berbew | d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
Size

97KB
MD5

af37838b749fc801a6c33c697d24a377
SHA1

8bf3d65751937e2bd140a72af6b2077d0f55c860
SHA256

d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f
SHA512

316940b0b182a9129f73f242ddaa291e742eb1b9fb3e260dd92b5323f1396eeefdee4dae6fb3a6f7cdf0f993b1f950f8a9fe1c8bc714d2c78f44c227e44b51a1
SSDEEP

1536:nrapQ9WdvuVEsPHlTQ6+VKuXUwXfzwE57pvJXeYZE:up8auPHW6+0qPzwm7pJXeKE

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
4196	Cdhhdlid.exe
1360	Cffdpghg.exe
3096	Cjbpaf32.exe
312	Cnnlaehj.exe
976	Calhnpgn.exe
4856	Cegdnopg.exe
5012	Dhfajjoj.exe
2788	Dfiafg32.exe
3472	Dopigd32.exe
3552	Dmcibama.exe
3008	Dejacond.exe
1036	Ddmaok32.exe
1652	Dfknkg32.exe
3056	Dobfld32.exe
4444	Daqbip32.exe
3900	Delnin32.exe
2736	Dhkjej32.exe
1784	Dkifae32.exe
4456	Dmgbnq32.exe
5112	Daconoae.exe
4364	Deokon32.exe
4820	Dhmgki32.exe
1108	Dfpgffpm.exe
2040	Dogogcpo.exe
3844	Daekdooc.exe
3932	Dddhpjof.exe
2304	Dgbdlf32.exe
4544	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe

Program crash 1 IoCs

pid	pid_target	Process
2032	4544	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4196	3496	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe	82
PID 3496 wrote to memory of 4196	3496	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe	82
PID 3496 wrote to memory of 4196	3496	d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe	82
PID 4196 wrote to memory of 1360	4196	Cdhhdlid.exe	83
PID 4196 wrote to memory of 1360	4196	Cdhhdlid.exe	83
PID 4196 wrote to memory of 1360	4196	Cdhhdlid.exe	83
PID 1360 wrote to memory of 3096	1360	Cffdpghg.exe	84
PID 1360 wrote to memory of 3096	1360	Cffdpghg.exe	84
PID 1360 wrote to memory of 3096	1360	Cffdpghg.exe	84
PID 3096 wrote to memory of 312	3096	Cjbpaf32.exe	85
PID 3096 wrote to memory of 312	3096	Cjbpaf32.exe	85
PID 3096 wrote to memory of 312	3096	Cjbpaf32.exe	85
PID 312 wrote to memory of 976	312	Cnnlaehj.exe	86
PID 312 wrote to memory of 976	312	Cnnlaehj.exe	86
PID 312 wrote to memory of 976	312	Cnnlaehj.exe	86
PID 976 wrote to memory of 4856	976	Calhnpgn.exe	87
PID 976 wrote to memory of 4856	976	Calhnpgn.exe	87
PID 976 wrote to memory of 4856	976	Calhnpgn.exe	87
PID 4856 wrote to memory of 5012	4856	Cegdnopg.exe	88
PID 4856 wrote to memory of 5012	4856	Cegdnopg.exe	88
PID 4856 wrote to memory of 5012	4856	Cegdnopg.exe	88
PID 5012 wrote to memory of 2788	5012	Dhfajjoj.exe	89
PID 5012 wrote to memory of 2788	5012	Dhfajjoj.exe	89
PID 5012 wrote to memory of 2788	5012	Dhfajjoj.exe	89
PID 2788 wrote to memory of 3472	2788	Dfiafg32.exe	90
PID 2788 wrote to memory of 3472	2788	Dfiafg32.exe	90
PID 2788 wrote to memory of 3472	2788	Dfiafg32.exe	90
PID 3472 wrote to memory of 3552	3472	Dopigd32.exe	91
PID 3472 wrote to memory of 3552	3472	Dopigd32.exe	91
PID 3472 wrote to memory of 3552	3472	Dopigd32.exe	91
PID 3552 wrote to memory of 3008	3552	Dmcibama.exe	92
PID 3552 wrote to memory of 3008	3552	Dmcibama.exe	92
PID 3552 wrote to memory of 3008	3552	Dmcibama.exe	92
PID 3008 wrote to memory of 1036	3008	Dejacond.exe	93
PID 3008 wrote to memory of 1036	3008	Dejacond.exe	93
PID 3008 wrote to memory of 1036	3008	Dejacond.exe	93
PID 1036 wrote to memory of 1652	1036	Ddmaok32.exe	94
PID 1036 wrote to memory of 1652	1036	Ddmaok32.exe	94
PID 1036 wrote to memory of 1652	1036	Ddmaok32.exe	94
PID 1652 wrote to memory of 3056	1652	Dfknkg32.exe	95
PID 1652 wrote to memory of 3056	1652	Dfknkg32.exe	95
PID 1652 wrote to memory of 3056	1652	Dfknkg32.exe	95
PID 3056 wrote to memory of 4444	3056	Dobfld32.exe	96
PID 3056 wrote to memory of 4444	3056	Dobfld32.exe	96
PID 3056 wrote to memory of 4444	3056	Dobfld32.exe	96
PID 4444 wrote to memory of 3900	4444	Daqbip32.exe	97
PID 4444 wrote to memory of 3900	4444	Daqbip32.exe	97
PID 4444 wrote to memory of 3900	4444	Daqbip32.exe	97
PID 3900 wrote to memory of 2736	3900	Delnin32.exe	98
PID 3900 wrote to memory of 2736	3900	Delnin32.exe	98
PID 3900 wrote to memory of 2736	3900	Delnin32.exe	98
PID 2736 wrote to memory of 1784	2736	Dhkjej32.exe	99
PID 2736 wrote to memory of 1784	2736	Dhkjej32.exe	99
PID 2736 wrote to memory of 1784	2736	Dhkjej32.exe	99
PID 1784 wrote to memory of 4456	1784	Dkifae32.exe	100
PID 1784 wrote to memory of 4456	1784	Dkifae32.exe	100
PID 1784 wrote to memory of 4456	1784	Dkifae32.exe	100
PID 4456 wrote to memory of 5112	4456	Dmgbnq32.exe	101
PID 4456 wrote to memory of 5112	4456	Dmgbnq32.exe	101
PID 4456 wrote to memory of 5112	4456	Dmgbnq32.exe	101
PID 5112 wrote to memory of 4364	5112	Daconoae.exe	102
PID 5112 wrote to memory of 4364	5112	Daconoae.exe	102
PID 5112 wrote to memory of 4364	5112	Daconoae.exe	102
PID 4364 wrote to memory of 4820	4364	Deokon32.exe	103

C:\Users\Admin\AppData\Local\Temp\d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe
"C:\Users\Admin\AppData\Local\Temp\d8c5350d8339918fb7062bb5d67b465cea6b7de60b6b792ade12c7663ede4c7f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Cdhhdlid.exe
  C:\Windows\system32\Cdhhdlid.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\Cffdpghg.exe
    C:\Windows\system32\Cffdpghg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\Cjbpaf32.exe
      C:\Windows\system32\Cjbpaf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:312
      - C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 404
        30⤵
        Program crash
        
        PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4544 -ip 4544
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
97KB

MD5
5002acd358416c5e6982cbb1623f55fe

SHA1
cf5a4d379b767156d8281340fc3feb7fd854fa2c

SHA256
ce097deba20e7c1dac642349f041b93821849de97131e0b2c7dc5cff54272d65

SHA512
ace0aeb4e06dd1aeb5d52c9f6e5cd5c8f68ebb3efbc1b6c9c07c68df347c47f8512a002e3790b49a2d0801a814eb84f9226dfafe110716d0cf15eb044ccddac2

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
97KB

MD5
cbed3d56af4fd24337c2218365713dc2

SHA1
75c81a1973e7b0f0335d8461443bc876551a1475

SHA256
65a601aa424239bbc1d1a2734105523b92ad304f3f4aad8c56807443c02a0e75

SHA512
756f7a0aa501728de4cb621c5830a700288e3f491b058abe3d2e7519901c170b0175cdc9a508753229bd326db2442734abd4ce3e2811a0bc326c46b3eae4d64c

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
97KB

MD5
23e8ae87dcee92b78835245dc207e8e8

SHA1
0b789bb43de827ab3449912d28a26deee7e2efc8

SHA256
5f9e7542a46f3d12ba4e397ffdca6b3e2f4043e577a4ca387aa836c3b1da287f

SHA512
f640ea826a9e1666fbc835678399aa31dc9a91309f9f840d506b21aa6353cb78bdf2960b8c9dca1f356b9202beddd2cd8a4ea7142573cb992a3f48cc155891a5

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
97KB

MD5
02ec0215a6cad3e0bf10e3f3b8e80d74

SHA1
e99dcff00a0ced495abc5b852ad077d2a61be5ee

SHA256
6d831091fe8a6b89951a7a7d0ab39fe08d615e357c9a2eef5d3b84a2e8e2282a

SHA512
bc205128998926e78d4606babe64da52ccc4fa5936cccf77d68450a4a3000a43394d46cc5e9d7325c9e66e660fd7546cd6f90c751e34841c250fc4eebea5fa27

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
97KB

MD5
8fc4b6dc29efabe688d1be127e1b9baf

SHA1
b0cf2e4b93b77309669edaabbef1e458acf93068

SHA256
f2bcf8aa6c7c0726a8ff3e961718cf7d03d278e8a821e27cb6f24dfdcaedefd8

SHA512
77f8d2a9cdea19a09c930a7a9f21bbddc45ce6a6debecf92d0925bbe571c0ed947d66d9353dfd2119333d278f81196ddb90c7be77cca0b5e8995dc53000b1b81

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
97KB

MD5
cc7c8d78b38886f0b47a9fd327327d61

SHA1
ffc694f841de408cf3730766753439851eb4eafe

SHA256
52113f1be196ca015fc9721ad50fa902848a3874a75785648e4ed66066c7835e

SHA512
d04ecb11d5146af438ad9aed5a5a415996c79c1fe08c84f8695438ebde6d236e73a8bf66461855b4e0c320b700f3844d1bb97161ee0ac286a5a3fb604a7942ce

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
97KB

MD5
df635831ccbd528edf5b08032437675b

SHA1
0fbff25611ee6cd23d294bf8fa68983b0c8eb70a

SHA256
c85abe966539d30e8db03918083e88bf4646d40471218b12ac4232fdc16f8b77

SHA512
e879511b2a953b2d3a4e087dd86799e6d9488dcb9b1d08f777c1d48e63cbe72065d12519660cecd2be3294345454afeb78211b484cbc8312634f076fabb53901

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
97KB

MD5
77cca81fed05aa1ab2a206953d8919d3

SHA1
0eadb8d01f2aec1865f4525e83972b71559c74c0

SHA256
fd8372ad16e017a3fcfc4693f54ccec6fab36720732dfa4298f8787aeecc78e9

SHA512
0a9b7c9dc457e9100938dbdb261b086510d8b1343e1ab86c4155edc5edc1ba544e110595e1429f8666f4dbdd6afa4a6af618263e50ef7249f8f3dc4ac1541134

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
97KB

MD5
c0dcb557c48a23bb204b2f51d7312349

SHA1
8a5904514432dcbb28ae6026c5ad64d2829fe047

SHA256
84e75d77dee1e5fb2125277ea877193e2b7ae1736309d3cef329c09a9624cbe6

SHA512
d5df63d73af4e2afc7f3adb0375c5acfb067953c7a8dde547a68d6b6bc75261f1a98045b16ed8ae44c415fb006c1fa9ae8486002dbcacb4a9ac5f32b669e1573

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
97KB

MD5
780cf359e6d797389010b831b8d2ebff

SHA1
03e2e7c5c1ab06e9f403f8863345d460a25854d1

SHA256
6b87d38a513559308cda633c96bcc7e7f89e6e196bb0418d5e20c65ce6c5fbde

SHA512
33154ff3ea49cb05fa62448c082de6a63a29f4bac9e26bca74aa7c96e57733b49b2353856f559c906582abba8c0adb129140064886228d5fda45d974d3cd8d8b

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
97KB

MD5
93c36c4e9cd5509f1c4f838134500b3a

SHA1
a71e101be1a6f8cba4f855d97b9226d82ba794b6

SHA256
e5ff55d83539e47e699922db8662290f5f778630cd97ab24ba559ce4d6c3044c

SHA512
2b0a9f0764e621676d2e38385bce862ef478e2f376d1f106195bd07a1c9df4c47dc06e0556a9b552de8269b8ab05f96f61ac4fd615d3669bc42ae46cf4410530

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
97KB

MD5
d76af7f6e7d01f5dd3ee6966d26736d7

SHA1
00c3b7b3b223e0b8f8c56791ec76991f8eee7337

SHA256
cc49fa79b5658464b9fb9e93f98a05bce8b298967d30028094b48779e06a48bf

SHA512
e39ef41cfd2eb4448897f0ce4dd8a3d996e285fe7e5acdd3d5c248ffe52f67696e607a2395194a1da6edbb94a0825bd17d3bff08a981bc9268a7657607d5227b

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
97KB

MD5
d4d63627e257be14226e8d54a48b7900

SHA1
bdba6c7fab4427242d93410c265aef2141ae4f13

SHA256
1d35a0d9e6675f4b344d1888cd1b14cb070babdbeb0d69302692b5ef3c0ed856

SHA512
3b696c8cdc7f4aa70ac942145a7e1912ea3d8059b67313d11d54587d8a3b47d4b8d0217a18015e8c13dd7e11c75571327f99de960271ecac676f0c5caf8b2af6

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
97KB

MD5
314b8694ac44aee7ee677ebfc01909ec

SHA1
0c9b36fa5e0c8a2e9f6ab1848e5f21d8b41de989

SHA256
69bf2b04d38f50028cb7fbe400e2d21fa9cf84fade91562c44bf2a32637a0067

SHA512
b4114560aa594719118d6fa63ab5dcd38aecd23481b8c6800e9802c3fc9a5e87657c4b19e563280dec5ff0cce899636d6b469cc6087d19feccc1af806c52f7f5

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
97KB

MD5
42a90cde549bd378ffa20611d3d40b56

SHA1
95ac8f87625b99b968328ff0811d08e847f2479b

SHA256
9f834a5822833546d67ec673680ebf8805b0b6111597c187b2eb181fba2f09cf

SHA512
9ac248a89068124d7dd772bfceba658ce4017976ca90e728baef6b09eec9d5a6cff3f699efd580131b51f40d60247ba2a25e66c0e3e4ef3ea934fed78198486e

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
97KB

MD5
65bb388e53aa4abc90e900cac1146f07

SHA1
a9d7b38e341b4212d7992281655e467d39af0c18

SHA256
a8aa03660a7195916fb2a37e57ed58017a3de530315425d258dfe5f2ad6f9433

SHA512
aadd0d82b49737f925eddd9b08ac88ecdd95be05b9d689a68e1588040d889437a1d5579f91d870697381042e9a2d29b9b40b8b780f2ae403eb007d4468e5a7b8

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
97KB

MD5
2360569736be40d44ff08ef1af6d7f11

SHA1
ccbb44182c85d39dbc9508c4a589372326caa3fd

SHA256
2c78675429bd5258e83069d0d83c49747fdb06a10ee3fac6a4bfe03c9f16d4e7

SHA512
e61910e7b471d7d926370b8a4abdb78c9aa99139f81f2136bdd381385adf66990658ee52a8bb17068c79436cadc92f12cd4854ce8508055494f2b462fdfe237d

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
97KB

MD5
e1b9a0d641d8fdcd731c9566e2a9a83c

SHA1
a09254f4f92a64e1deb4a6f31234d84d5401b566

SHA256
baefd88dd624eefc5262295d4bf383b5050d0d0e924032f8928a1860f3a0da4e

SHA512
0ddb1c91f2bc44953b2ef107d17476e04a7dbfc3ed523e984d0962c01f931f65441de059bf66b7efba9b2e50a0faaebdaea0e8181617236e42b37ce120b22320

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
97KB

MD5
1400cb6105d0a6152f342ebf9bc81acb

SHA1
5cde80bd36a4e90353556dacf5131b9b646b73a7

SHA256
47e8f03a6e5e8b18f7b3ef744ec522109bace367344d6717491e8fa2f0054ab7

SHA512
c2027914f7cec9d2d7fc9f7c5fb8d8f32eaad41a24be9ffeb4e8166e9273317bade397b8b231ceb4e0afe247498a66d35afeb445a8f1403678ab29a6d78dc9c8

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
97KB

MD5
a262afaf40f19ee73b22afa132c5e893

SHA1
821396bf25136a746e2398eb8d369adc8b4861b3

SHA256
9507a65153920ed659fc50a7e9fe7a514a188b07cc8dfaef05a33bf55b7f2632

SHA512
d6b3f11f9b04186c92d91bf2b3e15da8c97f428efdee08759be16df051df62cab78e5dd071b2dbab625312669ce8a1cf14fa0b4d2a32bcab834948db85e5ca2d

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
97KB

MD5
7254af2a17a32a313b455379868e9fff

SHA1
adbc6fcc0dd683c93cbcdf7066d4e3b70940082d

SHA256
3c23fd4dd930613d5141a2ec0434907134949816833c8d17962a95e0c6de421a

SHA512
f0cc635ed3bb78b4f54d0306decc49cd48191f430236a09312061cccf7f83cd4978477fcbccf3dc79c09a3aabbd23a3adaca8f95d73732649329e3c65ae4f12c

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
97KB

MD5
90470c4e51c5caee571436f159ef2e45

SHA1
7ecd484ce40398c2e3abd187e0533f22578fb433

SHA256
ad5bd905e860e9cbd98ad1f68c1dd7685250c45820598f03f63258eb0368b508

SHA512
d49e224d1e3aae0645fb83a1e22dc4c7caab944aa6990d5f547f4fc53115c00569ae66bde6e13dc2141edd287eeba9514d8816744f525877356546936dca4247

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
97KB

MD5
89137bc16ea4572c07a153dc1ce3a0ca

SHA1
c04e126afd3577c7537df287b14845ea9abb059e

SHA256
66873b0d6a4a1ce00f567078a99088c97b14dfbb9264fb676cbf9083c39276d2

SHA512
7dd6e8eb7fcc4b067544f086de5451407f3c19c1f6bc1c8b2af891583fedeb30b1b0ccced627b04ba36401d6e38355f78af3d2a169855da01939800af395570f

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
97KB

MD5
a108b4530a7d713c7496c1c90ab321de

SHA1
ca3cdbde97195e2b599ec17eb68689a8790dc0ea

SHA256
678fd1c125341f249b852f5edf2eb57231f0afd54784feafaf16a9edca2ec993

SHA512
0631c9deac4c8f4b5dba80de74b27095fcaff3c502e84c37b6ceb6d9da9894002d97e20c808ee9c1e94d371a1a2002b844a4a836bdd090d4fcaf320ab425e76e

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
97KB

MD5
84b4d27850966c981b72a4a8725c03c9

SHA1
0ec3d6210ffda32d0a7827cbc8e1f0425e6128bc

SHA256
b42e61fd29bc5abf1d62e4334c66e35b5f0ead5271698e0bd9a67798d51030d4

SHA512
362dbe0754efd6f7fc9d40db7e917b065b58174a799ad885e1d4bde26d3e150a07f64cdfd8b1d8abcb835b190fa217819fbaf0615b90eebfafb664334bcb457c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
97KB

MD5
7f96e2a30bcbfdca1ae55ba5513968cc

SHA1
1662d797524b8d70fff8a2b71148bca55cbbe252

SHA256
311f8e2ebbc7a0dc4cb48da87a7eb208c503ca78bd6dabbe225fd19896bd18f9

SHA512
1174cf9bf8da6b7fa9c6a836f421818379d232cee9a8bce193ae44c4dbf219410546baf3ad4ccbbfc1c750833ecb876182e69f18335f336e9e8f8f08ba2e458a

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
97KB

MD5
d01d551ffaf7db17699e007e29e35230

SHA1
90f33a5b6eaf12ab67e1d45026956746f28592e0

SHA256
3e1efa9960d3e0cc6f4b4c9e292b101cedc0f6b98ce5883256dc95929bea0317

SHA512
055151ac706cab06231e408d250102ed784f1129fc6ca0c9da8cd9463b42db923205b4d8279a34dcf35921b3d3fd01735d3de12d6f101a7067375c9fd453c386

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
97KB

MD5
af0c7e636b4d4e4470665f710030e4ff

SHA1
a6609bdf181df40b600bbff5ad88f3df376ddcc1

SHA256
5c6102fc21bbba304063e10332a2689c798d85a01447207fc3cbfe2768ec0164

SHA512
7e0640c14655225f61bc7876a3b9d0ce1576da1c78f2ea027f78c686d06f55086ba0e23c99c8d75cce8ae5f0dc0a0237ae8ebd331a3c39337e45588c67c374c9

Download Submit
memory/312-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/312-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads