3134ddd0841d5430fbf7bdaf12aa639bb4d16d754af87a99202dc563b31728d09408d14d252b3b1ac67f2394e11b6

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
74KB

MD5
7d11ad15f62c762c97469017007f9ed0

SHA1
1271d58738b0bfbb469eca880cf56f552d09b9f2

SHA256
1d0224e047cc3ad7ed83df789aa5f8bf8e0f019097a9256a4958dd56f523f963

SHA512
cc1d15454e10827a60634b43da6610b07e698a9f924a626f57e1140ed5aea9e0142a96ea07bd5965f075433d9484b0baac281f52b40c6377be4905fdc4551826

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
74KB

MD5
51906f663a7e51eee3832d5edf110988

SHA1
7d0a2500db157f6b9f60ffb72ccbcae2973d7209

SHA256
992dea4c61d7fd2eea597af93256c3a63d728d9971dbe0113dcb9323c817a5f4

SHA512
56fc45e59f786b15796c7e443c29cbc35f03b505ed0fd5dc45c9fe729335372f0d4e93d37579f84c9e6e150791c7b57a7de0565b6ab0dce7b317b1b4d2b2054a

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
74KB

MD5
0b66936a2a2728ca73c6c91f9e881e4b

SHA1
4c4378e58a6021ba714acf63cf97bc8f872e3231

SHA256
6851ac588325b888a95f5e3463c431a87890df1850ad3b512fd574d7c858f44e

SHA512
82d7db6f6df90880dc7047b3ad918df43ee1dffe7c2629ee73a19f8fcf87aa5228f660a3df86b9fcc490675d37ae64e753bbf18b2ab8a8231369d4986682531a

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
74KB

MD5
234b35615277a489331b5f237516baf0

SHA1
ef08e7bc31d136d483358289d653beacdfc8e390

SHA256
2a85d4fea2d099604a3d73b02526dc572308c3723ce310cb3db178fe0c0847fe

SHA512
46e4281549da4d736e2c4d3a5dff4747e328f120e88fbd562d401eefe2c68d26e557d2a934ef8dfe427b15a5af71a0b2c19ddc646b3edc68193f76d44bdf5a2c

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
74KB

MD5
f1ffc8484eec26e7aaff4f3ffd5d0531

SHA1
fdfb16796663362c38d8fc50640cd7023fa818f5

SHA256
3a9ec003477987d281d8bf75ee4541cb6797619d8e9ba33e89c14109130e0d54

SHA512
c94904f9330e3066a80b5196eced1ef82fbd0fc9909d0099375cc340836a3f05557ebf1515e6c69e688207ff54c3fb2354742d1671a76a39f246d404486d57ba

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
74KB

MD5
f966c891edc087e12861806eef209b9a

SHA1
027bfbdbbe8cb8acd56fb72546bc75b5868a1c3b

SHA256
6178f255a71e8d896d2e013ca65d978ff595f97e645ab6bdf0ee40a35f20ff97

SHA512
af56dfc98b3e547ba896c603c3a24fa29b6b0ae2013850621047f6de067e97f4c2cea611efa0ca2bc4aaea87d6feff862439f474ccf9ff907a61462e361f683e

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
74KB

MD5
689ef72c4ec58d5f5e1f06ced315f240

SHA1
86d3369a529e42ec3aa4b4daa484f9c64c875a97

SHA256
93cbb58b02f83b74e371bede7475395497269416a4efea3eede6a8338a3f0b51

SHA512
69046fd18bade92af1ba419c43dcc0641afc1f3b9dde14ac5891756e568557e79a8c04babf2490f58f94bfd49957e3ab2ed7244363d18a988c00d5ab300a22e6

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
74KB

MD5
556503e94851e0431c28eee7d4811c3a

SHA1
761bbcd975e9c0a62d514f7b982424e708b1dea8

SHA256
3174b168ca51aa36c63895e18c4726a73a04b88204438f61e7151b76303dede1

SHA512
2107b1e30954d2a2a2804a2a0fa4940e0e82f9144db7779a35157fa82643d64f7f1918e948545ed3bac7634d500be26e45e136f5a497d5207dc76c6bd41b2616

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
74KB

MD5
8fae28dd25b908b899c3d0ef9927f66d

SHA1
42ab818e60b1d7307c2b7a7bf1e97d7e1d0fb162

SHA256
0dfe71d41f06179290bf868194993e1ba8edd7f90a8694a065f54316162a1182

SHA512
03705bd98454de22b25c54805e1eca94d4a49e2f808319c277a439b47db3eb603426bfc738d9d71a6b4cb0ed45f0e86a534a9099d1e81fc5e41b1705322c3030

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
74KB

MD5
f669949c6a084c00152c8e89fddc75a6

SHA1
969966c7bc0eeb5efd6ac90bac08d7adfa8d9cee

SHA256
8726d723a8854e1b69b79226537c194e62c9245835d7586ee9cab4272be0222b

SHA512
165f0d49cf2999faa899c9dcc5bd1ae6d1d87764abebf481caf68ee7480f646fae7c4236e93c4683ab03442d9bbc9919ccb1d64b2339ef20b422ba4cf7078aa9

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
74KB

MD5
9739ffb4cbc3b2f593609f81d502fb2d

SHA1
92f2f3e45178686562acd468f958bb420a0a6174

SHA256
6c449be3325575ebd4b3f4b45a7651ccd9519f251d23b114f31dc0375cf27b7a

SHA512
aac24034638ade74ee4b47baeb9dc88c54b36d7f90be49a80e67b5370cc77d93d8c8b5ae9f41797402eea489fb8875c60b7754e5a1b8fcebe16b992e84bd2502

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
74KB

MD5
2eb0d8c7da7b166026fc6d038a1d3c83

SHA1
6224296701581f35517ef97fa5b63241309336d6

SHA256
cdf149115264d45869904a3be0f6a1492d1cfc5d4f4400eec2bb2741399a26e5

SHA512
f550edec8f3c084568a53e78255a285608884ae648833a24be2a1b690edd17855926744fbf90d92c7f3ba2cd0e0c597681f0bf46ecfdb0763359b47f1650ae64

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
74KB

MD5
301f6b5b2845cdc7b4333e4f2e5642e2

SHA1
b247b191a9b9f619b388d0ddf35df6b660950800

SHA256
69ddbc1212de50e759f211ad1105db113967486afa5b4d51f276d9350552c484

SHA512
61c065ad08262bc05175b9c2ddb48016813bc5744c50409fc83592bf53baa24e69ae15da65f2ff55d5480cc3f4b3596f90e7085a6c0b8b581f570fb922dca089

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
74KB

MD5
c5500c800ffb37f96ef182c41bd87252

SHA1
ea5761c861215cb6b6507e8148e5a1edc582ee6e

SHA256
8c2c0d18fb790356072208ce13ff72c5b7e456ee292b4a6799a4896ed9c4a558

SHA512
5e70dcb86a481c85ae3fbc266d162f1070a2b4670c54c6cf2527adb27f60c5cabcbe66a2260c720d67c064954ee0bbb905afd04c268a9a4b6482028b5bc81ce5

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
74KB

MD5
786c7ce4ac75621a97a05e4c745e8865

SHA1
d62e6d10ba8afcebb85c657f4b6cfeb340250268

SHA256
1be347a726e112af41d7530e575f4120ca3047f42053a8fa20f0e90f513b203d

SHA512
e262b19c8f316d2ddc15afeacfba96b5278c72fd846eb18243458e8510585c32c0b0ede9a1582974befc739ed6be35bde1ed730e87741a00ad066ed6a8816302

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
74KB

MD5
49daa21b7c8ac25d70bf927f2ea5f942

SHA1
6896c89a7c02fba4831489cf71280874bfb92c6a

SHA256
1c730528e8c4b9edc313e4efb3c7029f89fb3b04400f10c4de8eef6531338976

SHA512
29116e4d612ec265d3f28e7da92690370708cffcb7e13d0d8e65851ba4e3467f2e0a7876237b878e4f5205fe1a9de8df2bdc3459f723657ec0e33c67bbdb5013

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
74KB

MD5
3ac979e386bd82657249f3a52c678bd0

SHA1
9f4553932b91c9363f789243d4ab4495859df81f

SHA256
81482611949631777c782b81861cd0907e3e20c00d877bdaca3093f859aafd1c

SHA512
a490a024bd68a1c975b6d74a344c9baa9048361b9f51e5628fa8819c0d769b1187cda730a7e265f27a19a5add77d9fa2d160f75f7655f7701013f83e3989612a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
15666f5281c9233220e9c66667bc3133

SHA1
f24371784b5a2edd6658f52d7d9f226cc2f1418e

SHA256
c9fcd814333c1bcc22e40138d7ed44f65eda8f59420da4b67de0ac1ce60671ab

SHA512
43f47ee73a585d6882ab0abaa4318f522b7973e78c8a513d69897537b917cdb8d00e8b1733a81fe6de26fc861603811a201efc54b386a490524418329cb1695b

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
74KB

MD5
78678b1203870eaa40c49db471a9e951

SHA1
6c9dc76de452e0e7d6dc815430e78677219ef51b

SHA256
d15c63c315faa1773be7910446f92a16fe681cb4d4972f67c8b7d4c6de69b896

SHA512
86e324992d01e7994c0030d42140e1d51b35b351db0865166ab42eff1d72b84251f5bc440d64d5557759a026a37c58518a50c8aaccd97227930c109c60d1e5c1

Download Submit
C:\Windows\SysWOW64\Lfjhbihm.dll

Filesize
7KB

MD5
3ac43c6f57168ee77f2c8262ed76f198

SHA1
667b4fb823054df6575373239df99918c486c5e4

SHA256
80b4d53bd4a7a667a8056125a45926c60a6e2998ae11bfb18461e92629c83d1c

SHA512
de2a51d281d362d4e5bbb76348f96281c09dbb65702310016e4febfde4fdbba981263e9483a375aaf443827ee87ecac3cf5f4dae7b02ec1c5c0de2665837e1ec

Download Submit
memory/60-228-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/60-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/640-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/640-230-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/916-241-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/916-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-217-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1304-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1304-221-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1476-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1476-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1588-222-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1588-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2112-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2112-243-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2136-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2136-233-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2180-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2180-234-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3084-219-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3084-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3112-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3112-238-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3500-237-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3500-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3644-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3644-229-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3680-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3680-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3872-242-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3872-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4148-226-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4148-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4260-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4260-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4456-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4456-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4544-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4544-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4592-124-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-225-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4776-220-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4776-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4872-218-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4872-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4880-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4880-227-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4996-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4996-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5096-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5096-235-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads