berbew | fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d

Analysis

max time kernel
135s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
Size

163KB
MD5

2196886b8f0914ac13fe92b26e77649c
SHA1

5ee87522e6aee528948569ff34dc01cf77a408d2
SHA256

fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d
SHA512

341c138bc1eaacaa647e9bac46bfba69117d12cef72cadba3ab80556829db7c47f700269578709c7e21608c23d2ffd5cb2b6dbb47c7d141f6ee19931faed8997
SSDEEP

1536:PYJljc3ICD/dat4zBZHdjcjRJ44UllProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:ADbCRatGZCIrlltOrWKDBr+yJb

Score

10^/10

berbew bruteratel gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bb7-160.dat	family_bruteratel

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 37 IoCs

pid	Process
436	Beihma32.exe
1616	Bhhdil32.exe
5060	Bjfaeh32.exe
3788	Chjaol32.exe
4484	Cfmajipb.exe
1548	Cenahpha.exe
3480	Cfpnph32.exe
3276	Cmiflbel.exe
4516	Cdcoim32.exe
208	Cmlcbbcj.exe
4860	Cdfkolkf.exe
1296	Cnkplejl.exe
2920	Cmnpgb32.exe
452	Cjbpaf32.exe
680	Cmqmma32.exe
3004	Ddjejl32.exe
976	Danecp32.exe
3032	Dhhnpjmh.exe
1180	Dmefhako.exe
1136	Ddonekbl.exe
4600	Dkifae32.exe
4024	Dodbbdbb.exe
2028	Daconoae.exe
4816	Deokon32.exe
1404	Dhmgki32.exe
2044	Dfpgffpm.exe
2148	Dkkcge32.exe
4660	Dogogcpo.exe
2456	Dmjocp32.exe
4460	Daekdooc.exe
1312	Deagdn32.exe
5076	Dddhpjof.exe
3312	Dhocqigp.exe
3892	Dgbdlf32.exe
4424	Dknpmdfc.exe
3748	Doilmc32.exe
4592	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3888	4592	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 436	4332	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe	84
PID 4332 wrote to memory of 436	4332	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe	84
PID 4332 wrote to memory of 436	4332	fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe	84
PID 436 wrote to memory of 1616	436	Beihma32.exe	85
PID 436 wrote to memory of 1616	436	Beihma32.exe	85
PID 436 wrote to memory of 1616	436	Beihma32.exe	85
PID 1616 wrote to memory of 5060	1616	Bhhdil32.exe	86
PID 1616 wrote to memory of 5060	1616	Bhhdil32.exe	86
PID 1616 wrote to memory of 5060	1616	Bhhdil32.exe	86
PID 5060 wrote to memory of 3788	5060	Bjfaeh32.exe	87
PID 5060 wrote to memory of 3788	5060	Bjfaeh32.exe	87
PID 5060 wrote to memory of 3788	5060	Bjfaeh32.exe	87
PID 3788 wrote to memory of 4484	3788	Chjaol32.exe	88
PID 3788 wrote to memory of 4484	3788	Chjaol32.exe	88
PID 3788 wrote to memory of 4484	3788	Chjaol32.exe	88
PID 4484 wrote to memory of 1548	4484	Cfmajipb.exe	89
PID 4484 wrote to memory of 1548	4484	Cfmajipb.exe	89
PID 4484 wrote to memory of 1548	4484	Cfmajipb.exe	89
PID 1548 wrote to memory of 3480	1548	Cenahpha.exe	90
PID 1548 wrote to memory of 3480	1548	Cenahpha.exe	90
PID 1548 wrote to memory of 3480	1548	Cenahpha.exe	90
PID 3480 wrote to memory of 3276	3480	Cfpnph32.exe	91
PID 3480 wrote to memory of 3276	3480	Cfpnph32.exe	91
PID 3480 wrote to memory of 3276	3480	Cfpnph32.exe	91
PID 3276 wrote to memory of 4516	3276	Cmiflbel.exe	92
PID 3276 wrote to memory of 4516	3276	Cmiflbel.exe	92
PID 3276 wrote to memory of 4516	3276	Cmiflbel.exe	92
PID 4516 wrote to memory of 208	4516	Cdcoim32.exe	94
PID 4516 wrote to memory of 208	4516	Cdcoim32.exe	94
PID 4516 wrote to memory of 208	4516	Cdcoim32.exe	94
PID 208 wrote to memory of 4860	208	Cmlcbbcj.exe	95
PID 208 wrote to memory of 4860	208	Cmlcbbcj.exe	95
PID 208 wrote to memory of 4860	208	Cmlcbbcj.exe	95
PID 4860 wrote to memory of 1296	4860	Cdfkolkf.exe	96
PID 4860 wrote to memory of 1296	4860	Cdfkolkf.exe	96
PID 4860 wrote to memory of 1296	4860	Cdfkolkf.exe	96
PID 1296 wrote to memory of 2920	1296	Cnkplejl.exe	97
PID 1296 wrote to memory of 2920	1296	Cnkplejl.exe	97
PID 1296 wrote to memory of 2920	1296	Cnkplejl.exe	97
PID 2920 wrote to memory of 452	2920	Cmnpgb32.exe	99
PID 2920 wrote to memory of 452	2920	Cmnpgb32.exe	99
PID 2920 wrote to memory of 452	2920	Cmnpgb32.exe	99
PID 452 wrote to memory of 680	452	Cjbpaf32.exe	100
PID 452 wrote to memory of 680	452	Cjbpaf32.exe	100
PID 452 wrote to memory of 680	452	Cjbpaf32.exe	100
PID 680 wrote to memory of 3004	680	Cmqmma32.exe	101
PID 680 wrote to memory of 3004	680	Cmqmma32.exe	101
PID 680 wrote to memory of 3004	680	Cmqmma32.exe	101
PID 3004 wrote to memory of 976	3004	Ddjejl32.exe	102
PID 3004 wrote to memory of 976	3004	Ddjejl32.exe	102
PID 3004 wrote to memory of 976	3004	Ddjejl32.exe	102
PID 976 wrote to memory of 3032	976	Danecp32.exe	104
PID 976 wrote to memory of 3032	976	Danecp32.exe	104
PID 976 wrote to memory of 3032	976	Danecp32.exe	104
PID 3032 wrote to memory of 1180	3032	Dhhnpjmh.exe	105
PID 3032 wrote to memory of 1180	3032	Dhhnpjmh.exe	105
PID 3032 wrote to memory of 1180	3032	Dhhnpjmh.exe	105
PID 1180 wrote to memory of 1136	1180	Dmefhako.exe	106
PID 1180 wrote to memory of 1136	1180	Dmefhako.exe	106
PID 1180 wrote to memory of 1136	1180	Dmefhako.exe	106
PID 1136 wrote to memory of 4600	1136	Ddonekbl.exe	107
PID 1136 wrote to memory of 4600	1136	Ddonekbl.exe	107
PID 1136 wrote to memory of 4600	1136	Ddonekbl.exe	107
PID 4600 wrote to memory of 4024	4600	Dkifae32.exe	108

C:\Users\Admin\AppData\Local\Temp\fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe
"C:\Users\Admin\AppData\Local\Temp\fad4c038749bfd1f6ffcc06685e8f763be1ba6cfad302dbcc92a88759965469d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\SysWOW64\Beihma32.exe
  C:\Windows\system32\Beihma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\Bhhdil32.exe
    C:\Windows\system32\Bhhdil32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\Bjfaeh32.exe
      C:\Windows\system32\Bjfaeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
      - C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 396
        39⤵
        Program crash
        
        PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4592 -ip 4592
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beihma32.exe

Filesize
163KB

MD5
7990e90f5848114c93da9d5de7b6f0ff

SHA1
d01b65529a9310e37a482cf075b707518afa58ee

SHA256
ccbe5324ca0914950150e524f86911f9c182435f81f1e9661ac75fa265913b89

SHA512
01e3ee6b7acde8d8b2ed17ae16e6e53a5c92354d92265e7acd84d1959b96134cd5a12e33547326a504bf6ea73de545063622d4f188548ae082e527710322297e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
163KB

MD5
0f4fcf86c79d5797d30a53e2e7c7e656

SHA1
34af3e9187608dcca41d6efe6a959e2ffa350c82

SHA256
653c801d5a38079cb8763998683d68440c8e4349553683a99cc482632f33517d

SHA512
4253588d327caab3a15eccc3f3e837fe77d80e917787196b74f52d90d9f1cc4789e03d199433ee4e166c9824a88c138d5427d09be15e0567adff741a3f3233f0

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
163KB

MD5
8fc17c3077471df83edde4fbe275b98e

SHA1
d89490a30357420a05ee01c34fedf109754ac688

SHA256
b03155e1a0129bf8786c10a1d7cbc3376936f7ee7436063ff9b6c1d572b4255d

SHA512
fb4b21572fabe1bc4c8bf2ec96b24b10ae3ea0c530506d7e780008c2870fccfa5ec44cd6111713ef147a592cf0055046478199600684f4269b164916ab4b0ec3

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
163KB

MD5
e0db4aee6cb1837af60b934fd36ad0ee

SHA1
8f16fdb309fdac5f5b0db5e84f4b8400c11bbddc

SHA256
3a717a04b95de9f111c095fb99d3a9cad35ca20aa72cea9da015d542e816de7d

SHA512
e29a9ef72bc30d468de367bc973a97240d448f92d658575847c30e1149026c025023ea03515a08faf9528b2fe939a3ff32b4f96f2f37a0c6f06818850a4d2f50

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
163KB

MD5
66a9b5e8670f250fcdfb95b4842585f8

SHA1
d79a7bf3ba89a7922227fd044e2aed5632f0d794

SHA256
705dece08143d1a7f282a83d8b3a72b3cb5beb32eef8719c016cb09f955b8d40

SHA512
96275a0b7eb5b0367eb76bdf968f0fc7cf42432559d0386c03e2ac95dd93b495fb9af11159df8dec426d459e21134b1914a996d3999a0481e6bcb2c0cbaad792

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
163KB

MD5
a3059b3c88fcc0d4da53ed0f432bd2ea

SHA1
cb7038f21b1e9de23163e6ce2875bc09a83ae83e

SHA256
002f0d70615076a7bc8f5750b83979d05290e563c1f9be710a3fdfe7f317565a

SHA512
b7f97c25d760751cf3d1c910308e34bc39d1ea198eb06c81ba7a9d3e0ef42f2c16cdc191c63765f04e4ff7ef19c0304a4ef996f02d8317fff5d64ec72d5e0d47

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
163KB

MD5
4d69c6d4b392114d3e785d2b17890b73

SHA1
77bf9aec6ec7ae017892576d9aa5fd4e3eb591c7

SHA256
4fcc52fcbf50d8c44ad9d4a369fcc13bc4bb9f6a867c5f9070135181fe0653b7

SHA512
3fc0165a78eaa4ad9df0cb397cd88d8e61da979866c032b98e47e6e92710402ed2fa5533feceeeb7558c862a488d1b0bfd0de4b45ff9208daed7e3877eaae07f

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
163KB

MD5
4a645d7cadf1f28b5d110f41a2b11ad4

SHA1
b37e62bbcb9cb630706823471cd521a6cee6e71c

SHA256
386d34fa57cab55b2d16eb0bdd79668584ae140cbbcd7221a652d6b51bfaf680

SHA512
9444e93a63857088d53ff010255ea82963d42e124179372c15f349973c3bc83a0fbf63e6258f1e723082f3ceb625eb44cbeb9725f38d583157f44004dc10549f

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
163KB

MD5
ab8dc3c1faa75dd2d0b60c0af8504111

SHA1
0a3d8b03e1f70f7f77c113307e0dc9f3cfba6525

SHA256
e85409847f8f637087b3673ca6289b1901a98746a6dcb33fd8c04a3784928e54

SHA512
a9060b72ff066f54bcd0fca5da226e7efe71ed020340958417ee5cb0a729a6fac9c362de40cc78412441e30ba7a7c8c39fa49372500aa2050c9c9863bc089cbc

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
163KB

MD5
ab3dfbc2e7db2564458c9059beb401dd

SHA1
8950a380fdf2b9856186e64633444e6ee5a7b381

SHA256
dd5b24a0c96cbef076e4906de2574e616aa05ff19baddbdc5dcf670e5599dbc5

SHA512
11dd6e6f2f47fb1aad952ae030e06079b14e23fd9bcec8ad0ddeb767c134168479bfc5cf3d333775a66e9ebe00370bc12d381b5f2eb3c6fedc5a670f30f1e5b9

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
163KB

MD5
5b384ef087044efef5101d4be74c94eb

SHA1
361482247ba3e41fb8f5c341409c47be3fdfc096

SHA256
3be8a4b305e16199c58f935503442d23ae8f6def5101cc0e59a9b5922ac55837

SHA512
748d326be249b3ad2382e512edc4948c61cc095b7599ea318fdd11d7a881ddc50ef6b53ce61f7a9a073bd12d222a313e06fcb0d144fcfbdae7bb2ce75f2ba9b1

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
163KB

MD5
65992d127f2d5bb0134bd7926f8ed07c

SHA1
02cded87d04c2357da0aad338f181d6b960bc4c7

SHA256
d13ae754114f417f4f54dd3adb7f7f3e364d69d26d702401378d75abf00e1f69

SHA512
399b5011a7f2aaef2236696f83a5a20243834cc86509bd2e2a5ab64070377c8b699160af5463a90d53fb043fb4393034d4f4ddfb12eec55b56a0a68c673030e3

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
163KB

MD5
80df395a6d8c8e7997dea35a53a638c4

SHA1
5da601acaeef3b23d7636f53d9648d69e2294ebc

SHA256
97693bb334139526f28b60f255dbe33d52a357a27afcdbf7e4588b7ad492f3c6

SHA512
3afd55b676dbe498d68be2e8c2f0f7148ada68e929682c975e73a4aba89f334681cff0d1167cb156fe8e8b3d54d6be73a7f329b83c0979502189d990efcab79e

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
163KB

MD5
b5cc895fca46fa1bc7a85f1e8d1e8fb1

SHA1
0eb28887c4ebcbd89cc128b57b4c6f4e5c5f361b

SHA256
171217c3a2b2e8ef9e439d3e82e6cf9bda79613122ddfd159f34d5edda39bd05

SHA512
2ee1dd0bd815c3580b9e78a4c129de4044e4119b0d87ef776752dd602f67bf4072fd2f1686e463e4cd5e73fbc1c1bc8bbabda037560b10a3a470c118df84dd59

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
163KB

MD5
31801c5fe748e1877eccda1691699aa8

SHA1
36c91a5e2576c64de5dda235328424a8c315ff00

SHA256
d10b2c632c045a6b6d7cc263794c5044f367b6e6a5d4cfa899f31baad8ff0a60

SHA512
f3bebd7f1b6b6d577b970d58a122eabf48680c09c5a2e961704ef340f342f98b8d2a7c98729888f9260249697b64b16322d66362e1ebb596cd8bf585fba1c0b4

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
163KB

MD5
7612db57e78bd3bf5f2cbeab3d32c451

SHA1
095a02f5b9fb5f7e3db063d7930b4cba9cee19f3

SHA256
8e86eeffd566676e9eecc67d06d26c8f0b0451b67b8737358b60d77b95f276db

SHA512
8b30f60ee091b8e2b239848e9a34681f326128043cf476ce6a1f0311d1eb7d6210cdb9f538eb78c920b8f74c77371fd6ccf942cf6004ec7e6515f7c069e374f4

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
163KB

MD5
63a28cfd5acc1975455a8cc5609fbee0

SHA1
7b5ad340e1955863cbc51a4f254fb38f2ae9114f

SHA256
db0840d783ca71383a7a5943f822657d88750211fd1d6b308fe61ec35c392d71

SHA512
b4eec2e44ffb07833a70ec593d8b75917bf4dae5a52320fac69d2696e756d2882a01052ed1bb3759c72c1306292648270ff8780787c3b80e515d7128d0d28f39

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
163KB

MD5
3dbfff4ee48fdd12c3fa2122cbb4bbac

SHA1
bbdaad1b1b703caf2706c44c791e20b91388893d

SHA256
ebbb756953aeb80c6067264954a126693701c84d3b4aa669518f4a7cea08ab76

SHA512
06c86db24568d26739abca409c20a92f6e8fcdbf8db30806eb9930c430fdeea7a7844cadc55b35f5d84df557c3074900fbf3cf72f29fa0aa46491acec4a92d9c

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
163KB

MD5
f1ec121246128edc629aa7c32d3127bd

SHA1
d394019b369e6458d3b7da6269987ca4b32aeb53

SHA256
c45a91a3de83d2420fab2b5349b281648da39b86c7e104f70b7e47b70a3f937c

SHA512
3bd5e3cf9435da7487031b897b4ef1a8362ef9b92a6a20b26d0674b13ee53ab9306ff9dabdc638319cd34dd7b9a39c2ad16f47fd42dc5c768b462dd34ff71320

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
163KB

MD5
9ce421373f9ff5af32ea691d6cc1a02c

SHA1
a672fafd3b5c484bf20b3a4419cc722110155107

SHA256
01cb8119567e1684ca6f5ac256bb64583ff4330b28694e9b8d89435578b5fbcf

SHA512
9c519549efb4d9f9f2e29d99148de61821ba69fb5ecd2a67731d9745be1357f9b2120ef3d393ec61375590dfb24481f261b3eea9e04cd41281d7bafdeea9ed09

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
163KB

MD5
40eef73f1e80a3f351e7fc06d0a2dc6c

SHA1
5274c08dbfebb8e3f65a75e7a1ed49e78385ba9e

SHA256
583f0279787b8b84f00cafcfcdae00b7f5d2e64f69d4ede599b95c83f8264ba4

SHA512
86d3a86508c0313890a48637e0d4dc2c5664126fa0c1b2f4b8942f4fd76ab33883dcb5affd0d391237d0e1ca00783180adfaf3c424a070895c3883f6cc19c624

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
163KB

MD5
a6e2ab349bd9db477f37d1e093ce8fa3

SHA1
9b215480fde3f8ae19a2ac418623a83884698af8

SHA256
e7d54504154931473e390782ea800271dc978c7e98af232a6f7db08c8f1e88d0

SHA512
e15820f0def9b95b09b4c708208b03068aef810485ffaee79b698e69af3f4e5d5b68da49afef068f5e7bc1bac003f5b7cb97d79d487ab4f0cf2118ea983f9370

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
163KB

MD5
17af9368d8478c8a435cd78f0be50b0b

SHA1
217b0fc7d5fb46ab381214a1dbc32eb0dbacd9c8

SHA256
c93c52e0e271abf8002bd0ea50f8834a60f2fc37aa0a740424aa4d750d55d076

SHA512
28b56bec2fb5b7897b42717df5be753aa7cfc827a1f0ad52f625dda333b9b826325db98659d8970d78b54f89ce22fca8b830d01f4a5a8e293a874bc1089f330b

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
163KB

MD5
3ee00ff21c68aeaf69b58482410f2d33

SHA1
c292a5597efcfb57d347c19ce45dea1b310f9512

SHA256
a2a10e11d1b39c1cda9f72339df42272cad7cf9d19a6e34d2a98161c78dacd4f

SHA512
f5e6b5cb8a2c8cb812c067248eb5ea571e99c62490ebd7c1160ec8a7419df34eb3144613175a3e8ed09c1c33180048b46d196df9b53361948ac4e00bec7b83f6

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
163KB

MD5
536898eac627220beb73716ab5a31011

SHA1
26ff5561332ff6a284f65a3fb385cd3c5c4846fa

SHA256
f43712f04214a0d9fad9683d0622838ceccf4657fa6b275cbf6d70ee5d553e71

SHA512
da2dbae6fd189cb1484e13965febc5e8428c830a4491b38420fb56edaaa2b470eaaa1f97e0549b8818c900324da6a0d84743489c1693bad1365acb541a5535ab

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
163KB

MD5
1ee1b24ea9aade764c00d54eee8ea90a

SHA1
76af5857fdff9304aa4704071118831a67971e80

SHA256
8cb77841ee51404eb3c28d00d56ce2dd1d59db84b2e87dd9d6797f25be29f0f6

SHA512
eced00b9585d353a65e1a7dd08b722a7e2461a45e25ba1c2a676525a36bdadb4c8efbdfac1acdadd431e5723d63a69e71c220257c281ef8607edc4227f3b9c73

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
163KB

MD5
4520fd4cc0cb8d383baafa1436c82e1e

SHA1
d973f3c4331e03ad4b430813e7dc442a74b3b4a0

SHA256
d031b5a1be60d6469c7c04378ef5eecf801a9896df885b4c0b77b51d1e3bcc3e

SHA512
ebd987144cd8afd4086664da7e2121031264248d5dfb2b501083eec2e45fd88f0533ce9840a5ff60a7f2f44b92bd06e94fc8701d5542beebc7329e84019ff93c

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
163KB

MD5
3e6d8914b8946f761c60b04aed18a524

SHA1
28cfa26b7f6fef90a7b1c9cafaa4bf357fe2d85c

SHA256
641a6c261627039a254b0d97fc17b8469d81506cc5857c308d230695a5880e63

SHA512
479ca6d331f13143a389acf42491a9be63f104a0cccbe54b2516f9877765b5aa07abc013568241e8c6de2e72a2421cc81bd3f79384175be53a41246f9a8a987f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
163KB

MD5
b52fc6f938f7bd59853f96f2dd95435e

SHA1
5736fef90f832443c36eabc57aac635f6ef0ceae

SHA256
349d9a2fb01ac7956fd39dd8d984239cda40cf7803b44b9adea4862d0c604ef7

SHA512
014bdc5f83cbd1255c725b979722e2b416b308fb3144140150adffd8a3a14bbf1074eb35398f4689503a3d4aa457c3de7a6890bcb39d94e40ae55b6b3b67ed3e

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
163KB

MD5
eb4248e6cd7d41639ae0a10b546d8bc5

SHA1
2f49625fe2246d597fd324f27ffe598aae72243b

SHA256
a7fd0fcb07b3168cade80a5ca1b664825b5b4f620b5fbf3a919f58f11f577887

SHA512
ac83de84eb23b024d8e41fd4dab7e84a2d3006b6bfe8f87c69e4bf74a317c8f742bed0587daff4b72c157658a5e8d85e086a53b9c7abee9d0a2015f12628dfb7

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
163KB

MD5
8d7dfe3d032cf4457e717c6904728aeb

SHA1
739ed6f417bdb11101974d60f4c62d0ad7d4beb3

SHA256
fe2b2809c94b3c10e5fe940588aa6e305588adc2da2f7591a4268c743227b112

SHA512
f0f18295184a5a441c27cf36cfab2226480342b9e7775c261b0c226b23664246f53714216d2e8886ab0974cc0aed7b622fb496791da8c42a54dc307a0c116447

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
163KB

MD5
d7d59cf2df12d9058fb17d19d70216a0

SHA1
16dde2c62b2f8a3a7ebff6f10ce8a73beeafd9fd

SHA256
ee62a9eb484e5db3647b6508efcd14ab3709c26f557a1fc40422ee0077b6c950

SHA512
ccad981a948542f35170f87dee60a8d1dd955395078c1fd5c6c060ce3b219d05340ec91ff6ac23c9089b76887c1cb579bc81284949242cc01e74f987760a6457

Download Submit
memory/208-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/208-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/436-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/436-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/452-332-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/452-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/680-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/680-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/976-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/976-326-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1136-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1136-320-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1180-158-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1180-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1312-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1312-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1548-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1548-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1616-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1616-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2028-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2028-314-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2044-308-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2044-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2148-276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2148-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2456-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2456-278-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2920-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2920-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3004-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3004-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3276-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3276-344-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3312-294-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3480-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3480-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3748-283-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3748-288-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3788-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3788-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3892-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4024-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4024-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4332-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4332-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4332-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4424-290-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4460-300-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4460-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4484-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4484-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4516-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4516-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4592-284-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4592-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4600-173-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4600-318-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-277-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-304-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4816-312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-338-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5060-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5060-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5076-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5076-296-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads