berbew | 8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1

Analysis

max time kernel
130s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
Size

96KB
MD5

af42d351dd465a0662442baed79a6b81
SHA1

2aee856eb170f54468eb711113fb00697270d7a5
SHA256

8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1
SHA512

910fbc3c43b5b76334bb71b9a34f9db153572e2b2a73816243d645c2ce5661f8f5d4859c8a6e889249cf2d796f41fa9b1eb348bd4fc7789d655fdd9014477962
SSDEEP

1536:A2oL1ldiJ0eDzuIwLDqIsZrxHDc2LoZS/FCb4noaJSNzJOV:SpldL2KkxHRoZSs4noakXOV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
3768	Chjaol32.exe
4440	Cndikf32.exe
4068	Cfpnph32.exe
4356	Cjkjpgfi.exe
1660	Cmiflbel.exe
3044	Ceqnmpfo.exe
2500	Chokikeb.exe
2512	Cfbkeh32.exe
5036	Cjmgfgdf.exe
2236	Cagobalc.exe
4200	Cnkplejl.exe
3156	Ceehho32.exe
4400	Cjbpaf32.exe
4524	Calhnpgn.exe
1532	Dfiafg32.exe
3568	Dmcibama.exe
4796	Ddmaok32.exe
1792	Djgjlelk.exe
1020	Delnin32.exe
3572	Dfnjafap.exe
4208	Dodbbdbb.exe
968	Deokon32.exe
3304	Dfpgffpm.exe
2320	Daekdooc.exe
1932	Dddhpjof.exe
5088	Dknpmdfc.exe
1044	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3728	1044	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 3768	2584	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe	86
PID 2584 wrote to memory of 3768	2584	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe	86
PID 2584 wrote to memory of 3768	2584	8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe	86
PID 3768 wrote to memory of 4440	3768	Chjaol32.exe	87
PID 3768 wrote to memory of 4440	3768	Chjaol32.exe	87
PID 3768 wrote to memory of 4440	3768	Chjaol32.exe	87
PID 4440 wrote to memory of 4068	4440	Cndikf32.exe	88
PID 4440 wrote to memory of 4068	4440	Cndikf32.exe	88
PID 4440 wrote to memory of 4068	4440	Cndikf32.exe	88
PID 4068 wrote to memory of 4356	4068	Cfpnph32.exe	89
PID 4068 wrote to memory of 4356	4068	Cfpnph32.exe	89
PID 4068 wrote to memory of 4356	4068	Cfpnph32.exe	89
PID 4356 wrote to memory of 1660	4356	Cjkjpgfi.exe	90
PID 4356 wrote to memory of 1660	4356	Cjkjpgfi.exe	90
PID 4356 wrote to memory of 1660	4356	Cjkjpgfi.exe	90
PID 1660 wrote to memory of 3044	1660	Cmiflbel.exe	91
PID 1660 wrote to memory of 3044	1660	Cmiflbel.exe	91
PID 1660 wrote to memory of 3044	1660	Cmiflbel.exe	91
PID 3044 wrote to memory of 2500	3044	Ceqnmpfo.exe	92
PID 3044 wrote to memory of 2500	3044	Ceqnmpfo.exe	92
PID 3044 wrote to memory of 2500	3044	Ceqnmpfo.exe	92
PID 2500 wrote to memory of 2512	2500	Chokikeb.exe	93
PID 2500 wrote to memory of 2512	2500	Chokikeb.exe	93
PID 2500 wrote to memory of 2512	2500	Chokikeb.exe	93
PID 2512 wrote to memory of 5036	2512	Cfbkeh32.exe	94
PID 2512 wrote to memory of 5036	2512	Cfbkeh32.exe	94
PID 2512 wrote to memory of 5036	2512	Cfbkeh32.exe	94
PID 5036 wrote to memory of 2236	5036	Cjmgfgdf.exe	95
PID 5036 wrote to memory of 2236	5036	Cjmgfgdf.exe	95
PID 5036 wrote to memory of 2236	5036	Cjmgfgdf.exe	95
PID 2236 wrote to memory of 4200	2236	Cagobalc.exe	96
PID 2236 wrote to memory of 4200	2236	Cagobalc.exe	96
PID 2236 wrote to memory of 4200	2236	Cagobalc.exe	96
PID 4200 wrote to memory of 3156	4200	Cnkplejl.exe	98
PID 4200 wrote to memory of 3156	4200	Cnkplejl.exe	98
PID 4200 wrote to memory of 3156	4200	Cnkplejl.exe	98
PID 3156 wrote to memory of 4400	3156	Ceehho32.exe	99
PID 3156 wrote to memory of 4400	3156	Ceehho32.exe	99
PID 3156 wrote to memory of 4400	3156	Ceehho32.exe	99
PID 4400 wrote to memory of 4524	4400	Cjbpaf32.exe	100
PID 4400 wrote to memory of 4524	4400	Cjbpaf32.exe	100
PID 4400 wrote to memory of 4524	4400	Cjbpaf32.exe	100
PID 4524 wrote to memory of 1532	4524	Calhnpgn.exe	101
PID 4524 wrote to memory of 1532	4524	Calhnpgn.exe	101
PID 4524 wrote to memory of 1532	4524	Calhnpgn.exe	101
PID 1532 wrote to memory of 3568	1532	Dfiafg32.exe	103
PID 1532 wrote to memory of 3568	1532	Dfiafg32.exe	103
PID 1532 wrote to memory of 3568	1532	Dfiafg32.exe	103
PID 3568 wrote to memory of 4796	3568	Dmcibama.exe	104
PID 3568 wrote to memory of 4796	3568	Dmcibama.exe	104
PID 3568 wrote to memory of 4796	3568	Dmcibama.exe	104
PID 4796 wrote to memory of 1792	4796	Ddmaok32.exe	105
PID 4796 wrote to memory of 1792	4796	Ddmaok32.exe	105
PID 4796 wrote to memory of 1792	4796	Ddmaok32.exe	105
PID 1792 wrote to memory of 1020	1792	Djgjlelk.exe	106
PID 1792 wrote to memory of 1020	1792	Djgjlelk.exe	106
PID 1792 wrote to memory of 1020	1792	Djgjlelk.exe	106
PID 1020 wrote to memory of 3572	1020	Delnin32.exe	107
PID 1020 wrote to memory of 3572	1020	Delnin32.exe	107
PID 1020 wrote to memory of 3572	1020	Delnin32.exe	107
PID 3572 wrote to memory of 4208	3572	Dfnjafap.exe	108
PID 3572 wrote to memory of 4208	3572	Dfnjafap.exe	108
PID 3572 wrote to memory of 4208	3572	Dfnjafap.exe	108
PID 4208 wrote to memory of 968	4208	Dodbbdbb.exe	109

C:\Users\Admin\AppData\Local\Temp\8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe
"C:\Users\Admin\AppData\Local\Temp\8f5d9ac8c4a72fdd167bddaf66da4d871069ef8f12fe4f53ac1b11424a8eb0c1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\Chjaol32.exe
  C:\Windows\system32\Chjaol32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\Cndikf32.exe
    C:\Windows\system32\Cndikf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\Cfpnph32.exe
      C:\Windows\system32\Cfpnph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 412
        29⤵
        Program crash
        
        PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1044 -ip 1044
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
555175f5099d87a5d899f86006d15b10

SHA1
5c72e985259c1478257cefd642070a815ddcd4d7

SHA256
f40ae9d96772b64f82251d11a9ab5c2d6a86980d21d8e482415c3c81af6dd5f8

SHA512
fe00c9ed35079ee45e093b5b67f7773fda52c81b9a7ddf4efbd010267916c1dd98dbc29dfc9bbeb1b2662eac9f1b9936efed5dcd7f7df3c0c8742cf0d50aacbf

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
fa4393cd8cb849464fbf398514f97f57

SHA1
a35d06fd7947fac498ca2189618ed4ba17128928

SHA256
228a2634bba0aa5672f3bb47a827d0c9d9e180e29b8fba142b21ac9b8a7db420

SHA512
3a88a5fbe798cc3b0ffb940e834380b2f45a50efd061ac70c563aab1969d036b757365816f5ec40e5f31b613f787ab08c4b3035df4f097f9fae01ae5d2cd4d2e

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
3bfada9ca8dcc7b792e178b6d7d91448

SHA1
5c906374dc9d489b5439a70b58a25ac62d19c504

SHA256
f8a622d608860b806c4392cb351f3e1bd494d77e31591726cbd601e076dc3c48

SHA512
f31f03a41a05e65ae7e2d09bb8252e6e2c127485f74d9b13b79ce7fcda726fabac819c4c39f843d8028ab8303f80eeac01ee63dc3c72b3f7555d103b5288d610

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
a58e973810e5122b5713687e9a008c41

SHA1
127c8d79923db4947e64047d2b193d25a38b2dad

SHA256
13c7be0fb7fb3baed9a5a022f8dfaedba50979cdb80540c8a83a6328315dd5ea

SHA512
7ba7ff4cd328740fd261fd1216954efd76d37b63cf2b7bf4a61e9b79cd371e9fe2ea12dba3a6b110a3068f9aff66bf31928fa4f4735dd4f69c564dd62b35bcf7

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
dfa85148cb7b7588eb283c9300415884

SHA1
6773aaa281e750ce855f23516d57d5ed6487e1a6

SHA256
8c977f65466a25a878149566945d2ce035ceba2931e50ab08d57bf454b7d07fc

SHA512
b90c97ae435be24ad9f702bfd872c0e919770fe9a8d1c86004b1f3192eb6ff96e9b78984d5978240f0931f220f780017563c577965a73d0ad52147c11126f170

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
96d625c9ee45940227afaa8f68413134

SHA1
8ae66946d853181f4fe0b1cbe57f101acaca3844

SHA256
28349cbdd4d36b710e6b3829c1a01071aa40606f2b3b6d9cbb47b25dd1de853d

SHA512
d8ea9767b4d076f0b47ce33fe7bba2be28ecadf72df5c7f41b9d97aab4a06df8ab4fbac9e9af2b1f8a5a255b1b7d83407ee31822f00eb85f58d268c22fe8114e

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
4eb54158f1566280768b1649ed129573

SHA1
8f7c9c6a74d356e4e13e249773945c7efd98c74d

SHA256
e6d306a82d642a1a4c7c2e0029741105608e5aa4a3b7e968eea7f8c4797a4a0d

SHA512
6cee0d92a5e351d8464323594432926b98e8fcb40555ae5627e9975c7acd924d547f3be01e0835ece2908e6f1df77142a6f4e33e66dc38ea12291c1cb344f28f

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
692724ce34d0a15972aab5aa385b37c2

SHA1
821eb3848491240256b6e59cf9b40c8fb8ded16d

SHA256
55698448995109bc749552b20313afec958c4c0e3bef69378fefcbd8d98e7ee7

SHA512
8a76e1b971c341cb74cab16cbd25431081e766e6af47d247a6166a0429aff6f7b433e5eda32bdd95de727fe703547df4df2d450be6327816ff87caeeb740ef68

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
96KB

MD5
5fea3abe4f8c10570f5c96d8ed0b02d3

SHA1
616277a0e9d59ab2ec5eec13d1ddf23b56020613

SHA256
97d8fd6eba26f236b8eca8f0c8456f71ddfb0e7b0c750742105c6d80e663a42e

SHA512
886e7d12757ec28469efcd97549c58b7836e0d8a97a016d53a4c3d4225d14a3eb7c2b00c62b8c2e99203ad712abeae04fa1a78f9cc98ddf22cdcf65ee3dd8b27

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
3e3856b7722bf8c6e288d7bcf08aa2f1

SHA1
1467992bd4cb7b77b170f0a6259fe852e23ad053

SHA256
191b0ac8e5d36a798b43456b7bd1f43c799a77e4d1ba4f10e0cf236b1abb1411

SHA512
5a3c81bc90da6370f5396438277640268c19ee68dbd7d0c69319163ab084547142572fe8b124ab52adadc2ab6d9d0538b2cc1890e19647b236c53ea08ecdaf79

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
f7114807a94583070407305e7592400b

SHA1
550874c8b122c3f9b4efb277f4516c842b73e29b

SHA256
6ffe73004788edb644f03b1211c4e400b3cb05aeb05d565e592ac63217be08d1

SHA512
d1c2c012f42a631fbdd853fa1432f0c1d7cb86a1f219dba870d1b91e1bb99af79abb42b9a7c9dedc98afec8b703a662a6b93f7819c3cf71fab05f0848c936370

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
858844e9e85b991565323c336d2ae256

SHA1
300e558888f3aae843c684abb66f568d34206023

SHA256
d1e4feffdb8248b6d81b2b7d30fab94a890651807cbae881ef70fd178d7e20e4

SHA512
f7b4e67f088d66e9b71403530146add5468b4d41751c0770d6d2f6fc3846268cbc43b36675574f3bcb5ceba8d4d15cecc4ffb4ccb179fd9642d47f065fa43caa

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
96KB

MD5
3586c7ec2702c9941fbc44930442d7db

SHA1
92053f590b3b5664e9343f8134aab15bd6daf0b7

SHA256
e8079a217420ced6d5da1fd0e0b4f650959d6f39fbf6bda65dddf9279deb88a4

SHA512
38fc6945d9b598d1fba1ac16b1c517f0f9c9cff9fc9273f4014c52e82e3e805cc2cef10d70ffd008a5082e131570795df8406db8bdb20ea292461cfc669e764f

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
c5cd2b5c96d9c987fe4eeefe4b004848

SHA1
f601a10267c1336e5b365688fb1dbd653dbeb1b5

SHA256
3be91a99dcc0bd956e3301a4a9c4a162c1c387183e05fde463004dc0d4288b15

SHA512
3d440ba8c2e2f188a59813323ff6dc523399a679b6f079aa3e02bc04c34087df6e8be09ebd7d8e085116612be3cba8f11a6b24fba4543908b3a6e84dce487082

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
d541e7414cf26a330db81f276910fbe6

SHA1
815555c4c57d370a084db6cbe81598b6aa30804c

SHA256
87342d7e2a3a56eae0dc01253ea18e420c79f0dbd2b7ca0901279487303e8cb9

SHA512
2ff3e3916be895303e3e349daeeba98a769e1209fb7f4fdd7400e009e59d1c44882377a9cfccf1d3df2882c2c96b3f0c77e6855d48a6f201f27ff987cdce4adb

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
4e2cb25f050b8cb816e0cba2594addaf

SHA1
35f46c59dbb18c5967ab2d4b9f3224b281e0e4a7

SHA256
28db039b44e71bc5e1bc11a3623fe6b9a793f3c393222c88cb9446fe555d879b

SHA512
18799791fce11c0379143d587d8a1907317388d27be059b308fec38b026857c9e4adacb4e1711fb1dcef6d3fc4727a01feac72f02f0490419ad1481875675036

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
b77d12fdd8a1df1d24cfd1e86d77c8b2

SHA1
0e898c5a61c2ad0444fc3b174ff36482b24bb65f

SHA256
6b8f8b95d3ce25cb8f16ee2e18318ea64125af8887a931c290b55ae12869be16

SHA512
cf9202f336f68cf24664c2a7f94e8eef6505bcaeb228811b86d316732f6481103c5bd0e74b29d4b1ff2bcc6a411f5e5e724ea143a1310363b46e38ff0dd2ea6b

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
262d0704c3a64d5dce8ca97a80a036b8

SHA1
2cd898a05473e227fd15b2002266bc4360e6fa72

SHA256
2e0aad7dc382945cc9c23ea40ff70cc645d2f14d0c9e88fdc5bc9ab5fe77e32e

SHA512
5fb8dad99871809c3d771641e85c1d3167185b9f702e686ea385b60febabee2eedd4f8da87f40e322648c66cb8c6f478cc4acd1f104a23ac5a6f6074630155fa

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
71a27cc048570094063bf7434125e2e8

SHA1
a8bcdb5cdc49655758b84fee53195c088797253a

SHA256
e54992bf9622964b49a97689962a2a8f06849014035f82cc91f16ab0df4bd7fc

SHA512
edecc41d6d8c925ecdbc3ec35706503dfb0bfbc1b7b25cb8c9158ea1854e13fde60e8e950c51a00235c663d3e58640c05d1d57a9848d7fec04b9da5017779da5

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
9b23703c5d12ea58294564e6af6107f4

SHA1
4b9c54a73fc9efd0cc7d0ebf38e1f9b5551aa20c

SHA256
54a2d5dd307296d912d99aeacf1d8911e8ee688a7d0b83e13e8612145bb4fa6b

SHA512
3311cbd9b0bdcaa27feb183c1a55b419f825eb3baef4a341db77fbdc1e288334d2ff47d128a0dab5d330d6e107614d9f7316b77e5e549e1b2eeae325abe57919

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
9cd2021a65087078d9b9bd1c7964e4e4

SHA1
4da2f4b1ee3cfa864b99ddf84810a0b294e8538d

SHA256
2ce09b32d34106abf26c1eb993ec52fd60a224d73ab4bc67693e5ba54ba84b35

SHA512
159f6058b584c26b19194de9e361c7a8a2c94ecfd1931007fbb777eb5661ce9f9468355d9394c938eade15e1561d8237b229878ad4740396176220f0cda4bc42

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
1a63e25df7be80e60087fd6fc2075e69

SHA1
bdae54b6956d4998bd5fc55905d12dac700b0a0b

SHA256
6965c171d061f026d6a082a9f7a744c70d97843091040d46373cd5c63d2e12c5

SHA512
1066c8a0d48c27c4ed9be55849da16ede1743ede0c3668cd9e7aa164ea62ccb7f34916246a8e4457ea510a75de1453e87b9fb737cda8013f74ecc240b49e4fcf

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
362c3ce31a67cb4748de6236469f636c

SHA1
b130fb281aaa34e19447a305ccee7d0a7c0ba22b

SHA256
7bdbefa62c1ccd12390206263b823f375954bbfeb4fc0e344b94162f484ddc54

SHA512
d440e8346287ae8a5e4fd4963af14801676b9cc662f7f98d0515597d890b623b5c44ed66df374259746773ea0861dce13988ad66a5d441d18a3af418ab73e7c9

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
1be5dc73f2935b9924aedba6ca311032

SHA1
e169b9d2b23822afc43aa6a9793e229c2f7b8cd4

SHA256
2514ab58f786752dd9914f99b962ad3bbee9a21d25e6e52409416a9379ecf590

SHA512
c0bdb50f740ed09ba70061bbed70d37b3899d4203212536ac96308e9e4c9c7bb2831acb0b2b588fa1f3fb661bed313b2389b41d825fbec9a6e58a7d7f10c00cc

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
c47d75c53f0268bfc7d7ae1af082e8ce

SHA1
1133ecbdad07653f889acefe2310a12ce01e4fc2

SHA256
e662a991953c95dd47e28e396cfcc18a1ab21ef4cbd58f563af9192977a3bf60

SHA512
16728b75aacadc16bd9af56caf1b206368e36858973e862696e99b106980b5a721032d987dd4a0333c123f14e4802816f2d3bc7b59b4f84d38bc6831145e4a16

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
859f1e32cf6ce99ed84255887a54df50

SHA1
90283cb6a790c556c2a0553b3ef1c533ef6395e1

SHA256
18aeeb04ea6c09d3c5165b1c260a06be08878c7ea9453c20eaf5e911a35b88a9

SHA512
09487b294b1fe84b07f1bf74f040eaf729c66894759a7f5f60b02e2ae39d2c5a585e821ef97883e91686bb28162af931ffcc276e9238659c87ab463aa3d3838e

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
aaacc794f00ea5a279587585e30d6c68

SHA1
4bafe687427d707033454d61f883209a2386945d

SHA256
701959152203753768b2557dae63c523330d5d12b8e95fc75110b6987c196dde

SHA512
d5daf685caca84fd79c6df005aa72a80f7d94d7551e132d829f9db7de25b3f219102ac4a718bf00fb9c17f40a0dc21bae56486047771808c527bcc16db48841e

Download Submit
memory/968-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2584-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads