berbew | f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Size

163KB
MD5

eb56e501de3516a6e3a2a649ce88b8f0
SHA1

39b42c2be4911f59268c27a6e29fb7bbc91c3473
SHA256

f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817
SHA512

5a28320ccb49eaf0c188bbdaebfcd611ca881f12b3c90a1a14bfbb990e4e6cbd4b44dd8af67db37c1172a04b17ea66b3a919ac2f02329479df212da2ed87263c
SSDEEP

1536:P5JWsetVI4O5xUxcLMFZF05cKGxeAWWKlProNVU4qNVUrk/9QbfBr+7GwKrPAsqE:BJWsePI4OUxcEZNKltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbfdjdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbfdjdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emkaol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dliijipn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgejac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dliijipn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejhlgaeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cldooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Endhhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmicm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgejac32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 29 IoCs

pid	Process
2552	Cgejac32.exe
2720	Cjdfmo32.exe
2464	Cghggc32.exe
2820	Cldooj32.exe
2456	Ccngld32.exe
1900	Djhphncm.exe
264	Dpbheh32.exe
1404	Dfoqmo32.exe
2908	Dliijipn.exe
2976	Dbfabp32.exe
2020	Djmicm32.exe
2340	Dlkepi32.exe
1724	Dfdjhndl.exe
1456	Dhbfdjdp.exe
1752	Dlnbeh32.exe
2104	Dhdcji32.exe
2440	Enakbp32.exe
3028	Eqpgol32.exe
2872	Ejhlgaeh.exe
1168	Endhhp32.exe
1952	Ekhhadmk.exe
2816	Enfenplo.exe
2364	Ejmebq32.exe
1964	Emkaol32.exe
1892	Ejobhppq.exe
1344	Eqijej32.exe
2680	Ebjglbml.exe
2608	Fjaonpnn.exe
2584	Fkckeh32.exe

Loads dropped DLL 62 IoCs

pid	Process
2080	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
2080	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
2552	Cgejac32.exe
2552	Cgejac32.exe
2720	Cjdfmo32.exe
2720	Cjdfmo32.exe
2464	Cghggc32.exe
2464	Cghggc32.exe
2820	Cldooj32.exe
2820	Cldooj32.exe
2456	Ccngld32.exe
2456	Ccngld32.exe
1900	Djhphncm.exe
1900	Djhphncm.exe
264	Dpbheh32.exe
264	Dpbheh32.exe
1404	Dfoqmo32.exe
1404	Dfoqmo32.exe
2908	Dliijipn.exe
2908	Dliijipn.exe
2976	Dbfabp32.exe
2976	Dbfabp32.exe
2020	Djmicm32.exe
2020	Djmicm32.exe
2340	Dlkepi32.exe
2340	Dlkepi32.exe
1724	Dfdjhndl.exe
1724	Dfdjhndl.exe
1456	Dhbfdjdp.exe
1456	Dhbfdjdp.exe
1752	Dlnbeh32.exe
1752	Dlnbeh32.exe
2104	Dhdcji32.exe
2104	Dhdcji32.exe
2440	Enakbp32.exe
2440	Enakbp32.exe
3028	Eqpgol32.exe
3028	Eqpgol32.exe
2872	Ejhlgaeh.exe
2872	Ejhlgaeh.exe
1168	Endhhp32.exe
1168	Endhhp32.exe
1952	Ekhhadmk.exe
1952	Ekhhadmk.exe
2816	Enfenplo.exe
2816	Enfenplo.exe
2364	Ejmebq32.exe
2364	Ejmebq32.exe
1964	Emkaol32.exe
1964	Emkaol32.exe
1892	Ejobhppq.exe
1892	Ejobhppq.exe
1344	Eqijej32.exe
1344	Eqijej32.exe
2680	Ebjglbml.exe
2680	Ebjglbml.exe
2608	Fjaonpnn.exe
2608	Fjaonpnn.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ejmebq32.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Emkaol32.exe	Ejmebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfdjhndl.exe	Dlkepi32.exe
File opened for modification	C:\Windows\SysWOW64\Enakbp32.exe	Dhdcji32.exe
File created	C:\Windows\SysWOW64\Hhijaf32.dll	Enakbp32.exe
File created	C:\Windows\SysWOW64\Aabagnfc.dll	Ejhlgaeh.exe
File opened for modification	C:\Windows\SysWOW64\Ebjglbml.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Cgejac32.exe	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
File created	C:\Windows\SysWOW64\Dlnbeh32.exe	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Dhdcji32.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Eqpgol32.exe	Enakbp32.exe
File opened for modification	C:\Windows\SysWOW64\Cgejac32.exe	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
File opened for modification	C:\Windows\SysWOW64\Cghggc32.exe	Cjdfmo32.exe
File opened for modification	C:\Windows\SysWOW64\Dbfabp32.exe	Dliijipn.exe
File created	C:\Windows\SysWOW64\Dhbfdjdp.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Ecdjal32.dll	Dliijipn.exe
File created	C:\Windows\SysWOW64\Kncphpjl.dll	Dlnbeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfoqmo32.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Djmicm32.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Dhhlgc32.dll	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Akigbbni.dll	Cldooj32.exe
File opened for modification	C:\Windows\SysWOW64\Dpbheh32.exe	Djhphncm.exe
File created	C:\Windows\SysWOW64\Joliff32.dll	Djhphncm.exe
File created	C:\Windows\SysWOW64\Dfoqmo32.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Mghohc32.dll	Cgejac32.exe
File created	C:\Windows\SysWOW64\Mcfidhng.dll	Dpbheh32.exe
File opened for modification	C:\Windows\SysWOW64\Djmicm32.exe	Dbfabp32.exe
File opened for modification	C:\Windows\SysWOW64\Eqijej32.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Dpbheh32.exe	Djhphncm.exe
File created	C:\Windows\SysWOW64\Nnfbei32.dll	Dhbfdjdp.exe
File opened for modification	C:\Windows\SysWOW64\Dhdcji32.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Enfenplo.exe	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Hdjlnm32.dll	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
File opened for modification	C:\Windows\SysWOW64\Cjdfmo32.exe	Cgejac32.exe
File created	C:\Windows\SysWOW64\Cldooj32.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Jaegglem.dll	Ccngld32.exe
File opened for modification	C:\Windows\SysWOW64\Emkaol32.exe	Ejmebq32.exe
File opened for modification	C:\Windows\SysWOW64\Ejobhppq.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fjaonpnn.exe
File created	C:\Windows\SysWOW64\Lchkpi32.dll	Ekhhadmk.exe
File opened for modification	C:\Windows\SysWOW64\Dliijipn.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Dlkepi32.exe	Djmicm32.exe
File opened for modification	C:\Windows\SysWOW64\Eqpgol32.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Ejhlgaeh.exe	Eqpgol32.exe
File opened for modification	C:\Windows\SysWOW64\Dlnbeh32.exe	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Enakbp32.exe	Dhdcji32.exe
File opened for modification	C:\Windows\SysWOW64\Endhhp32.exe	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Ekgednng.dll	Emkaol32.exe
File created	C:\Windows\SysWOW64\Dliijipn.exe	Dfoqmo32.exe
File opened for modification	C:\Windows\SysWOW64\Dlkepi32.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Jdjfho32.dll	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Oghiae32.dll	Dfdjhndl.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fjaonpnn.exe
File created	C:\Windows\SysWOW64\Epjomppp.dll	Dfoqmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ejhlgaeh.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Eqijej32.exe	Ejobhppq.exe
File opened for modification	C:\Windows\SysWOW64\Fjaonpnn.exe	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Ebjglbml.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Fjaonpnn.exe	Ebjglbml.exe
File opened for modification	C:\Windows\SysWOW64\Cldooj32.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Ccngld32.exe	Cldooj32.exe
File created	C:\Windows\SysWOW64\Dbfabp32.exe	Dliijipn.exe
File created	C:\Windows\SysWOW64\Amfidj32.dll	Endhhp32.exe
File created	C:\Windows\SysWOW64\Cjdfmo32.exe	Cgejac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2584	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfoqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejmebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enakbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejobhppq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjaonpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgejac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjdfmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cldooj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlnbeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejhlgaeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enfenplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djhphncm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqpgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emkaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpbheh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmicm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekhhadmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdjhndl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccngld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dliijipn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbfdjdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Endhhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqijej32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll"	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cldooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Endhhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emkaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enakbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll"	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll"	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll"	Dhbfdjdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll"	Ejmebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqijej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2552	2080	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe	28
PID 2080 wrote to memory of 2552	2080	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe	28
PID 2080 wrote to memory of 2552	2080	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe	28
PID 2080 wrote to memory of 2552	2080	f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe	28
PID 2552 wrote to memory of 2720	2552	Cgejac32.exe	29
PID 2552 wrote to memory of 2720	2552	Cgejac32.exe	29
PID 2552 wrote to memory of 2720	2552	Cgejac32.exe	29
PID 2552 wrote to memory of 2720	2552	Cgejac32.exe	29
PID 2720 wrote to memory of 2464	2720	Cjdfmo32.exe	30
PID 2720 wrote to memory of 2464	2720	Cjdfmo32.exe	30
PID 2720 wrote to memory of 2464	2720	Cjdfmo32.exe	30
PID 2720 wrote to memory of 2464	2720	Cjdfmo32.exe	30
PID 2464 wrote to memory of 2820	2464	Cghggc32.exe	31
PID 2464 wrote to memory of 2820	2464	Cghggc32.exe	31
PID 2464 wrote to memory of 2820	2464	Cghggc32.exe	31
PID 2464 wrote to memory of 2820	2464	Cghggc32.exe	31
PID 2820 wrote to memory of 2456	2820	Cldooj32.exe	32
PID 2820 wrote to memory of 2456	2820	Cldooj32.exe	32
PID 2820 wrote to memory of 2456	2820	Cldooj32.exe	32
PID 2820 wrote to memory of 2456	2820	Cldooj32.exe	32
PID 2456 wrote to memory of 1900	2456	Ccngld32.exe	33
PID 2456 wrote to memory of 1900	2456	Ccngld32.exe	33
PID 2456 wrote to memory of 1900	2456	Ccngld32.exe	33
PID 2456 wrote to memory of 1900	2456	Ccngld32.exe	33
PID 1900 wrote to memory of 264	1900	Djhphncm.exe	34
PID 1900 wrote to memory of 264	1900	Djhphncm.exe	34
PID 1900 wrote to memory of 264	1900	Djhphncm.exe	34
PID 1900 wrote to memory of 264	1900	Djhphncm.exe	34
PID 264 wrote to memory of 1404	264	Dpbheh32.exe	35
PID 264 wrote to memory of 1404	264	Dpbheh32.exe	35
PID 264 wrote to memory of 1404	264	Dpbheh32.exe	35
PID 264 wrote to memory of 1404	264	Dpbheh32.exe	35
PID 1404 wrote to memory of 2908	1404	Dfoqmo32.exe	36
PID 1404 wrote to memory of 2908	1404	Dfoqmo32.exe	36
PID 1404 wrote to memory of 2908	1404	Dfoqmo32.exe	36
PID 1404 wrote to memory of 2908	1404	Dfoqmo32.exe	36
PID 2908 wrote to memory of 2976	2908	Dliijipn.exe	37
PID 2908 wrote to memory of 2976	2908	Dliijipn.exe	37
PID 2908 wrote to memory of 2976	2908	Dliijipn.exe	37
PID 2908 wrote to memory of 2976	2908	Dliijipn.exe	37
PID 2976 wrote to memory of 2020	2976	Dbfabp32.exe	38
PID 2976 wrote to memory of 2020	2976	Dbfabp32.exe	38
PID 2976 wrote to memory of 2020	2976	Dbfabp32.exe	38
PID 2976 wrote to memory of 2020	2976	Dbfabp32.exe	38
PID 2020 wrote to memory of 2340	2020	Djmicm32.exe	39
PID 2020 wrote to memory of 2340	2020	Djmicm32.exe	39
PID 2020 wrote to memory of 2340	2020	Djmicm32.exe	39
PID 2020 wrote to memory of 2340	2020	Djmicm32.exe	39
PID 2340 wrote to memory of 1724	2340	Dlkepi32.exe	40
PID 2340 wrote to memory of 1724	2340	Dlkepi32.exe	40
PID 2340 wrote to memory of 1724	2340	Dlkepi32.exe	40
PID 2340 wrote to memory of 1724	2340	Dlkepi32.exe	40
PID 1724 wrote to memory of 1456	1724	Dfdjhndl.exe	41
PID 1724 wrote to memory of 1456	1724	Dfdjhndl.exe	41
PID 1724 wrote to memory of 1456	1724	Dfdjhndl.exe	41
PID 1724 wrote to memory of 1456	1724	Dfdjhndl.exe	41
PID 1456 wrote to memory of 1752	1456	Dhbfdjdp.exe	42
PID 1456 wrote to memory of 1752	1456	Dhbfdjdp.exe	42
PID 1456 wrote to memory of 1752	1456	Dhbfdjdp.exe	42
PID 1456 wrote to memory of 1752	1456	Dhbfdjdp.exe	42
PID 1752 wrote to memory of 2104	1752	Dlnbeh32.exe	43
PID 1752 wrote to memory of 2104	1752	Dlnbeh32.exe	43
PID 1752 wrote to memory of 2104	1752	Dlnbeh32.exe	43
PID 1752 wrote to memory of 2104	1752	Dlnbeh32.exe	43

C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
"C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\Cgejac32.exe
  C:\Windows\system32\Cgejac32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\Cjdfmo32.exe
    C:\Windows\system32\Cjdfmo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\Cghggc32.exe
      C:\Windows\system32\Cghggc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\Cldooj32.exe
        
        C:\Windows\system32\Cldooj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Ccngld32.exe
        
        C:\Windows\system32\Ccngld32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Djhphncm.exe
        
        C:\Windows\system32\Djhphncm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Dpbheh32.exe
        
        C:\Windows\system32\Dpbheh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Dliijipn.exe
        
        C:\Windows\system32\Dliijipn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Djmicm32.exe
        
        C:\Windows\system32\Djmicm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Dfdjhndl.exe
        
        C:\Windows\system32\Dfdjhndl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Dhbfdjdp.exe
        
        C:\Windows\system32\Dhbfdjdp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Dlnbeh32.exe
        
        C:\Windows\system32\Dlnbeh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Dhdcji32.exe
        
        C:\Windows\system32\Dhdcji32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Enakbp32.exe
        
        C:\Windows\system32\Enakbp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ejhlgaeh.exe
        
        C:\Windows\system32\Ejhlgaeh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Endhhp32.exe
        
        C:\Windows\system32\Endhhp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Ekhhadmk.exe
        
        C:\Windows\system32\Ekhhadmk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Ejmebq32.exe
        
        C:\Windows\system32\Ejmebq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Emkaol32.exe
        
        C:\Windows\system32\Emkaol32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfoqmo32.exe

Filesize
163KB

MD5
64817d8d830e775a170189243b9cef14

SHA1
a8452fdf84f35ca0f10cbbe564dd67e2afc9a97d

SHA256
33d30cae363514c4e9ad49bae1a7958c4d33d69201340fcf5d85c268bc5cab45

SHA512
99ad669663a858aac5b0c789207a716b50d46894f1c0cdb355a4f9bf603a804f342266a90553f6b7a6e844bce63aad6a05fd38049e1cea3e52cbb9dc12d1f8a0

Download Submit
C:\Windows\SysWOW64\Dlkepi32.exe

Filesize
163KB

MD5
7f59166b7dbc5bdc484f8bcad41d57ee

SHA1
d0beb6156b1c57318771f5b1994528f057b46a6b

SHA256
5b6e0a435b967b2c1c4835cce7f82301c4396da8e868e43c76f7f7352da01d95

SHA512
7bfd234e05580cad3f0b58886c065d95fb62044ad5d0e0e4a4c7057c9a031781d2b780a80a39261dfc8566b27a8f0a7320ba47b2b22e078b8c420de87fcbf8d8

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
163KB

MD5
7c92cde500b121e7c6fb6c2590678834

SHA1
86114a0f71a601275eead26c892e0417641ad890

SHA256
749f45bd293ad07dd7b91f3fd06822adb032508051d8bf4525aa619691c4656e

SHA512
9d79cc366568e02b3e3ae9b2ed418a7415d2ced558027e3dd8970fba88b2ff716ef955d8a9214bcfe636ec5fa7557c40c0b8a65d7e5eb2b42c3fc93e9edacca4

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
163KB

MD5
1659d67911b2244961134d2858e4580e

SHA1
3d7244c09c85e33c54009b0d26bf8b4ce265f2ac

SHA256
a7a9b19fd6cb6d385dde155ffa69a767b6d4c2a028318aaf9a1b6a8fad38214d

SHA512
e91364824b9375da652a351d3fbee2c3aed3b098517a7624264c98d80279f252fb36ffbdf8ef6249a1288b5ab3e71c1416da7e79203cd15e20cb3ae6dc2dad2a

Download Submit
C:\Windows\SysWOW64\Ejmebq32.exe

Filesize
163KB

MD5
ce6f27dbcbb0a48cf936badea548f33c

SHA1
02a55d87e92e965e73426ff835430931ed6a504a

SHA256
3dd282f70d588e1098408beb5a44afa0101afadc3b36df0e469a17ef906ec19c

SHA512
5209b35fa3a8faa30bd2a5eb25b462292bb9f5b9993b9f3f83905023da7cc21e20312fd7b82900b648c0de311957c20afa8095aa4021959e6661c0cce66e5e34

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
163KB

MD5
5b53725ef1d550d9434d21c9dd01087f

SHA1
d9ee949716d818547625ec6b85e24afef72fe0f5

SHA256
a6603c9ab1214b6501b593333e5e50a1f11c088abfa72c1fdadfa2934887d7dc

SHA512
0a7e90b8fce0ee99d9d256a60b9d71ad56ef437d46df6481bfa78ba559995f025ed1ab6a03ef61891548d55c3bcad3b54c27477544e90a7eed737245bafd53a6

Download Submit
C:\Windows\SysWOW64\Ekhhadmk.exe

Filesize
163KB

MD5
b4a0c9457eaf04e1b8f9d814e4ac56ba

SHA1
676e36d5332cde93881487c8917b953ccd5dc49c

SHA256
6e753282d0e9dec2ebb266ebbcb3778c1e661e6625ba0751173869e40696c08d

SHA512
571b4ffed0e0b6ac0299f0a6e7160cfa6c4cb042acf2db9137dcdec16c2485453ffde3163a1da2bcfde2f3e45a21ed3a4b9c5eeb9c6db2e185478303f2501288

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
163KB

MD5
61114b6aff63304bb6b6695711dcacfa

SHA1
6f103e80c5f373bde19260461b0d170c267b1950

SHA256
8b6eb84cfa41fc2231ada4e7a0d7de96e7c844f3bdec08c0ebade7363ed95f25

SHA512
3906d432ee632aacdaabd3524642048fc1f04aa2c3a56717c2b49180b4150f0be91fc28c37d470c598a3b6d4d4772b79c038bb97b924acc97d4fefb2ecd52f1e

Download Submit
C:\Windows\SysWOW64\Enakbp32.exe

Filesize
163KB

MD5
51809ce37655d28ec2f4b76f14f4eab5

SHA1
ec78ffd564e6820025c6783fb934a893aea68a00

SHA256
d26ae8801516940f877e2365366abf5a7902d556e90112d9a7c02f4a7c4bdd6d

SHA512
49752f73c9b9c422b0c8be4949c8c5e16e261202b4d5d500b93dde448043206a6c99c1248b33082a514a6d21cab6161174ea25d7e6da01954ddceb11c9eff474

Download Submit
C:\Windows\SysWOW64\Endhhp32.exe

Filesize
163KB

MD5
c53d3d1aef3c1d128140cb24b70fbf46

SHA1
3f25984c91525ce68004441b41dd1caa15e9e2f5

SHA256
1d4230f8a6119187b47d522aa481077cb73770189565ff6d3b702a5d1a0bea8b

SHA512
01a484db8d38e9a01a9d357ecd230a5e79e617d56b12ab5480851a77006a0d9ed36dd5330ada52880edb5f26c77094a3292b8932c8e14f210aa78045c12c0018

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
163KB

MD5
ccc4d4bb5d2ebe72c1db234530024350

SHA1
dc76159a470afb1a2d09ed40cb207ebeeb0950f8

SHA256
49e1eefb9307bbb1c3506a141bf24683a1bdfef0db883d679959307e9a2924a6

SHA512
12c432ec47b94b22309723773642cba808e7ec295ceb0adabb8fe655d3572e48a5784096a168526fa4e43244d65235737b3b6085d1036fb1c2548de3d96c37cc

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
163KB

MD5
de86084bcc4572de1152226902b4dbb1

SHA1
44465da3ed7e23b0de821b9be122dbe8ce0890c5

SHA256
cbaa10f7173c046699c379099340c46718efed7d1342e5c5d8bd0e8e363805c4

SHA512
97e1f3cfbdec0e82940e571a3c00750476b9ce4eaa2a36433ecb5bae72eb40f85b2dc442ab43924d8ed29f935d53a097820e3f86cfa5c99697868a18fe18e1bd

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
163KB

MD5
52f89dc295839fcc1ee246924dff7f0f

SHA1
d804ea748f627573e8dfc1716475fe79a6515698

SHA256
b9114fe8b10ae226c89355571a17c44d4d1852e9e459e4150bd441e598cdf15d

SHA512
57279ab09f3bde932c2ad7b403c6e3d0fc6f4e514c4bc403ef694f75d7a6e224a187967e11d1f412a271132e4c1e838370c5f79fa5400a0945ffdcd6c8e9f1af

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
163KB

MD5
81c6ece686f5ab315e98dcaa36975b0f

SHA1
86580e3facb1e1d13fd3a1fece88f6b9eeae2221

SHA256
773328a8cffbf8dc3820715e0750defc8f1fbfdebdd58ea3515adf151aa33c4c

SHA512
dfb91fea32e71d27337b13fba1271bcfdbbe38005f0ed8bebc4e4838191b7a9fc1cf9c09ffb5e623119d39ba24505acc0405ee75fa66c2606b3f057c23f73f39

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
163KB

MD5
755e50025ee50b5cfd65b6870accb541

SHA1
180c254154ee54aea0be52341e171a3a4393989c

SHA256
2d0917b83ce887b671a73443dcb100aeb9630fa90c1f3e5a7c7e30e08fe7801b

SHA512
f2dae174639c20e4d2768fae6c633c4c6fafa6523b791bb7b0040957ceb73cb65f4884dd880c11912ba2819efe62cf6a8e42766f9486be893e8464c603c6ab34

Download Submit
\Windows\SysWOW64\Ccngld32.exe

Filesize
163KB

MD5
40d8a26dd7e8118a899fa92651f53795

SHA1
6cedbf9ab3d8beaa8f7f40d6bfb86488e8d2fe22

SHA256
345022a6778f5ed95f84c0a937829d055ad4b08ea7d552c24e09d6b008646000

SHA512
b285cdd2559827269d8323929564e675f83c1eca204f3b44b2a67439c005a35fd8e4106b013876231d8d69a19b88db2ba7b3c3c1b150d942b2931e6bfa3ccb08

Download Submit
\Windows\SysWOW64\Cgejac32.exe

Filesize
163KB

MD5
b33d707eee5f65f024b10b25ee468c49

SHA1
37357390c53d9a728277615569bef8899a7e6944

SHA256
e201755091d02b30b2d6f56c1cad86bd6f02a693c60a2da96c050018f260a1b0

SHA512
8ff8a20b89912f9ee5a9a855bf4ab6f687b1342fdbfeb0ea17e6b1cf5aa1123ef8c650c7b92b70d417841ef419d6a4d697bc64bec5c92d91acdf46b5726d201a

Download Submit
\Windows\SysWOW64\Cghggc32.exe

Filesize
163KB

MD5
7f16c292cef178cced15a87047030ae5

SHA1
94377f8916931efb5a13cd0c6f9465ab7ef5d64e

SHA256
160694d6f5d123bdca722ef812ebb2372a989b3c3b50576752c5d79e6823ab14

SHA512
7137d7f920b77ef2cce5de3ee83110d1dbe896b0afc9f6972b6ec42563000d3f9c8bfd659263e36df2b953bcc7e0c1ff97dedfbf103e08bdd631665f2835f6b4

Download Submit
\Windows\SysWOW64\Cjdfmo32.exe

Filesize
163KB

MD5
a192190a5d922f94b68e2f8944a2fe61

SHA1
5d19335b4856b89896a94385eabe0fab73d2e7e8

SHA256
cfc64c84d14ae4e91abf5e2154d13a911c10b8934fc38edfa88e3d99af0b5d71

SHA512
1687e3034c675af6bb52a3c5b9483bd58bc338b5686330c9bbb6e9e5a1c84f382d5d711b285401db48d4ae50351d1d7a3a8f632927e3f93b298c810d43496356

Download Submit
\Windows\SysWOW64\Cldooj32.exe

Filesize
163KB

MD5
7bb92cd263ec6820dcbcfb8149306b83

SHA1
04c91c095f361538a1ab60da9840a8866d0a242b

SHA256
6ddb9edee3fd9ecbecd6a884f9eaa901ab91506b680d28e5afd14c3b755941d3

SHA512
f45bbb8b3392f8c18dd16211d78d3730f62d526630c3fd159844581dd224d41945595523a57c77ba3ec1262c637edcc5382ce17703d73d7cb79d49eeaba89c9e

Download Submit
\Windows\SysWOW64\Dbfabp32.exe

Filesize
163KB

MD5
8d288d2315246dbe95643bb1e3d3435e

SHA1
0f85b9dfcb2695489933d5bb24f6fb3ec918d7e2

SHA256
c3bab760d2f7087296c702e8a822bb91374e6adc521f16a9e39eeba6af225371

SHA512
33e4e3a3838b47b7b074b796bf82cd69d8eb1c00dd0eedab413bb899f1254308d31d16720238dd87b078e105415543a02c77c1b66690b696b56fcebbb74fce88

Download Submit
\Windows\SysWOW64\Dfdjhndl.exe

Filesize
163KB

MD5
138eb685b92331139522f83d3b304750

SHA1
189dee5f4ea1f1a635e8e70a41af0c737959b75c

SHA256
4c582da6bc650e64b225e0a051fba851fc4befb6bc99b2c1a1847d3384cb6d3a

SHA512
4d95220ea6d564a2f055a3ddbe72a5826d86aee60e512a41821f47106aa6557f10a59e8443ae1c2e4fa1e270ccef58f7b49962fb2e8e0e9b35aac9f858d149f0

Download Submit
\Windows\SysWOW64\Dhbfdjdp.exe

Filesize
163KB

MD5
d7fd9aa96361d5480c75613e4d1bdbde

SHA1
6884db8648072c49b40fd2facf611fe47042ae17

SHA256
d3d3dfd8f69abb9026f3aa642a3f5891dcc44fe54b7042f072b9069cc222bfc0

SHA512
bec0dbf45c5ea6675019bf859978f9153295f3f2f6ab96400cb87c20709b7b5fee069dc835030cec998fd6d0709ef8e917308a248945ca7470fdbbdbf53e350e

Download Submit
\Windows\SysWOW64\Dhdcji32.exe

Filesize
163KB

MD5
c4158fe9918e4fd5420332deed43535a

SHA1
1b0a607f75de0caf072ed8378d6e4df9d5de91bd

SHA256
0c2b2c3045b31cd08401385fd101cea6f52e1e85aab4a378778ee17ca48d1155

SHA512
74f8dcbf2fc31dbfe15f40b427b44f537435885282af44f11e0743a11783673b72a764eb12624e6abd70d7fe003adf093dfeefc57f4f1d85c5b74369a2410b41

Download Submit
\Windows\SysWOW64\Djhphncm.exe

Filesize
163KB

MD5
fad96ee791382cd7444e299b944ffcf3

SHA1
0ecbb48e029e1ab8e88bb278e1dccf2120e930c9

SHA256
50c710f9024479ea83e85a838215e632b9ba71ded00af00682a70a517dfb7f77

SHA512
3a054500ee609667bc934449126e1912c42368fc75f8fee40c8d0942de315fd901e18f3249d775a63a74ca4ec1ae06f425ccbec4d67f531a96e6593b1ac343b8

Download Submit
\Windows\SysWOW64\Djmicm32.exe

Filesize
163KB

MD5
a2603b441211b4d479338b7f5b0de362

SHA1
3d8f50825e4e10dcf8d1f465f9d7454391fef85c

SHA256
8aa30b1f55dd67e9f051271d085377aa2b7a474038d4254be6cbf6a207ead7ba

SHA512
a3546ec161a5b1ede15e79c75291e2ac463b8cfaf8b5c5661e8e9ce81357dda6c45ad086d864f4a0e43e98d7058504a0e72f0fc23c29a2d11d7a87203d0f0fa5

Download Submit
\Windows\SysWOW64\Dliijipn.exe

Filesize
163KB

MD5
20f3fd9f048f8a53a96cbd7b280e812d

SHA1
a436bc7c231b11941dc7e924452366347fa5b5ff

SHA256
824d222564650067f456c016db40996329dd3bf91615486831f239d5342c722d

SHA512
902ebdc34401563020c930559da67aa63c21622e19f7b5f29aae0a5916f6fd42f557674f62cf3929f0dc6518cbc177b41d32ce78c28f2221106ec8b33fce018d

Download Submit
\Windows\SysWOW64\Dlnbeh32.exe

Filesize
163KB

MD5
e42dcb446b05c540d285b7c804028b7d

SHA1
805e358ec28f3d7b48e15ef8861ce8dcd7b9f3af

SHA256
934f3a29d8a452f05cda6b01f5f2d2f666f795ef426f9e11b78798e9e55b6615

SHA512
3cf2d20685fca6602f14dff2bf4e3a75f71d78e63872f99bd87a910eaca7d566a23637e8507c1e27eaa3f004639ecc3471e9fa1daa169dcc9d570ff3fa97d2d2

Download Submit
\Windows\SysWOW64\Dpbheh32.exe

Filesize
163KB

MD5
49c6b0ce35f890029b360687a48667d3

SHA1
14db3367a7fe2c4cd95b91d9ee0b6e1c4b166416

SHA256
b347aff69c5dd1d04667f4459a958c86159d61e94bf3ae996e8092612ffadf01

SHA512
a7bf5a2a7f1ec7665f9f882e24d5ac4c6fa0d537e17f1a62b06e23ffa6262889ad92882f382aac15caa5477cc3b6214308fa68ca703e6c69c1d28384ddfdc783

Download Submit
memory/264-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1168-253-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1168-263-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1168-262-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1168-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1344-326-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1344-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1344-327-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1344-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-112-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1456-194-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1456-189-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1456-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1456-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1724-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1752-393-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1752-207-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/1752-208-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/1892-316-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1892-315-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1892-362-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1892-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1900-90-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/1900-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1952-269-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/1952-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1952-273-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/1964-295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-305-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/1964-363-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-304-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2020-387-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2020-385-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-403-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-16-0x0000000001FC0000-0x0000000002013000-memory.dmp

Filesize
332KB

Download
memory/2080-405-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-220-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2104-210-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2340-386-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2340-163-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2340-155-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2364-291-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2364-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2364-289-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2440-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2440-231-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2440-230-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2440-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2440-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2456-78-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2456-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2464-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2552-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2552-18-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2584-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2584-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2608-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2608-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2608-348-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2608-349-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2680-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-341-0x0000000000340000-0x0000000000393000-memory.dmp

Filesize
332KB

Download
memory/2680-343-0x0000000000340000-0x0000000000393000-memory.dmp

Filesize
332KB

Download
memory/2680-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-409-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-34-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2720-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-280-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2816-367-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-284-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2816-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2820-400-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2820-60-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2820-52-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2872-252-0x0000000002010000-0x0000000002063000-memory.dmp

Filesize
332KB

Download
memory/2872-251-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2872-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2872-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2908-391-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2908-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2976-390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2976-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2976-130-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3028-375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3028-242-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/3028-241-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/3028-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3028-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads