berbew | ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
Size

163KB
MD5

402cdfe5d9d9ba1ae3940db9fda6a0a0
SHA1

0fe3c36f37331247c91f922cba7025db9a8da30d
SHA256

ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea
SHA512

c778bf3d8ba97b4244c9e8c4e188b6cc68169fb4242239260ca4e82f54b66c378d1c71c5e2a9f12994186012275505b80b5081764760e0562e7be0960c70c589
SSDEEP

1536:P37Sybod+kQ+exWF8o99ZKZ7q2TI6eJhYUXJpmFT29TlProNVU4qNVUrk/9QbfBR:2ybod2+1Fta3K3+kTltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 35 IoCs

pid	Process
724	Bcjlcn32.exe
3920	Bnpppgdj.exe
4132	Bclhhnca.exe
1220	Bnbmefbg.exe
4860	Bapiabak.exe
3548	Cfmajipb.exe
2552	Cmgjgcgo.exe
1824	Cdabcm32.exe
1864	Cjkjpgfi.exe
744	Caebma32.exe
4804	Chokikeb.exe
2368	Cnicfe32.exe
4520	Ceckcp32.exe
2828	Cfdhkhjj.exe
220	Cnkplejl.exe
1212	Cajlhqjp.exe
1364	Chcddk32.exe
3852	Cjbpaf32.exe
740	Calhnpgn.exe
3600	Dfiafg32.exe
1012	Dmcibama.exe
4656	Dejacond.exe
3992	Dfknkg32.exe
2496	Dmefhako.exe
1452	Delnin32.exe
4028	Dhkjej32.exe
1528	Dfnjafap.exe
4220	Dodbbdbb.exe
4368	Deokon32.exe
620	Dhmgki32.exe
3360	Dkkcge32.exe
2976	Dogogcpo.exe
1152	Deagdn32.exe
3648	Dknpmdfc.exe
4588	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3136	4588	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 724	3128	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe	84
PID 3128 wrote to memory of 724	3128	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe	84
PID 3128 wrote to memory of 724	3128	ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe	84
PID 724 wrote to memory of 3920	724	Bcjlcn32.exe	85
PID 724 wrote to memory of 3920	724	Bcjlcn32.exe	85
PID 724 wrote to memory of 3920	724	Bcjlcn32.exe	85
PID 3920 wrote to memory of 4132	3920	Bnpppgdj.exe	86
PID 3920 wrote to memory of 4132	3920	Bnpppgdj.exe	86
PID 3920 wrote to memory of 4132	3920	Bnpppgdj.exe	86
PID 4132 wrote to memory of 1220	4132	Bclhhnca.exe	87
PID 4132 wrote to memory of 1220	4132	Bclhhnca.exe	87
PID 4132 wrote to memory of 1220	4132	Bclhhnca.exe	87
PID 1220 wrote to memory of 4860	1220	Bnbmefbg.exe	88
PID 1220 wrote to memory of 4860	1220	Bnbmefbg.exe	88
PID 1220 wrote to memory of 4860	1220	Bnbmefbg.exe	88
PID 4860 wrote to memory of 3548	4860	Bapiabak.exe	89
PID 4860 wrote to memory of 3548	4860	Bapiabak.exe	89
PID 4860 wrote to memory of 3548	4860	Bapiabak.exe	89
PID 3548 wrote to memory of 2552	3548	Cfmajipb.exe	90
PID 3548 wrote to memory of 2552	3548	Cfmajipb.exe	90
PID 3548 wrote to memory of 2552	3548	Cfmajipb.exe	90
PID 2552 wrote to memory of 1824	2552	Cmgjgcgo.exe	91
PID 2552 wrote to memory of 1824	2552	Cmgjgcgo.exe	91
PID 2552 wrote to memory of 1824	2552	Cmgjgcgo.exe	91
PID 1824 wrote to memory of 1864	1824	Cdabcm32.exe	92
PID 1824 wrote to memory of 1864	1824	Cdabcm32.exe	92
PID 1824 wrote to memory of 1864	1824	Cdabcm32.exe	92
PID 1864 wrote to memory of 744	1864	Cjkjpgfi.exe	93
PID 1864 wrote to memory of 744	1864	Cjkjpgfi.exe	93
PID 1864 wrote to memory of 744	1864	Cjkjpgfi.exe	93
PID 744 wrote to memory of 4804	744	Caebma32.exe	94
PID 744 wrote to memory of 4804	744	Caebma32.exe	94
PID 744 wrote to memory of 4804	744	Caebma32.exe	94
PID 4804 wrote to memory of 2368	4804	Chokikeb.exe	95
PID 4804 wrote to memory of 2368	4804	Chokikeb.exe	95
PID 4804 wrote to memory of 2368	4804	Chokikeb.exe	95
PID 2368 wrote to memory of 4520	2368	Cnicfe32.exe	96
PID 2368 wrote to memory of 4520	2368	Cnicfe32.exe	96
PID 2368 wrote to memory of 4520	2368	Cnicfe32.exe	96
PID 4520 wrote to memory of 2828	4520	Ceckcp32.exe	97
PID 4520 wrote to memory of 2828	4520	Ceckcp32.exe	97
PID 4520 wrote to memory of 2828	4520	Ceckcp32.exe	97
PID 2828 wrote to memory of 220	2828	Cfdhkhjj.exe	98
PID 2828 wrote to memory of 220	2828	Cfdhkhjj.exe	98
PID 2828 wrote to memory of 220	2828	Cfdhkhjj.exe	98
PID 220 wrote to memory of 1212	220	Cnkplejl.exe	99
PID 220 wrote to memory of 1212	220	Cnkplejl.exe	99
PID 220 wrote to memory of 1212	220	Cnkplejl.exe	99
PID 1212 wrote to memory of 1364	1212	Cajlhqjp.exe	100
PID 1212 wrote to memory of 1364	1212	Cajlhqjp.exe	100
PID 1212 wrote to memory of 1364	1212	Cajlhqjp.exe	100
PID 1364 wrote to memory of 3852	1364	Chcddk32.exe	102
PID 1364 wrote to memory of 3852	1364	Chcddk32.exe	102
PID 1364 wrote to memory of 3852	1364	Chcddk32.exe	102
PID 3852 wrote to memory of 740	3852	Cjbpaf32.exe	103
PID 3852 wrote to memory of 740	3852	Cjbpaf32.exe	103
PID 3852 wrote to memory of 740	3852	Cjbpaf32.exe	103
PID 740 wrote to memory of 3600	740	Calhnpgn.exe	104
PID 740 wrote to memory of 3600	740	Calhnpgn.exe	104
PID 740 wrote to memory of 3600	740	Calhnpgn.exe	104
PID 3600 wrote to memory of 1012	3600	Dfiafg32.exe	105
PID 3600 wrote to memory of 1012	3600	Dfiafg32.exe	105
PID 3600 wrote to memory of 1012	3600	Dfiafg32.exe	105
PID 1012 wrote to memory of 4656	1012	Dmcibama.exe	106

C:\Users\Admin\AppData\Local\Temp\ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe
"C:\Users\Admin\AppData\Local\Temp\ce1ea0b73daab1b2bea395d14be470f6c2a00cb9c371e0ecd01423e09c534eea.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\SysWOW64\Bcjlcn32.exe
  C:\Windows\system32\Bcjlcn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\SysWOW64\Bnpppgdj.exe
    C:\Windows\system32\Bnpppgdj.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\Bclhhnca.exe
      C:\Windows\system32\Bclhhnca.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4132
    - - C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
      - C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 396
        37⤵
        Program crash
        
        PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4588 -ip 4588
1⤵
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
163KB

MD5
4984a56255b501ece94dadbd1bd11a69

SHA1
dae095e8fcf5a377a35447580572104f5c08162f

SHA256
6cecfdc266bb5ba1de79e897ecd86f367de5c333662a73780c19527c86b5364f

SHA512
23d86150034161a72220ce7a50fba572f6f9c0480fc348cf8c3a08700d1104376aa08e6ff6e0b9e2a2e2cd9dac67913397ecf094047c5daa0063d9ea24b9b27c

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
163KB

MD5
1de0d74f8336c7464540f7c9e98b3b9c

SHA1
b1e090b185ce85b5648726ed1d6190dae9328e71

SHA256
88b66551534cf214658b56c39b7856c0e56bce171a5d42c604483bae5deb88ec

SHA512
7c7319bc43ee32ec29213bd89efd9d81a1eb729e47d29494d1d62cf0ab513802a9474f73dbc916b190449472c56778a238d5c1282a5f397fad0fa3724034b795

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
163KB

MD5
90e70dea281fca0970981ec1a8019a0b

SHA1
d4983efda2eb65a640feb5c5bfd1c6410b5e6098

SHA256
a25c6b5348dad4e5c7e99364c1c0f1b8736e1419089dfd00b07d5475c668a356

SHA512
4114b9bdd1b06380eba612c557ab6b57384b83c0fea8c94ca391f64b4758e5803a139f61d1fe1d6c557dd7a9898804dcd5f83449e74ffc0679a1b01f45215947

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
163KB

MD5
a96236d7be52a58a6c85214fa29c2576

SHA1
066d6917dd7964eaa1b89f75fdea92666e151c3a

SHA256
e9d050f44f234a310b043ebe41313cdce0e64492394782d6c83e135e658a605b

SHA512
76367ae87489ee02f56fe10829552b045a3842fd035ebce0a4f46d4a19bf35e110f9b82767267612b928dc1aecc95a91428af8168044d6ec3c372498e277a42f

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
163KB

MD5
c976491ecf935c82b74b0d706d2d0a45

SHA1
89d431381ed55095de7b8deafdf90b564b51db8d

SHA256
8b4dc44012915f3b81eeddb3559dc899c3f568ec51e45c1bbc77374daf7147c8

SHA512
837224fdf29968b5632df331e6bb905a2b41a30ae5e5cc65ee3a1889a7b9de3a4c7dac0dd3e9d1ba59958feb5fcf830a6eb03964b25a77faf88f6c86119a9821

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
163KB

MD5
6f8f6bdd9c8228487d2beb67550b3654

SHA1
ae0273b96b85661bc16d6ec38665a679d655c29d

SHA256
2197807dcb0a73f1560e87657a6568c49dbe33a699984c609746ac553127f671

SHA512
979f47517f7c3dfec2fb05afa6baacda0554c8bead45a99eb864f123140f3b5cd413dacff94bd7ae9b9ecf15c0c3a1898760ba009a609fce478513e5afb30384

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
163KB

MD5
aa4159f3f22da16454209cce45412a5f

SHA1
c054f0330c5f60ba0d3bb8388c0bbedb1a29118f

SHA256
d9ed535bee6d18c94004c5a5809c88aedc56c961543e8921b9eee83fc2a33d29

SHA512
307a189a61e09e1eafd6b1e112c48253fb546c367fd6746f206a98bb59514631760b693d6a987e70c69021f305f8c013b90e5f3138cd5bbbbe6e9fecd7ef5430

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
163KB

MD5
65603d5c22974d60674c0c8f20e37aca

SHA1
0db72bb2db0a9bc08c13811e7ac9f2f01bf541a0

SHA256
440a34240fc3dbc0a1e09895ca7d48e706d22b96afda0d64b6e2057b37cc5870

SHA512
df8e901888c62df96587865b38e9a96e456b0aa42994f26843c41218590b5825faa64d97b3606b618ead85394bdf1e15305f2cbb45d14986bfd12e2a446452c7

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
163KB

MD5
fc7be9703f1d507c37377af8897b344a

SHA1
187c1e8c202db12327319470be8075c00b78b6bf

SHA256
25dd7dc1137ee7b859e6791d9beccd9ec0097b500fc6aed27fdf11636fd54006

SHA512
adb53e79f1108927116852e29fb949537a180b41d5029546ac903497a0518c73ae39bb91f1551bbf086401cfcdc999fe83b8e0e67169301ebca9b70c2fc9af7a

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
163KB

MD5
84cd64e67e0a54ddaa9aef32366ac83d

SHA1
1311121f7f2b9b625f601bf43ffab9dde56d73f4

SHA256
92bfc38c686f7c6679119e550823271d7a754ef58e6193a49cdfb18e349a99a5

SHA512
801217806f56400887935e2e0ed79dbc07c23eeaa9179822ce3192abdf9e53edc988855497d6f94b6eac135d7c14d6a51058bb5c9994540cf51ed0da4a6c933e

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
163KB

MD5
b6aef0816101a7b47e35f7e5a3758367

SHA1
5d3989111968390cca8cbb8178ebc3888468a795

SHA256
a868886f84fa0cf8112473b40a42b4537692064db61d39016072b8c5c9db80ae

SHA512
e01d473b4f5c91b19246692e1794822755808e88d32a54d68c67eca97d9dc1a0aa67ec563b23710b96f2fef0b8136771cee5acfcba60438e3e87c1b3d358d374

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
163KB

MD5
59ae59e036b9560ac4095229a387e288

SHA1
045f3e9f7b84104c0fa0c8bdd2b7e38d14a4bfa8

SHA256
351b57176cceb9134198cd2517350fd49c458df25f4b8a2fa165ae44fef8dcbb

SHA512
ac9795e25ed4077d3f178ce0cd32cd45fbea2f11d62c4f31043e80db6c6f3c72182e61e2c32519ad33820a44006fd4cd9c2d8c1b56c460111e2b14a21dc9dfd8

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
163KB

MD5
ec561d2e854bc05fb81bc553f0ce8a21

SHA1
274a8030840d5ece5f12a660823bac192f1f7157

SHA256
72c4de0d865e3a1526258c3574a0de799b7408fbd4c1a26ae3679585bc33f4f5

SHA512
bca033050940b3bb9f7b7237b2717c047e064ef7f770a255c61101de825aff66676ec0445288c5cf9d31c0d8719d950759f0f0b3eaac5420600fe11b704de6ac

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
163KB

MD5
3c1a0501a9c1125e6fee0f0ffcaac801

SHA1
4e17b616bde21847bd28fac95a19f13e67eb76cb

SHA256
c83a59451b641c878bdb4eab37bc99317c2116a3317ce9fb15c9015f7e2eb915

SHA512
44c856049eed1456098efb2be2b7897375511a3a7b3d4ffe2a015750c6f5ce6f52a0843c8389f9fe37e26b929d382b5f7e4788fcb885d884fc3b9d2dfdab1817

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
163KB

MD5
ab3dfbc2e7db2564458c9059beb401dd

SHA1
8950a380fdf2b9856186e64633444e6ee5a7b381

SHA256
dd5b24a0c96cbef076e4906de2574e616aa05ff19baddbdc5dcf670e5599dbc5

SHA512
11dd6e6f2f47fb1aad952ae030e06079b14e23fd9bcec8ad0ddeb767c134168479bfc5cf3d333775a66e9ebe00370bc12d381b5f2eb3c6fedc5a670f30f1e5b9

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
163KB

MD5
8155598729b88151307587fb129da5c5

SHA1
2678865067ffdc5f1c7b2414013fa5d44d69c633

SHA256
624a2e474f16b130f36939f80c7aaa623abc6e6203c2d301330efc1396e8324c

SHA512
bae2f40cf61144a90ad83a136838e38b02a7060fb59dffabb4627b8119fabf2737e94219043cab663163c887a3c1874e6e0d7e4c3d0a088f17cd6e102d2a99f4

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
163KB

MD5
3b6621c7210781d67ea5e885a513f60a

SHA1
f1d7b717af2e5bbd17c8de154791f7ce07cb52be

SHA256
f1e4fee07b2d26511e7c5ca8d994fcf60e3e9db9ebb65ae6e7a9e14b55323b02

SHA512
2f7745193db1b9880550233f87dcae78eb203120b15973726383a988f8a0a78b83b86e7593030f2d24b5b73acf9172535cd00a2f1b9db9396d4c8275025b0f02

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
163KB

MD5
ebb0f6746472de64a0bc2a34c669f585

SHA1
ec9396e8a66f1873aa8ec3b4fe2e9b09f6e156e4

SHA256
c3079ff2de0ac45362e83d21fe9077026d40815056d215abc1582c9735375ca1

SHA512
0c6e6cf73cab6e765c2e8997331e538bc41f9bf450a03e70b7be3a45a2e44ded8a34b9ddb383f92e04754e8286487f64253932541968d41745d1e82b0b621672

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
163KB

MD5
0ec26d88e4fee01c8d26005328c41374

SHA1
f2a632537dc604949a84c6f6a526d5de01afd6c0

SHA256
c7a23d034e3a6c52506b4da44a8d68e53d5286fca94245f0e6134a7e216642c4

SHA512
1978676150ce7dfe087131e21d034e47f92f08e0d330b775af1234cad8cc017db39798884b4be65f32e2b30bcdff8415e10d6abc399889d510d0183a0cd3c67d

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
163KB

MD5
357fbaad72e814e8ae22e47aab483cd6

SHA1
86a80df2642cd38a0d8e0df247d0a96a2d541726

SHA256
e0186afeef97a5b8853f884a2f58036511868107fa4574ddc4c68b5c479a2161

SHA512
26c0ffac515fc6c7fb96be5a41858cdf29ae2fad4bb3c7e10cd6763a759e9d7584d12268aa3f68a4722336ab13933b8903a048146a969f39c7dfca23f9e71e85

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
163KB

MD5
3eaa6394381a27091f7796cc0f96dbb9

SHA1
64e267ad10139c71a7c727be53c46fea107aa1b8

SHA256
904dc5c1ad6319ab49a7b7d56c476383cd923a372e2935f67169ab021fe8f0cf

SHA512
165126bf7c58f77fb97e9b7c5d3bd9b1c0cd2533d31c8043d448e64c0bbb158b380e9f6351bd7c6ea5943d5cc63e0f190948e1277cf97b61557907cd927099ff

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
163KB

MD5
17af9368d8478c8a435cd78f0be50b0b

SHA1
217b0fc7d5fb46ab381214a1dbc32eb0dbacd9c8

SHA256
c93c52e0e271abf8002bd0ea50f8834a60f2fc37aa0a740424aa4d750d55d076

SHA512
28b56bec2fb5b7897b42717df5be753aa7cfc827a1f0ad52f625dda333b9b826325db98659d8970d78b54f89ce22fca8b830d01f4a5a8e293a874bc1089f330b

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
163KB

MD5
4836bc0b383e992be62d80a66ed3d937

SHA1
48a5d3887a3576d4fe8a44c6888e2b21770aba93

SHA256
5044908ec4fab7d112b7b7f78bebc4908d47324e05d26bdd2914928df8105785

SHA512
93203a027d345c5c1895134ce71b0a6b29acc6d98c7dd11cd7a59db201503c26ffe59db49e20d068515f7daf84b24220dbbe700bd9d3818dfd290ab53e61d475

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
163KB

MD5
bb53061816a2af27e79b42cd28b73417

SHA1
6ed766dd701c76e1092c3f0d61465918c148c847

SHA256
693839aaeacb8f354a60060c3d31658c05629a8018a37719d8bd97d2ec3394c6

SHA512
69a51dd7e682722a13da557f95843eb28f8f523c385a55167b18866cb3bc1298af679e210a55a5b16b072dc8db1dabcaac3c70ae7f128795a5716be22d1918fa

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
163KB

MD5
92bb7ea87bf05902046f9640c84e8aed

SHA1
765e1de3ed9fcad2d43cbf8027e45f984c9e983b

SHA256
c33f859e4c22f8e97a7b4fabad97dc365ebca471a96eda3b66c50255b698f0b9

SHA512
cf6b127c28cc795f900ad237f909caea21f1bdf05b316f37ea558bae75abaf30d01c86369c492ce8206aa3b8a2c8d4f1975a94f8bc71ad38838b001fa5b760b6

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
163KB

MD5
4e398b03d66629ba5637529fe76fda28

SHA1
6e73f054b2a4792c91fd8079ad38cbfba07f9a72

SHA256
06bdf52a950e8b79d84f77f90d3f540cd8ee99026b41773a53c89c11bbadcff0

SHA512
f1e311f268aea15d457e26745867da1767ad9c8d2211384d4675f2ba8b8ac3fa4e1da0405e763301a590812daa483219b5be6d9dc8d6f1c93dd50be98552a116

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
163KB

MD5
1ee1b24ea9aade764c00d54eee8ea90a

SHA1
76af5857fdff9304aa4704071118831a67971e80

SHA256
8cb77841ee51404eb3c28d00d56ce2dd1d59db84b2e87dd9d6797f25be29f0f6

SHA512
eced00b9585d353a65e1a7dd08b722a7e2461a45e25ba1c2a676525a36bdadb4c8efbdfac1acdadd431e5723d63a69e71c220257c281ef8607edc4227f3b9c73

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
163KB

MD5
3e6d8914b8946f761c60b04aed18a524

SHA1
28cfa26b7f6fef90a7b1c9cafaa4bf357fe2d85c

SHA256
641a6c261627039a254b0d97fc17b8469d81506cc5857c308d230695a5880e63

SHA512
479ca6d331f13143a389acf42491a9be63f104a0cccbe54b2516f9877765b5aa07abc013568241e8c6de2e72a2421cc81bd3f79384175be53a41246f9a8a987f

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
163KB

MD5
d37a40393b055d590e0ea17ab13c37c8

SHA1
d60387cccf35761bd5e00be501a69847457a9db0

SHA256
baabc90800bb7667fa89d3a115e50f22b29edd6d5a125aa826fb8c81b89caf54

SHA512
bde52c83c73b8e817edca674fa85c827b0c10285ea2625fff422d59a120b6e3d711c7974efb91b5a876ef51c5ddcda690367ff48ef6f96115aa85ef58342ee7d

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
163KB

MD5
b52fc6f938f7bd59853f96f2dd95435e

SHA1
5736fef90f832443c36eabc57aac635f6ef0ceae

SHA256
349d9a2fb01ac7956fd39dd8d984239cda40cf7803b44b9adea4862d0c604ef7

SHA512
014bdc5f83cbd1255c725b979722e2b416b308fb3144140150adffd8a3a14bbf1074eb35398f4689503a3d4aa457c3de7a6890bcb39d94e40ae55b6b3b67ed3e

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
163KB

MD5
8d7dfe3d032cf4457e717c6904728aeb

SHA1
739ed6f417bdb11101974d60f4c62d0ad7d4beb3

SHA256
fe2b2809c94b3c10e5fe940588aa6e305588adc2da2f7591a4268c743227b112

SHA512
f0f18295184a5a441c27cf36cfab2226480342b9e7775c261b0c226b23664246f53714216d2e8886ab0974cc0aed7b622fb496791da8c42a54dc307a0c116447

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
163KB

MD5
d7d59cf2df12d9058fb17d19d70216a0

SHA1
16dde2c62b2f8a3a7ebff6f10ce8a73beeafd9fd

SHA256
ee62a9eb484e5db3647b6508efcd14ab3709c26f557a1fc40422ee0077b6c950

SHA512
ccad981a948542f35170f87dee60a8d1dd955395078c1fd5c6c060ce3b219d05340ec91ff6ac23c9089b76887c1cb579bc81284949242cc01e74f987760a6457

Download Submit
memory/220-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/220-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/620-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/620-244-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/724-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/724-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/740-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/740-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/744-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/744-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1012-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1012-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1212-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1212-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1220-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1220-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1364-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1364-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1452-294-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1452-205-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-222-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-291-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1824-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1824-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1864-327-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1864-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2368-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2368-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2496-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2496-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2552-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2552-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2976-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2976-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3128-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3128-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3128-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3360-284-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3360-252-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3548-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3548-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3600-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3600-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-278-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3852-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3852-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3920-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3920-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3992-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3992-190-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4028-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4028-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4132-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4132-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4220-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4220-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-288-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4520-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4520-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4588-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4588-276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4656-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4656-182-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4804-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4804-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads