berbew | dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8

Analysis

max time kernel
16s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Size

81KB
MD5

adcad37a9967766cd82498c33d3a0614
SHA1

00075be62d7fc8d253f833e1044420ce0fa289b3
SHA256

dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8
SHA512

e256f189158fa2c383fdefcb3c7c12f3679b277ef2df0b9b820f8069e54c356ea188ce3ac035c24987e1fd8426f12582cf896b065079a5afe290567608aea5af
SSDEEP

1536:BeQ3BLytzMNbeUIl25qEWtN27m4LO++/+1m6KadhYxU33HX0L:hR0MNKUIo5qEWtE/LrCimBaH8UH30L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmjjhmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddkbqfcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Denknngk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpkmehol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dicann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dihkimag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlfgehqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cobjmq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celbik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coiqmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dajiok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgnhhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceoooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddlpg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpkmehol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhaefepn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjikaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Codgbqmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbhlb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlhdjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciebdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Celbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dicann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlfgehqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlhdjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoimlc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Codgbqmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceoooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkffc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkffc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddkbqfcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Diencmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbnblb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Claake32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Diencmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpmjjhmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogpfc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoimlc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfgehn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfgehn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbhlb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhaefepn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobjmq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmajdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Claake32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cppjadhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmjdcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogpfc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coiqmp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbnblb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Denknngk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciebdj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppjadhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddlpg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmajdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cligkdlm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 33 IoCs

pid	Process
304	Claake32.exe
1912	Cfgehn32.exe
2908	Ciebdj32.exe
1112	Cppjadhk.exe
2700	Cobjmq32.exe
2664	Celbik32.exe
1608	Cjikaa32.exe
1356	Codgbqmc.exe
1288	Ceoooj32.exe
1908	Cligkdlm.exe
2960	Cmjdcm32.exe
3044	Cddlpg32.exe
1992	Cfbhlb32.exe
1552	Coiqmp32.exe
2840	Cpkmehol.exe
2200	Dhaefepn.exe
2216	Dicann32.exe
2328	Dajiok32.exe
580	Dpmjjhmi.exe
2140	Dbkffc32.exe
2152	Diencmcj.exe
2244	Dmajdl32.exe
2252	Ddkbqfcp.exe
2340	Dbnblb32.exe
2632	Dihkimag.exe
2352	Dlfgehqk.exe
1688	Denknngk.exe
2816	Dijgnm32.exe
2824	Dlhdjh32.exe
2708	Dogpfc32.exe
2728	Dgnhhq32.exe
1696	Eoimlc32.exe
1156	Eceimadb.exe

Loads dropped DLL 64 IoCs

pid	Process
1200	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
1200	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
304	Claake32.exe
304	Claake32.exe
1912	Cfgehn32.exe
1912	Cfgehn32.exe
2908	Ciebdj32.exe
2908	Ciebdj32.exe
1112	Cppjadhk.exe
1112	Cppjadhk.exe
2700	Cobjmq32.exe
2700	Cobjmq32.exe
2664	Celbik32.exe
2664	Celbik32.exe
1608	Cjikaa32.exe
1608	Cjikaa32.exe
1356	Codgbqmc.exe
1356	Codgbqmc.exe
1288	Ceoooj32.exe
1288	Ceoooj32.exe
1908	Cligkdlm.exe
1908	Cligkdlm.exe
2960	Cmjdcm32.exe
2960	Cmjdcm32.exe
3044	Cddlpg32.exe
3044	Cddlpg32.exe
1992	Cfbhlb32.exe
1992	Cfbhlb32.exe
1552	Coiqmp32.exe
1552	Coiqmp32.exe
2840	Cpkmehol.exe
2840	Cpkmehol.exe
2200	Dhaefepn.exe
2200	Dhaefepn.exe
2216	Dicann32.exe
2216	Dicann32.exe
2328	Dajiok32.exe
2328	Dajiok32.exe
580	Dpmjjhmi.exe
580	Dpmjjhmi.exe
2140	Dbkffc32.exe
2140	Dbkffc32.exe
2152	Diencmcj.exe
2152	Diencmcj.exe
2244	Dmajdl32.exe
2244	Dmajdl32.exe
2252	Ddkbqfcp.exe
2252	Ddkbqfcp.exe
2340	Dbnblb32.exe
2340	Dbnblb32.exe
2632	Dihkimag.exe
2632	Dihkimag.exe
2352	Dlfgehqk.exe
2352	Dlfgehqk.exe
1688	Denknngk.exe
1688	Denknngk.exe
2816	Dijgnm32.exe
2816	Dijgnm32.exe
2824	Dlhdjh32.exe
2824	Dlhdjh32.exe
2708	Dogpfc32.exe
2708	Dogpfc32.exe
2728	Dgnhhq32.exe
2728	Dgnhhq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nfadap32.dll	Cobjmq32.exe
File created	C:\Windows\SysWOW64\Fniiae32.dll	Dbkffc32.exe
File created	C:\Windows\SysWOW64\Ciebdj32.exe	Cfgehn32.exe
File opened for modification	C:\Windows\SysWOW64\Cobjmq32.exe	Cppjadhk.exe
File created	C:\Windows\SysWOW64\Ceoooj32.exe	Codgbqmc.exe
File created	C:\Windows\SysWOW64\Cddlpg32.exe	Cmjdcm32.exe
File created	C:\Windows\SysWOW64\Cfbhlb32.exe	Cddlpg32.exe
File created	C:\Windows\SysWOW64\Lcophb32.dll	Cfbhlb32.exe
File opened for modification	C:\Windows\SysWOW64\Dogpfc32.exe	Dlhdjh32.exe
File opened for modification	C:\Windows\SysWOW64\Claake32.exe	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
File opened for modification	C:\Windows\SysWOW64\Codgbqmc.exe	Cjikaa32.exe
File created	C:\Windows\SysWOW64\Cfbnjjmf.dll	Cmjdcm32.exe
File created	C:\Windows\SysWOW64\Kceeek32.dll	Dhaefepn.exe
File created	C:\Windows\SysWOW64\Dajiok32.exe	Dicann32.exe
File created	C:\Windows\SysWOW64\Dbkffc32.exe	Dpmjjhmi.exe
File opened for modification	C:\Windows\SysWOW64\Dbnblb32.exe	Ddkbqfcp.exe
File opened for modification	C:\Windows\SysWOW64\Dihkimag.exe	Dbnblb32.exe
File created	C:\Windows\SysWOW64\Eodpobjn.dll	Ciebdj32.exe
File created	C:\Windows\SysWOW64\Eoimlc32.exe	Dgnhhq32.exe
File created	C:\Windows\SysWOW64\Eceimadb.exe	Eoimlc32.exe
File created	C:\Windows\SysWOW64\Denknngk.exe	Dlfgehqk.exe
File created	C:\Windows\SysWOW64\Codgbqmc.exe	Cjikaa32.exe
File opened for modification	C:\Windows\SysWOW64\Ceoooj32.exe	Codgbqmc.exe
File created	C:\Windows\SysWOW64\Coiqmp32.exe	Cfbhlb32.exe
File created	C:\Windows\SysWOW64\Hbfaod32.dll	Coiqmp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhaefepn.exe	Cpkmehol.exe
File created	C:\Windows\SysWOW64\Gobdgmhm.dll	Cpkmehol.exe
File created	C:\Windows\SysWOW64\Dijgnm32.exe	Denknngk.exe
File created	C:\Windows\SysWOW64\Cjikaa32.exe	Celbik32.exe
File created	C:\Windows\SysWOW64\Mepmffng.dll	Codgbqmc.exe
File created	C:\Windows\SysWOW64\Ecagpdpe.dll	Ddkbqfcp.exe
File opened for modification	C:\Windows\SysWOW64\Dgnhhq32.exe	Dogpfc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjikaa32.exe	Celbik32.exe
File created	C:\Windows\SysWOW64\Bleppqce.dll	Dihkimag.exe
File created	C:\Windows\SysWOW64\Nkpbdj32.dll	Dlhdjh32.exe
File created	C:\Windows\SysWOW64\Cppjadhk.exe	Ciebdj32.exe
File opened for modification	C:\Windows\SysWOW64\Denknngk.exe	Dlfgehqk.exe
File created	C:\Windows\SysWOW64\Mohkpn32.dll	Dlfgehqk.exe
File opened for modification	C:\Windows\SysWOW64\Ciebdj32.exe	Cfgehn32.exe
File opened for modification	C:\Windows\SysWOW64\Cligkdlm.exe	Ceoooj32.exe
File created	C:\Windows\SysWOW64\Ngcjbg32.dll	Ceoooj32.exe
File created	C:\Windows\SysWOW64\Flnjii32.dll	Cddlpg32.exe
File created	C:\Windows\SysWOW64\Kalgdehn.dll	Dajiok32.exe
File created	C:\Windows\SysWOW64\Pfaokb32.dll	Dmajdl32.exe
File created	C:\Windows\SysWOW64\Adaflhhb.dll	Dogpfc32.exe
File opened for modification	C:\Windows\SysWOW64\Cppjadhk.exe	Ciebdj32.exe
File created	C:\Windows\SysWOW64\Cobjmq32.exe	Cppjadhk.exe
File opened for modification	C:\Windows\SysWOW64\Dbkffc32.exe	Dpmjjhmi.exe
File created	C:\Windows\SysWOW64\Diencmcj.exe	Dbkffc32.exe
File created	C:\Windows\SysWOW64\Pficpanm.dll	Dbnblb32.exe
File created	C:\Windows\SysWOW64\Fdakhmhh.dll	Cfgehn32.exe
File opened for modification	C:\Windows\SysWOW64\Coiqmp32.exe	Cfbhlb32.exe
File opened for modification	C:\Windows\SysWOW64\Cpkmehol.exe	Coiqmp32.exe
File created	C:\Windows\SysWOW64\Dpmjjhmi.exe	Dajiok32.exe
File created	C:\Windows\SysWOW64\Dihkimag.exe	Dbnblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dijgnm32.exe	Denknngk.exe
File created	C:\Windows\SysWOW64\Dlhdjh32.exe	Dijgnm32.exe
File created	C:\Windows\SysWOW64\Bfkfbm32.dll	Eoimlc32.exe
File created	C:\Windows\SysWOW64\Danmddgh.dll	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
File created	C:\Windows\SysWOW64\Jleide32.dll	Cppjadhk.exe
File created	C:\Windows\SysWOW64\Hgaeaa32.dll	Cligkdlm.exe
File opened for modification	C:\Windows\SysWOW64\Dpmjjhmi.exe	Dajiok32.exe
File created	C:\Windows\SysWOW64\Dmajdl32.exe	Diencmcj.exe
File opened for modification	C:\Windows\SysWOW64\Ddkbqfcp.exe	Dmajdl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1192	1156	WerFault.exe	62

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnhhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dijgnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogpfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cligkdlm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpmjjhmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlfgehqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Denknngk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eoimlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppjadhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhaefepn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkffc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlhdjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Claake32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddkbqfcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dihkimag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddlpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpkmehol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbnblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjikaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coiqmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dicann32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmajdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfgehn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Codgbqmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbhlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceoooj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diencmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciebdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobjmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celbik32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danmddgh.dll"	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfbnjjmf.dll"	Cmjdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddlpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbhlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbhlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fniiae32.dll"	Dbkffc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecagpdpe.dll"	Ddkbqfcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbnblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bleppqce.dll"	Dihkimag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmajdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhleiekc.dll"	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcjbg32.dll"	Ceoooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnjii32.dll"	Cddlpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coiqmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalgdehn.dll"	Dajiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpmjjhmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbpkc32.dll"	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbkffc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmajdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cppjadhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Celbik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cligkdlm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coiqmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpkmehol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddmalde.dll"	Denknngk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoimlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpallpil.dll"	Claake32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddlpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobdgmhm.dll"	Cpkmehol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpkmehol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpmjjhmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohkpn32.dll"	Dlfgehqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cobjmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Celbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhaefepn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnabh32.dll"	Diencmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlfgehqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlhdjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfadap32.dll"	Cobjmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Claake32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cobjmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfaod32.dll"	Coiqmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpbdj32.dll"	Dlhdjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmfnaj32.dll"	Dgnhhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoimlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Claake32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkffc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeaddaj.dll"	Dpmjjhmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleide32.dll"	Cppjadhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dajiok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Diencmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cppjadhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dihkimag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgnhhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaeaa32.dll"	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kceeek32.dll"	Dhaefepn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 304	1200	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe	30
PID 1200 wrote to memory of 304	1200	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe	30
PID 1200 wrote to memory of 304	1200	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe	30
PID 1200 wrote to memory of 304	1200	dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe	30
PID 304 wrote to memory of 1912	304	Claake32.exe	31
PID 304 wrote to memory of 1912	304	Claake32.exe	31
PID 304 wrote to memory of 1912	304	Claake32.exe	31
PID 304 wrote to memory of 1912	304	Claake32.exe	31
PID 1912 wrote to memory of 2908	1912	Cfgehn32.exe	32
PID 1912 wrote to memory of 2908	1912	Cfgehn32.exe	32
PID 1912 wrote to memory of 2908	1912	Cfgehn32.exe	32
PID 1912 wrote to memory of 2908	1912	Cfgehn32.exe	32
PID 2908 wrote to memory of 1112	2908	Ciebdj32.exe	33
PID 2908 wrote to memory of 1112	2908	Ciebdj32.exe	33
PID 2908 wrote to memory of 1112	2908	Ciebdj32.exe	33
PID 2908 wrote to memory of 1112	2908	Ciebdj32.exe	33
PID 1112 wrote to memory of 2700	1112	Cppjadhk.exe	34
PID 1112 wrote to memory of 2700	1112	Cppjadhk.exe	34
PID 1112 wrote to memory of 2700	1112	Cppjadhk.exe	34
PID 1112 wrote to memory of 2700	1112	Cppjadhk.exe	34
PID 2700 wrote to memory of 2664	2700	Cobjmq32.exe	35
PID 2700 wrote to memory of 2664	2700	Cobjmq32.exe	35
PID 2700 wrote to memory of 2664	2700	Cobjmq32.exe	35
PID 2700 wrote to memory of 2664	2700	Cobjmq32.exe	35
PID 2664 wrote to memory of 1608	2664	Celbik32.exe	36
PID 2664 wrote to memory of 1608	2664	Celbik32.exe	36
PID 2664 wrote to memory of 1608	2664	Celbik32.exe	36
PID 2664 wrote to memory of 1608	2664	Celbik32.exe	36
PID 1608 wrote to memory of 1356	1608	Cjikaa32.exe	37
PID 1608 wrote to memory of 1356	1608	Cjikaa32.exe	37
PID 1608 wrote to memory of 1356	1608	Cjikaa32.exe	37
PID 1608 wrote to memory of 1356	1608	Cjikaa32.exe	37
PID 1356 wrote to memory of 1288	1356	Codgbqmc.exe	38
PID 1356 wrote to memory of 1288	1356	Codgbqmc.exe	38
PID 1356 wrote to memory of 1288	1356	Codgbqmc.exe	38
PID 1356 wrote to memory of 1288	1356	Codgbqmc.exe	38
PID 1288 wrote to memory of 1908	1288	Ceoooj32.exe	39
PID 1288 wrote to memory of 1908	1288	Ceoooj32.exe	39
PID 1288 wrote to memory of 1908	1288	Ceoooj32.exe	39
PID 1288 wrote to memory of 1908	1288	Ceoooj32.exe	39
PID 1908 wrote to memory of 2960	1908	Cligkdlm.exe	40
PID 1908 wrote to memory of 2960	1908	Cligkdlm.exe	40
PID 1908 wrote to memory of 2960	1908	Cligkdlm.exe	40
PID 1908 wrote to memory of 2960	1908	Cligkdlm.exe	40
PID 2960 wrote to memory of 3044	2960	Cmjdcm32.exe	41
PID 2960 wrote to memory of 3044	2960	Cmjdcm32.exe	41
PID 2960 wrote to memory of 3044	2960	Cmjdcm32.exe	41
PID 2960 wrote to memory of 3044	2960	Cmjdcm32.exe	41
PID 3044 wrote to memory of 1992	3044	Cddlpg32.exe	42
PID 3044 wrote to memory of 1992	3044	Cddlpg32.exe	42
PID 3044 wrote to memory of 1992	3044	Cddlpg32.exe	42
PID 3044 wrote to memory of 1992	3044	Cddlpg32.exe	42
PID 1992 wrote to memory of 1552	1992	Cfbhlb32.exe	43
PID 1992 wrote to memory of 1552	1992	Cfbhlb32.exe	43
PID 1992 wrote to memory of 1552	1992	Cfbhlb32.exe	43
PID 1992 wrote to memory of 1552	1992	Cfbhlb32.exe	43
PID 1552 wrote to memory of 2840	1552	Coiqmp32.exe	44
PID 1552 wrote to memory of 2840	1552	Coiqmp32.exe	44
PID 1552 wrote to memory of 2840	1552	Coiqmp32.exe	44
PID 1552 wrote to memory of 2840	1552	Coiqmp32.exe	44
PID 2840 wrote to memory of 2200	2840	Cpkmehol.exe	45
PID 2840 wrote to memory of 2200	2840	Cpkmehol.exe	45
PID 2840 wrote to memory of 2200	2840	Cpkmehol.exe	45
PID 2840 wrote to memory of 2200	2840	Cpkmehol.exe	45

C:\Users\Admin\AppData\Local\Temp\dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe
"C:\Users\Admin\AppData\Local\Temp\dfa7c4f393aa73cdf8da7b2476b9d99bb900e0c5579e843f657d69ee99a37cc8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\Claake32.exe
  C:\Windows\system32\Claake32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\Cfgehn32.exe
    C:\Windows\system32\Cfgehn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\Ciebdj32.exe
      C:\Windows\system32\Ciebdj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\Cppjadhk.exe
        
        C:\Windows\system32\Cppjadhk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Windows\SysWOW64\Cobjmq32.exe
        
        C:\Windows\system32\Cobjmq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Celbik32.exe
        
        C:\Windows\system32\Celbik32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Cjikaa32.exe
        
        C:\Windows\system32\Cjikaa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Codgbqmc.exe
        
        C:\Windows\system32\Codgbqmc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Ceoooj32.exe
        
        C:\Windows\system32\Ceoooj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Cligkdlm.exe
        
        C:\Windows\system32\Cligkdlm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Cmjdcm32.exe
        
        C:\Windows\system32\Cmjdcm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Cddlpg32.exe
        
        C:\Windows\system32\Cddlpg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Cfbhlb32.exe
        
        C:\Windows\system32\Cfbhlb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Coiqmp32.exe
        
        C:\Windows\system32\Coiqmp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Cpkmehol.exe
        
        C:\Windows\system32\Cpkmehol.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Dhaefepn.exe
        
        C:\Windows\system32\Dhaefepn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Dicann32.exe
        
        C:\Windows\system32\Dicann32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\Dajiok32.exe
        
        C:\Windows\system32\Dajiok32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Dpmjjhmi.exe
        
        C:\Windows\system32\Dpmjjhmi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Dbkffc32.exe
        
        C:\Windows\system32\Dbkffc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Diencmcj.exe
        
        C:\Windows\system32\Diencmcj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Dmajdl32.exe
        
        C:\Windows\system32\Dmajdl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Ddkbqfcp.exe
        
        C:\Windows\system32\Ddkbqfcp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Dbnblb32.exe
        
        C:\Windows\system32\Dbnblb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Dihkimag.exe
        
        C:\Windows\system32\Dihkimag.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Dlfgehqk.exe
        
        C:\Windows\system32\Dlfgehqk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Denknngk.exe
        
        C:\Windows\system32\Denknngk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Dijgnm32.exe
        
        C:\Windows\system32\Dijgnm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Dlhdjh32.exe
        
        C:\Windows\system32\Dlhdjh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Dogpfc32.exe
        
        C:\Windows\system32\Dogpfc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Dgnhhq32.exe
        
        C:\Windows\system32\Dgnhhq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Eoimlc32.exe
        
        C:\Windows\system32\Eoimlc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 140
        35⤵
        Program crash
        
        PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cfgehn32.exe

Filesize
81KB

MD5
f00f70b3b35f2a4cfb02740008c32234

SHA1
7f3fc550f2bc3c47b3b2824c7d07a9be9872c14f

SHA256
d622edc1ade088b109736977a4c90b0e493731109b274cf3416ca879c3206aaf

SHA512
ba42449c21396b1496b11f71a55da397041a4d8a1007f1e9380511925ed471b91ef856099b60a571dc3b205a7b68c62faf040ffd0a834a06e181fec4aa1b37c5

Download Submit
C:\Windows\SysWOW64\Cppjadhk.exe

Filesize
81KB

MD5
f665547621ba0e5b4f84d58bb309823c

SHA1
88e41561b4d17b19e794963862a8ca0ad8fa27a9

SHA256
5f1554f690aa7f73c6586eda3120a74291bd3720875c1b5a80eae62116ba3564

SHA512
d692c9b53febd43df0220052e89272b75aaa8bb152c66723f907214bc72f18992c85bd271ebff7f36332b5bcfe4f027f574eb3d2b34a1d7c1454fc7f283b2053

Download Submit
C:\Windows\SysWOW64\Dajiok32.exe

Filesize
81KB

MD5
471598c25d613a331a64b7dadf8cb786

SHA1
36f2b2fac0f04d5eb927df06fdcbbe4dd9c048af

SHA256
13fd2b607fcf66b2578bdb70272ddec0c388baf00686a83b3d46ec8b6bc6fd26

SHA512
ea4b8d55dee7318dd00fd86dd504456ec8a0c40ae36f5ff0af8d47e7d47c83f3bc416933e22aa80cbc5aab345e8d0f2c2a6f36ffd87dda97a15026408b2e823e

Download Submit
C:\Windows\SysWOW64\Dbkffc32.exe

Filesize
81KB

MD5
f8977aad747c030388a499ed724ac05e

SHA1
703b766140378c25100f533648dc9e7cef3cfedc

SHA256
7ad266b055e4e5d39c5191b8081b872cb66b8ba64e3ff6535ed4f158ae65be1a

SHA512
7b3243d392475e543950ce1cbe93794f41eba69611e2ff638627369ea0252a39ca1a9f0d36564fc7d93585370c1a09a699d046a54fc266093608d37545cdd93b

Download Submit
C:\Windows\SysWOW64\Dbnblb32.exe

Filesize
81KB

MD5
7efd44f91ef045b273ebfec0317e41c8

SHA1
8be9c2bc89d9a9d34d40caff5e5c908eb24a1aa9

SHA256
2856990ad84b211d803f9196c844aa6d2e3d83bfb07325b62fc6013f51046a56

SHA512
0a3f7ce83e384146393773db563796b7afef21473783943a5e9e901debb6d88635bac9fe7ab3834a9e1492bace4189127ab424b11001f5f6e5e51810a3bf92d0

Download Submit
C:\Windows\SysWOW64\Ddkbqfcp.exe

Filesize
81KB

MD5
ae9493389d5d637f7e8ae447dd4da6a8

SHA1
215cb5371471c8a6dd808f0d2408c15701e064d4

SHA256
3044e15e344d487e66050b5638fa853141a64d43b6c146448b40d5ee3a4523d3

SHA512
0e42446df1e71f1ba9551660eb9566a85787f39bc5ec278e14be09feab3c5cd8978dec6a51dc8f00f41d61adc10fc7bbdabcc3a6b6299d29e36e63f3f554cb93

Download Submit
C:\Windows\SysWOW64\Denknngk.exe

Filesize
81KB

MD5
f25261f9c58df3d380ea042fcfe0e5a7

SHA1
ffc5db4ee35a27996d750d159b23573ee7b7853a

SHA256
c27af52cccd3c761a069e9d7f039ba397b75283861efcc148a2b1e510fcc73eb

SHA512
ea7391f7524823bd4af14134a6e3245185cdf3cb9f59cedab154eefae06b402a0d0be149710773faa495b313e9b9fb9ff8c82fc7c6441df5fd61b8f8614b1cd1

Download Submit
C:\Windows\SysWOW64\Dgnhhq32.exe

Filesize
81KB

MD5
70e7604edb9749edfd5305692f4f5261

SHA1
1a16026292d49d7c01f894fb807e571a732bf51d

SHA256
fe27c9e5163231765020b3882b313513ffee8234bf5ce1ccdc220d880deabfa7

SHA512
f7d97ba74d8fea713593a4553df8619bb52d925fa8dd0a5376c4936fc717a3bc6932acbb516c6fbc07922ad8bf8192d950d2bcf369119d40336769aba316bfb9

Download Submit
C:\Windows\SysWOW64\Dicann32.exe

Filesize
81KB

MD5
2e3b3f62179800385a202675a5961ae2

SHA1
9da54bc0987d12ba61c0cfd97a0e1a2958f72746

SHA256
1cdb6879c1f7750df4160ced1860c16825d1dd37782716d87b7fabcd61c04287

SHA512
30cab405955fefebdbce1dd2555dc4fdaa1971508de766c6ad5d9c06e07aa1a8c08b1ff894a55ac0db1f12a0f7634ab7d268567cc15a160c3ffc203f1757419b

Download Submit
C:\Windows\SysWOW64\Diencmcj.exe

Filesize
81KB

MD5
459fa223635864b22c8f5c03e1b3d8d9

SHA1
a747e8c0eb3598bb1d8ef2880ee53197e503c929

SHA256
336ffadf5d535e73047ec724e72e564c5382278607bcfbcac540401fa20d59d9

SHA512
2b17198ecffcf26cf34207e5c7a0c01cbe699938aaf0169d72cedebcf7c0917807ef3e5c019f2ca35f9e76eb242919c601b7d194adc39eda7f602248b3df8357

Download Submit
C:\Windows\SysWOW64\Dihkimag.exe

Filesize
81KB

MD5
716c5281cb82692b7b9ba598eff41273

SHA1
419e6fb92bc218dc0492222e551106cab49df722

SHA256
a1323233dbd78f3194b0d3edf78ef245bc9392986e04b18decd0f3f2a6c41a63

SHA512
d6299cbeb2896bf346d7433bb3293b1a0a9ed43ab25aa863a07987c8606ed0bae01a5d64dbdbf39510455c930e754c05188ab8bc963c23963f1ed2b67cae1e89

Download Submit
C:\Windows\SysWOW64\Dijgnm32.exe

Filesize
81KB

MD5
71583ce526791966321e8e224f1686fb

SHA1
dc5c013cfaab2e061c6a3485b08381b3c66fc6ad

SHA256
15d57761ccd01513b0176e9d086fc20f164dbe80725873a3dcef7ba4ccb3949c

SHA512
2b6d5fb8b01d65e055d5b71a8440d0a2e36344390c9de97dfe8ecb7f8aaa01262387cdd9701ee95cd20e95908c0198f1a598b15d0827f87e84877b0a944c0137

Download Submit
C:\Windows\SysWOW64\Dlfgehqk.exe

Filesize
81KB

MD5
6d1bddd822ac905ae60751383f43f1bf

SHA1
a2945dc8607a97517c9cb83a9f8f9a6893e6a99f

SHA256
247fd2c81381b7a5808ff019b399039dc09ea579c7232812ad0c2af06bef02d3

SHA512
34c1faff8640394b4ccfeb7674b88b0b7ef2a0c3c8823b9cb9164b4ac4bdfec26207a0505737e8061ff51b10f8fa38e6c3239c9b5b68807e1494e1a9f148cd8d

Download Submit
C:\Windows\SysWOW64\Dlhdjh32.exe

Filesize
81KB

MD5
6a79e8fb5d3e9f22c5e48681d7c1b2de

SHA1
81f15e44c4abfaf30cdd889d6631b59335363c36

SHA256
1e0db212c9ed6f46c2e138302933de97ac1fd86584d1287585383b166f5050e3

SHA512
feb59eb3831b18eb6a9698084de4afe9d068b5d9fec4dd1c1ecedf069c6d0255c23d7313e7e89005014aa6b5bc06642f0e423831e10154ca6e36d117d22ed9f8

Download Submit
C:\Windows\SysWOW64\Dmajdl32.exe

Filesize
81KB

MD5
f08492e01dda85d8619d3b8e5dc24515

SHA1
7a5711dcd08a12a760100a954a2e5f52cbec598c

SHA256
8e4a601cf554245387f1bc72d2a85c1fa97ea6a818cedcb5fec5b4ba0e8e14a2

SHA512
2552edf70fc713af276e1d443de7cf63872ae3f0448f77ed5b2e673b99cbeea539eae126eaed46e62dd39da97f7b0ee4b310f87a9c792c5b1e89bb1fbd50d450

Download Submit
C:\Windows\SysWOW64\Dogpfc32.exe

Filesize
81KB

MD5
632bafad783859d8660672e7a8e96847

SHA1
862612e003ed2334995a514bd092c1ee72b559b0

SHA256
97b05510ca89cf5a1f9d7a3dd8c20b9e197dd5a9eddedc41512f8323d4148153

SHA512
5dc1d6ee19d7adc1d303a783b0455f1fad9a2b2b3ebcd7623f43813668b5691854e4629355e62c0d521e50417b67a66b1a77a80e15e721ebff73683d799501b0

Download Submit
C:\Windows\SysWOW64\Dpmjjhmi.exe

Filesize
81KB

MD5
6c92781715d1e63d01864bfbac5c16b0

SHA1
6ca1170db6c5617b13fa673e173e734674cbdd08

SHA256
3a5e845bcc9d986410f3a6f05877e760476685915bc22a513361a3caf4b67c9e

SHA512
499e6795dda47237c7653ee577a61cfcdc1243a853ae86b1738bba253d93c4ab90867ba7075b7f640928d42e151ea0e164577262a928c91d6b272c8ef9fb673a

Download Submit
C:\Windows\SysWOW64\Eceimadb.exe

Filesize
81KB

MD5
81b8a7fa7b31e2d02d5a95d8ca97198c

SHA1
701171d64dad0f34646f70ee917ceeb368a1f239

SHA256
69939598bddd4d1fb4313b47c7f0118ec232e41d6a894ab97821a2b3ceb2c74c

SHA512
6b91e2ee3def487fe7a623af69aa9d410a6002ac8b23d6576c37427ea85c67e20d1d3c953fea0c575a9b2a89a4a00caedf0368151ef9eddf62e5219a04680aea

Download Submit
C:\Windows\SysWOW64\Eoimlc32.exe

Filesize
81KB

MD5
2183253a109254327ddf10bf76a6e61f

SHA1
70987638e328927daeeed97043ccc622080a6005

SHA256
24d263ab588e50591a39d3e1f776fca1ec00ec0eeba43f3aa82db8ae95f84ba9

SHA512
bbee30be16935dfb45dc6aae9acbdc431b27433260d442c534886791e282a64233d7604d8c32fee926da613a72d5223c8345f2575a00d0cb71aa2ad8350617dc

Download Submit
\Windows\SysWOW64\Cddlpg32.exe

Filesize
81KB

MD5
b382904c902e3da8680ba39cfe8f0022

SHA1
467cafdb9933f4b9e9ae4b565cb4b26e1e862bcb

SHA256
76f326a95d4d6efd7ac568b3d4c52c1eedcbbea7eea29ae485dbad55729356b5

SHA512
fca292497f3a879743a7d699744d6d2ed35264e784fc5ba67b102d7ceb5f92140d94b97632f0c6a99890637ddaf97013a67d02b1661b4bd50b38804d8fefb908

Download Submit
\Windows\SysWOW64\Celbik32.exe

Filesize
81KB

MD5
0f9b09ca408eb4573046af6460750261

SHA1
a50ed756024ed2989e560de766de0e1b9260db0a

SHA256
9b604b7b20abdf5a1b207512f45a79b7155a60e14929ecaae6d58e3e5a43a617

SHA512
972afb6b4a83a12734aaca90b4c1f4e799bf3bfc4683682daa847535510b08bcd84af019a2f787fb786895eba38a28ac9dbdb44202cf654d7a270021f8f62468

Download Submit
\Windows\SysWOW64\Ceoooj32.exe

Filesize
81KB

MD5
24704f9f9c2b3b78ed568e78dd0eedb2

SHA1
0bba2d4a5c1f88760b8e9b39ee1004c8ba39c036

SHA256
8c118b161692fcb730787b0152e4dc93efc1c1bdcd925d2436e6a692bbea844c

SHA512
a7be3f0d2eb43b9bd1174146c9549c2df131757ca700165b2f4edcbb0545b918152704db9c9974de4c08da3ab75b5c542066838602f8ed69e6624911c51cc48e

Download Submit
\Windows\SysWOW64\Cfbhlb32.exe

Filesize
81KB

MD5
69751aebb411956835452fabf83a0aef

SHA1
b307a2fd85180416af96183c587b3a05df965806

SHA256
229e1daa9bff72e24532775fe2bcdadba734439e1fba9b944cd89798fb59477c

SHA512
3ab8d42998b3adb8a528520a2def14c03bcc69fb7390c75b709cffb459b2af182677a3859585f4148d3d154313663bc0d5c40ef11917e6e014c62c348644fe26

Download Submit
\Windows\SysWOW64\Ciebdj32.exe

Filesize
81KB

MD5
f550f0ffff1de68f8d098b5e70424d8c

SHA1
0f3afe2c65729343f262aff834c2089da38a43f6

SHA256
3f6897d0a675376f83085bb6709bf1e4f2aae317e71f96b1aeb03fbf4f64bbdc

SHA512
e7941098da449945eed6e75ce9b841a0dd0db191b9fce68b614d443442347245c4b13ff17efb7f160065c854154364b9640a68f1b9cc97ecc2a0a3d4f59da969

Download Submit
\Windows\SysWOW64\Cjikaa32.exe

Filesize
81KB

MD5
8f4cb5ff53c87179fe88791140587221

SHA1
d2b3ced7b1584c88fce271b9ef94a1372d23a416

SHA256
e97a2b2abc49515c0e69ffd353ff90c5b2cf5a743fb4e2cc50933c67b385cba8

SHA512
b871f2e3d55e3f40e06a80d2b9a22320110d5af0b6ad51689719497081fca9020772731062854c67c4b76ab29409a4160d51757971d12515b558b08a4a9f4e17

Download Submit
\Windows\SysWOW64\Claake32.exe

Filesize
81KB

MD5
35e7e7785c8f98c13a98ce80035029df

SHA1
b68e490b58a824b6aa17abfcbfbea909c8e7a3f3

SHA256
e1da2b50a08fe394a01a53a4951f768627c02934f20547ccdc86c3c7a0483184

SHA512
2148508b58c0710145ffd11c9c3e31f2e498de087933aaed8df80504688a8d9eb67d3fffe891bbbf2592a5fab81eaafd58a872f594419bea68ab65d931cfb2f8

Download Submit
\Windows\SysWOW64\Cligkdlm.exe

Filesize
81KB

MD5
a59d8e1c235a797c4fa64f6c211167dc

SHA1
5510149e31b84e1df0b7eb2fcfe351c31de3d115

SHA256
61b4257b54d072d1640ebd3db202dd2e8d56908f4b3aa81355cd2b32a94fe230

SHA512
8786c1c846609c6d404d26ce9fee872ae53b6283646f0d4a2d25082e75fcd7539f7bbb95bbcd849b4f1a44b2765a5fbdfefa826d5cbeec54a41aca8e1c792310

Download Submit
\Windows\SysWOW64\Cmjdcm32.exe

Filesize
81KB

MD5
d85ea84d65817ffd65d4af8e6d48bed1

SHA1
cb9678083e421806f0cef7104ede384fc1e0dcd5

SHA256
5899898f46c1fcd6cca493d7495841e4f152951d2aac1139540772cbd3395ad6

SHA512
6b4476d518e383db643106c8cab2445c1ed6b08d91446b151a6912a1ee4123511e46e9052ee555eb4afb8a0f3c5b8932613975d6d8bccdc881a4dd66a0dfb70d

Download Submit
\Windows\SysWOW64\Cobjmq32.exe

Filesize
81KB

MD5
27de4922d1e4fb696d28570fabb01447

SHA1
7b553f4f53486da45b47a44eedf70a237c1e4794

SHA256
5bc86548aac192725b5a7c8ce1ed21edf05c3cfb839dc34e703fa90aa2a46b82

SHA512
fbc94cc852fdf2931505242fa502b4c03d47e0d022f36244b51d6c345f22dd0b60454511d0aa20d2f5014caf3f3bd1d48038245f66da879bbd191d7fd076ccb7

Download Submit
\Windows\SysWOW64\Codgbqmc.exe

Filesize
81KB

MD5
502e4ff89b8781d2930b9faec6083117

SHA1
79c693b074c288883a41925e87fe1ceab8d9371d

SHA256
b70dcba780dfc6970fb3a4a0db096fdc09d89af5b1ba7815abb3514c63e2292e

SHA512
de539edc47dd4cd81cd75f48a8ccd67d6584cff5f2e8450489a47613335e32987d689e00ed2af0695513b259da32a756c9e685b99f6c7a06b0fb75b2f12de9ca

Download Submit
\Windows\SysWOW64\Coiqmp32.exe

Filesize
81KB

MD5
8ee69feef2cefab489e0304b6dba12c7

SHA1
e39ebf15fe40d12dd9d8ad08b0e7f54690df7f9d

SHA256
b6fcbd1f6fe867c1bdc50255c33d863e4132f1b251a743fef027a61ae3d74877

SHA512
a3266532c33bf0c1c04daa658e322d6ce147326e9d64928a8ccee5b56a0c8105d979c794e012b098f3172017e2c3df8cfeb17325e82ad80061511c4ac05fa1b5

Download Submit
\Windows\SysWOW64\Cpkmehol.exe

Filesize
81KB

MD5
e0fa760b2327d9d5fb26a580b6259ff1

SHA1
4773bbe536e5e87af8d167c5d170e4788c969551

SHA256
2f5b13ab743214e085dbf5cf216693f81739a68c54d3816af2ada3413639279b

SHA512
f78fb0e9c3d79b79bf64bff3365bd697cb4fe23c4107a54e0ba5c7e8313f80c77aaeec3b8d7ee8d38f00bb1bb9886d7c7d54f325b4e75e9de7d9a290c9f4b10b

Download Submit
\Windows\SysWOW64\Dhaefepn.exe

Filesize
81KB

MD5
79bbb327afa4d2fbaa5f7c7207009448

SHA1
076d638d11db626b1ffe11253b3f0e4628692452

SHA256
f43f8459d6834da47f3eb941bcec885be584f241c3ea4bf595e7798f3d4ebeaf

SHA512
84a089d9c77c4b46fd88412d758ba9c0985c99e525995a9588785fd67d432e8ca8dbdd50aae5f526c34a82e8f0d3ad48ba9171e14ad4c9f01ef207503b87dc94

Download Submit
memory/304-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/304-351-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/580-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/580-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-60-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1156-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-7-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1200-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-12-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1200-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-114-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1552-192-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1552-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-326-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1688-330-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1688-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-140-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1908-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-33-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1912-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-179-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2140-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-255-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2152-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-265-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2200-217-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2200-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-230-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2216-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-274-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2244-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-283-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2252-287-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2328-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-239-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2340-293-0x0000000001F30000-0x0000000001F64000-memory.dmp

Filesize
208KB

Download
memory/2340-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-297-0x0000000001F30000-0x0000000001F64000-memory.dmp

Filesize
208KB

Download
memory/2352-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-315-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2352-319-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2352-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-308-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2632-307-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2664-87-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2664-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-74-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2708-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-340-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2816-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-353-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2824-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-47-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2908-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-373-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2960-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-157-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3044-165-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3044-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads