berbew | 2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Size

57KB
MD5

59ef6242f59431554df578bb6de5eaa0
SHA1

3cb9b5e74ecf2c1f2949082c2399317f9f0557bd
SHA256

2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80
SHA512

73ec8978d0e7cc95db2ac1944322e88acb4838c50718abe2a11d899081a67822c65b3bcf5b46e8eaf1d38b9d4ca003af172ccf1ab23c2bf07ad72132d1064e55
SSDEEP

768:Vo5oWymmgbSLPW6fR0ucEU6doYzkp+cItoGHVA/1H5KXdnhg:t0cjKuHOMtBHM6

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 35 IoCs

pid	Process
3140	Bmbplc32.exe
3172	Beihma32.exe
1284	Bjfaeh32.exe
4984	Bapiabak.exe
4820	Bcoenmao.exe
3556	Cjinkg32.exe
2452	Cmgjgcgo.exe
2916	Cenahpha.exe
1436	Cfpnph32.exe
2864	Cnffqf32.exe
4540	Ceqnmpfo.exe
4028	Chokikeb.exe
4708	Cjmgfgdf.exe
3032	Chagok32.exe
4940	Cnkplejl.exe
3096	Ceehho32.exe
1420	Cffdpghg.exe
3988	Cmqmma32.exe
4692	Cegdnopg.exe
4632	Dfiafg32.exe
4644	Dopigd32.exe
216	Danecp32.exe
5012	Dhhnpjmh.exe
2732	Djgjlelk.exe
1856	Daqbip32.exe
2240	Dhkjej32.exe
4700	Dodbbdbb.exe
4388	Daconoae.exe
1672	Dhmgki32.exe
4908	Dogogcpo.exe
3984	Dmjocp32.exe
4088	Deagdn32.exe
4976	Dgbdlf32.exe
1160	Doilmc32.exe
1272	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	1272	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3140	3488	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe	82
PID 3488 wrote to memory of 3140	3488	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe	82
PID 3488 wrote to memory of 3140	3488	2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe	82
PID 3140 wrote to memory of 3172	3140	Bmbplc32.exe	83
PID 3140 wrote to memory of 3172	3140	Bmbplc32.exe	83
PID 3140 wrote to memory of 3172	3140	Bmbplc32.exe	83
PID 3172 wrote to memory of 1284	3172	Beihma32.exe	84
PID 3172 wrote to memory of 1284	3172	Beihma32.exe	84
PID 3172 wrote to memory of 1284	3172	Beihma32.exe	84
PID 1284 wrote to memory of 4984	1284	Bjfaeh32.exe	85
PID 1284 wrote to memory of 4984	1284	Bjfaeh32.exe	85
PID 1284 wrote to memory of 4984	1284	Bjfaeh32.exe	85
PID 4984 wrote to memory of 4820	4984	Bapiabak.exe	86
PID 4984 wrote to memory of 4820	4984	Bapiabak.exe	86
PID 4984 wrote to memory of 4820	4984	Bapiabak.exe	86
PID 4820 wrote to memory of 3556	4820	Bcoenmao.exe	87
PID 4820 wrote to memory of 3556	4820	Bcoenmao.exe	87
PID 4820 wrote to memory of 3556	4820	Bcoenmao.exe	87
PID 3556 wrote to memory of 2452	3556	Cjinkg32.exe	88
PID 3556 wrote to memory of 2452	3556	Cjinkg32.exe	88
PID 3556 wrote to memory of 2452	3556	Cjinkg32.exe	88
PID 2452 wrote to memory of 2916	2452	Cmgjgcgo.exe	89
PID 2452 wrote to memory of 2916	2452	Cmgjgcgo.exe	89
PID 2452 wrote to memory of 2916	2452	Cmgjgcgo.exe	89
PID 2916 wrote to memory of 1436	2916	Cenahpha.exe	90
PID 2916 wrote to memory of 1436	2916	Cenahpha.exe	90
PID 2916 wrote to memory of 1436	2916	Cenahpha.exe	90
PID 1436 wrote to memory of 2864	1436	Cfpnph32.exe	91
PID 1436 wrote to memory of 2864	1436	Cfpnph32.exe	91
PID 1436 wrote to memory of 2864	1436	Cfpnph32.exe	91
PID 2864 wrote to memory of 4540	2864	Cnffqf32.exe	92
PID 2864 wrote to memory of 4540	2864	Cnffqf32.exe	92
PID 2864 wrote to memory of 4540	2864	Cnffqf32.exe	92
PID 4540 wrote to memory of 4028	4540	Ceqnmpfo.exe	93
PID 4540 wrote to memory of 4028	4540	Ceqnmpfo.exe	93
PID 4540 wrote to memory of 4028	4540	Ceqnmpfo.exe	93
PID 4028 wrote to memory of 4708	4028	Chokikeb.exe	94
PID 4028 wrote to memory of 4708	4028	Chokikeb.exe	94
PID 4028 wrote to memory of 4708	4028	Chokikeb.exe	94
PID 4708 wrote to memory of 3032	4708	Cjmgfgdf.exe	95
PID 4708 wrote to memory of 3032	4708	Cjmgfgdf.exe	95
PID 4708 wrote to memory of 3032	4708	Cjmgfgdf.exe	95
PID 3032 wrote to memory of 4940	3032	Chagok32.exe	96
PID 3032 wrote to memory of 4940	3032	Chagok32.exe	96
PID 3032 wrote to memory of 4940	3032	Chagok32.exe	96
PID 4940 wrote to memory of 3096	4940	Cnkplejl.exe	97
PID 4940 wrote to memory of 3096	4940	Cnkplejl.exe	97
PID 4940 wrote to memory of 3096	4940	Cnkplejl.exe	97
PID 3096 wrote to memory of 1420	3096	Ceehho32.exe	98
PID 3096 wrote to memory of 1420	3096	Ceehho32.exe	98
PID 3096 wrote to memory of 1420	3096	Ceehho32.exe	98
PID 1420 wrote to memory of 3988	1420	Cffdpghg.exe	99
PID 1420 wrote to memory of 3988	1420	Cffdpghg.exe	99
PID 1420 wrote to memory of 3988	1420	Cffdpghg.exe	99
PID 3988 wrote to memory of 4692	3988	Cmqmma32.exe	100
PID 3988 wrote to memory of 4692	3988	Cmqmma32.exe	100
PID 3988 wrote to memory of 4692	3988	Cmqmma32.exe	100
PID 4692 wrote to memory of 4632	4692	Cegdnopg.exe	101
PID 4692 wrote to memory of 4632	4692	Cegdnopg.exe	101
PID 4692 wrote to memory of 4632	4692	Cegdnopg.exe	101
PID 4632 wrote to memory of 4644	4632	Dfiafg32.exe	102
PID 4632 wrote to memory of 4644	4632	Dfiafg32.exe	102
PID 4632 wrote to memory of 4644	4632	Dfiafg32.exe	102
PID 4644 wrote to memory of 216	4644	Dopigd32.exe	103

C:\Users\Admin\AppData\Local\Temp\2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe
"C:\Users\Admin\AppData\Local\Temp\2280c9814a1f93111331314f0ee69d558af2d1410168f382945814877ed96f80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\Beihma32.exe
    C:\Windows\system32\Beihma32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\SysWOW64\Bjfaeh32.exe
      C:\Windows\system32\Bjfaeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 404
        37⤵
        Program crash
        
        PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1272 -ip 1272
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
57KB

MD5
cac3c48fb7aaf7b1355282752d94f47a

SHA1
03c74ba09e7beaa0c3237ac67a02489404a4a4b6

SHA256
e714025e231c8b779dace9bc15ce1e733cc2b04e4c53c5ce7f6dcd969c1b79d5

SHA512
1ae117affb7721a25773fd59684951a64b2f1e36f221d809ee802946cf94182590f06dbc88dd5a94460af09ff1761c201c56174879d850288912997dda551f1f

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
57KB

MD5
b02de2bd87e86c41f4aa1769d3c88c29

SHA1
2d85598d0621f831b63ae806466610899a0f4e6d

SHA256
ba5b232d382ed890e9611bc539084d22a3708132685a4be41e1c5f384acd6e80

SHA512
7a6cde3b0caaf42112f0d256aed0c2016dca163c1e7faf14f5332747135d90f033d0127da0c25770fcc5b93854b2a4c17613c0c4469dc020fd52b2054f094dca

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
57KB

MD5
104843b9221326188e30a3d6154dc561

SHA1
9fc9b26f54c6646fb317ccf9cd2db96ae29efa61

SHA256
82368c1023e21e11a147a91d1b51193f7c7ae126964dfc1c13470bd8ca3bb21a

SHA512
49ba0d31ce5853d0c0c07fbfbab57fee3a3f2a69ab737c2fc07fb061f9d40f0c586209afe34b6b577e20f2a45ab90ef86daba8b8fbbe5ad2afdd65631efb8b29

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
57KB

MD5
bf7d698bbe2383a1ed8659fc7d6c62fa

SHA1
3f6a5b5db5c32397eade49a0df58122eb0555d04

SHA256
4b6c63658a83d00d666ca0345986cc0dd1bc77fdbd9236d6bd0f1afa03963954

SHA512
cc19a9139b917069102e5eb7dffa0426d5c480a477a34565b25454e1af2933a9d2639faa7b72c96928f59c05e0b2a265328411733e04213dff3268475f1c5d5e

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
57KB

MD5
b9174c4ac92380be93a7324863679d73

SHA1
fad3b0aaacb98344cbdc6b3d25fe589e5dbd0bd5

SHA256
c895bf4d2b57302b31de4d4543b1509ad61f37f2fdc2022b840ba0d2ff6c7be2

SHA512
c22335267b2ec9b1d7f46316bd6c3cefd3de917517a0e4f645f09f91c6651392477527bbcb103f2735814abe9c7008d56e98cd3e845f6fcf9ed79e18f9929b13

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
57KB

MD5
264657430a1259b32551752bd1a321a1

SHA1
cadb936ed4a12e39d1d2e0a3c344ba890769e11b

SHA256
75e27fbe67df08db001dbea47af9edb475bc1c32b60912bc40dc767f0f19dca4

SHA512
aa567979650a96f3899f1d2165242adf7fcdc39c1480ef477dae2c495c68b4b91f172e34bcd8c9276c790da22da4ef41389e104601e569d3313fd6801e215604

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
57KB

MD5
f0098a79ec14bb2c9c7a3e203e92c79e

SHA1
ccd43c8b12b6dc2d104c0dd1f111fa629cc35f88

SHA256
8713e281eea694e391f11d020df17d12a7c5bf304486b8a5f007f17dcd813cd7

SHA512
6de65a6ecc2e1493b688de195f1845152a91b3340f70de406f8d06cab5d5300ae115efee535cdceed55b83f542df030d73a845088f1c58f58509bcd354fe3b72

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
57KB

MD5
22ba319c67a180d762fbcc56ea528d5d

SHA1
35db4e348a167111436929f03f718785489fb57f

SHA256
ac15a92cf5f0194082ce15b840621424dc2eaa11e6ff94172994f5542f699453

SHA512
2d602d98083a5edefe99de4af1764c3fb9e1bf6cb05372b1edcfe7c546dc19957af9d923e375b199fcb067a30443b0bab8920faa0ecb30ec90fd2f6bcd16a778

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
57KB

MD5
78017560268c530dcc59b8829180d911

SHA1
c15f4e1acd1b60c6678aec0b56362a513fbe1cb2

SHA256
ba776d55dd4d224525f93a6f2fa267839d786a35c0130e2cf6b02158f891b5e8

SHA512
2c95d287ef3f18d4f892c4b360b69efced5107d64b079c40e2630fe686cd900bb1fbc8caa85c300191c5f72412c5043cc294bc7bcb9fd6f28084741e572a05b2

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
57KB

MD5
83ff7fa714905544156503e59d0ea4e1

SHA1
795358b09fbd70164b9e7ae5cb90b716b6ae4574

SHA256
996a60de5c2a76f1cc860f72eda66dee4b9027bf1725aa985591e46c37365ffe

SHA512
c831d5f6785cfe41d56b0a430ea4a24b104694135cce4de01472497b31d92deb43269881d5273f42a41a9b98d910e1a749345c2227a53414a4b15068da7dbf6a

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
57KB

MD5
b2660d54f4cb3a8b20125fe52a970365

SHA1
3d0f0ab85a4cbb6257734962d3571500eec778cb

SHA256
d7053ab458f01f2f322d7a311dd14aeffbaf8d61e4cfa6cdc6381c670181acc7

SHA512
508b3402d695e4de40d0a28be325c1b8fe8decd825ec3d0b36271fa9b3b27d3943ef9eb1b63460ec0e1086d6047e8018f6436ec0c863003d38cba0139faf2709

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
57KB

MD5
3c02b2da9dfedcae1ccfaea82d9acc76

SHA1
fc842fe802e718504b48cbccb2d55df0d8b2d170

SHA256
f507289e44bb12e034131a51281e30babf383bea1eb1ca8f0de3e6a856372ab2

SHA512
46bf6919c9f1c6b19c2547755a04e6c7071acb4c1ce2c3cd433b8b1fa0ddafeb5cd3997d09c9e547e214a97e487f7950ca35345e19024b85576f29bf5ca48951

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
57KB

MD5
2be04a0a803d4715873c1e4a850dd165

SHA1
91f707e7cdd2d6a594734d4bb282fdec4239c966

SHA256
24a9a7759a02a9040380d65f9235327434ca21e43d0b170401bcabee1b533a80

SHA512
33600e42dd331191847715e74c489d806bb9dc1631bd954fe5dcb872652bdc623bad2d96eebe166c6ce2c8b4c7d604a8a888c674ae37045134be6ed691f293d2

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
57KB

MD5
cef99e79201c4af7308c27d04d8c8bfb

SHA1
96bb99937815d54790aa0020367ed335a729c9c7

SHA256
de3712cbe8e7fccdc7f94a3cf083166ba46e214a72a2fba938c4129aca9667c3

SHA512
c4567a5fc2288f255575f5fad06a6600d6213bed3efe53436e7e14212153b78704568386b86f83b97edfa9921727f7cd3bcac77dfcd322533ec87f414ee51aad

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
57KB

MD5
5f7e0a59d147488f6bd64c3b38d15883

SHA1
04b723691c580de1a809a3c3418d1592fe4dd4d5

SHA256
d28e6b7215a9e1cc03d546d98270e6a78aba82db54bf2ea8589b238befdc0f1d

SHA512
7d313ea6de2a8fec4912d849ca25edafade18bad2bd3abf0b838429f3e78099f65ee4f10e640f253248075392a9fb0d78aadfb8a8cd3b4b2effd73ff12e5118f

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
57KB

MD5
104fe8fbd0b9edd635f45d5c1b141b5e

SHA1
03dcf950f4f0bbfb9ace9372243cee383abeb843

SHA256
ac69eff6d985e68b03fe413eecadc665138bfeb038ea0c22e57d86bc42238cc8

SHA512
98beee430865506df2e8477fbeeb1335cde95c844f8bab063716599b548593232e23b681edf9544dfd3b3a240dc080830234dc487a74e834abd45980a03314e5

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
57KB

MD5
51ab907c44b64abda4820e948cef3485

SHA1
77ef5a8b5ecd112c984cf3d3e23f951e08932d98

SHA256
6f1e65c214ed4e394a6d2de6b89ece4c83bc615a0802241143fa5c930aae656c

SHA512
a5fcc0693b1b5df79d429610b75be7a903ecc53a25d48a989e233ff6ac8fc614564aa06a680f18c41a2e1c6b469ab4248867a52ddc4cf0d1155721b061a8f171

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
57KB

MD5
5f7417479bab973d558d09d385848d22

SHA1
7fb9f0adb3f5681f7df9f8d31ff6fc2502d85293

SHA256
7a415eec4bb3d6746d4dab352ea4cc56e7f3c46c6ce696c307f784f070f76a63

SHA512
3a7f388d6c90027e79726391b6401f8b0af0f8a86a1e45b3126a6ae6fd95faa0bd5855462d4f833c8a5e86ab1c309bb1776e3b2da3182664133b4b853fe5cc3b

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
57KB

MD5
69fc5ce652bad7b0548de373a90c271c

SHA1
27dfc5618f34b0ebae607a7d32a19be1f3639f5b

SHA256
f9611aee2ed509c95ad4e6ed001ebc29ff9c7d3b315cfbbf1e7174a25bec06a3

SHA512
85a5996fc05382d28465e22ed8494e965879d69ebe377eb619f7b9fdf7fbdd929349979cdbb774ad783f2c03fb32158ab7e733b2110a4acc451860afc807b038

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
57KB

MD5
d386d7a9bcb6e646d699ae50f316516d

SHA1
c6eeac46041343745584208f6b5f7cfa4091b168

SHA256
598b486c5d857014c6fa5b123f9eddcf612f0d01927f5805dbc4c98954d922ff

SHA512
5f56997020a9cbcbb5e46445c9d85e5afab817ff12eeda42a621a395edccdf74ae1b9e015df47592266c9c6d194fe36121bb63cfee0e0cccd5aa123d7b69ceaa

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
57KB

MD5
92a30cbc238353fe50928990259dd3b9

SHA1
562f8a26418ae11728b5612e6d60d13fb7684cbe

SHA256
9a7fe7e9e417f99b1b08683842015668020e55ef485c20df90e2f7a88db5ac01

SHA512
3933ea86c968b92066079cff4a7e6e3ae1e1b43b87fd837561f07f662e05f7956c71ca9315a546f975bdd2793fd7831695814535fbe91166e56eb8c1bea37d41

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
57KB

MD5
474984456beeab26166c9a06df9cd421

SHA1
d79a590e5f8702c776221a9e85c701b1e81547b8

SHA256
146a5497b0ca6725cf0e46c9a61b7f402f2693bbd24e6fa1a3dacf68925b29ef

SHA512
1714f51f7f0f68ec278cc9b3be9cb04b757fd5455fa02cfb5581584f2dd1945e4c37c6218764571f637d9d69a12e099f3c7cd8d6c87564d39b43683bd6726c67

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
57KB

MD5
a6abb346d8d572af21d4915a25b15ed2

SHA1
602b77d1069d017cabd7e1514df18a36501d1a18

SHA256
837cbb2135a062763dca957d3e50ed797dbf728ec1ade5f166e9493f9d8a4fe4

SHA512
e70501a7da1833080540292e1d6b8f59f67a4dcdc8bb460fdc117d16a9e67245416fdc8cdbd11342bb5004403c4e8fd3ca5d4f067b636a825c6ead14e83cd1fb

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
57KB

MD5
4cef77a7c26c27067f69791b54c57f26

SHA1
6f84cd55d4091aefc1435560731bea9cce6db31d

SHA256
9cfb57a9a4b52c31c5da92858c4431d809f436599fca627a1fe490f26a1d9e5a

SHA512
6cc46a14928a4f80dc53d55d9932db389845c45ca0de04ae57a1dadf1112191322d8e207fa975b86501fc9c958c6709290c267b75177dffbe897009bceba2bbe

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
57KB

MD5
3414da5388f71245583ff31d20a59d74

SHA1
0a9a594d60d963cc93865fb3116cce7cc6ee0932

SHA256
7f32b5005a1a1f4e5a9f253b00aceaf5f5fe757cdee8795c6fbfa00178d1feff

SHA512
23a7d76e170e3da864df78ca5b393ed98aa6904c22b4e43dc77de5cc4f0fb8c9c7c853400b3d5a68eb34b568c1af918eaf5cfba07264a869888dab3409fd17f9

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
57KB

MD5
f55f2a602db4ad07e7f88fac5a83b319

SHA1
f88c544062970047470958627a009374afed4845

SHA256
52dd0940b6e54ffb5e281aec759e0471cd8c4157f46410fae77e7e8c2eca9aa9

SHA512
9acb7ac2a777fb4a64365b084a7bd390593368f1b8969ffffa2ef075f4017fe97e1cba1b1414b8deaa61606980e9d0e906933da4bff42282a7c7e677c73b2a7d

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
57KB

MD5
d3e67aff0bbd51af22bbcb02f7a2a43d

SHA1
16a287b15dcc2ba10b246d552668bd4198ae4e2a

SHA256
d153e56bcc17640ce7f88feacd1c01d651949951d53eb93932c11a627c7dc6a7

SHA512
bb1d5932fb65340a9a44e7437fdb0650033baaf2724111422470b7188ebdfff5da4d681b6874a5920077bc8b1499e6f691c5ff4ac7a0407463f25bcd201d89ff

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
57KB

MD5
af531df9688e06d9198736e631e9ad9d

SHA1
69b7bfe03355e201751368fffe9041d4c294f1e9

SHA256
9d33d9ec5e1ab878e5847ad1d64516b7ac158f5fd1b70fe7d66ec6bc3aa79f38

SHA512
18627732343205927495fc0b3596b706adfbb9503739513f8f73a196990073b98d05709a64c126d1be606e4fd690a0e8fc4abeaa2b61a5fb150b699ab5ff8bba

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
57KB

MD5
47f94fb8b76a72bc5aed978fec3c372f

SHA1
147dd26a1ab543bad6a87668b4e28cdffbdeefbe

SHA256
41076805a89b3feeb82898cb70fd7d423a5b3d18c66ad2bed2c00eb12b5a5bfd

SHA512
71c0d607ddff4ea5cdd26cda07cd5608bb9fb2179e1b801d9c26feec5b506ee868920c24d9cfa2c47b700f6bddddce249153037a506413afc873f4dfdf1451dd

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
57KB

MD5
8be4b3fbf58ea1383b752279e4059182

SHA1
ac1f795ccb423c2f5cd137a5850b910609deadcf

SHA256
b97daad349967d3530f0050010d192ff0c03198a73474fc911d525a0138da669

SHA512
73379a1630b75d519ce31fe1a8f7b9992dcf581c2201003991ee3fd90e5357393b7c2e1e516c77f7aa4141e461a1f7b90ff129400a397efd4cbe63b94ab43e39

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
57KB

MD5
e093f35b80566c4f377a91272e3494ea

SHA1
ac7f712863eec772b31a342d1492d9837b8caf05

SHA256
6019c37e5745a37af5cac6fa425aebfff59f05faf2f39e50458ad52dbacfc88b

SHA512
48b47f5afe79551bea862d2b54436872be5de82080c0c7c4eb4a0d9fc75624fcd1be5650c17f85029c6049f809c88e393787cb2d477ff016f957784d920a3065

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
57KB

MD5
960748d531208f4daa965a69e1b0e19c

SHA1
3411783481f15e3ca078cb4c22dac5f13ba7604f

SHA256
f23315ea2c30d771e44707c22ad5ec646fd7a1496533c78e45eeaa4b781d7508

SHA512
6904b450a5564dbc2483017ea54591c7e0c11ce799991ad566c0ef75b41924bf5c365cb3a3ccdc87add93f1d6fddecaa85ab82f723ced14bc3cf6569022dd344

Download Submit
memory/216-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/216-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1284-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1284-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1420-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1420-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1856-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1856-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2864-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2864-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3556-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3556-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3984-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3984-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3988-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3988-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-283-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4644-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4644-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4908-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4908-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4976-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4976-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads