berbew | 60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
Size

180KB
MD5

03970828f26f4ac7d7cd39286185de01
SHA1

eb965897db1f630fedf642af3644e71330c84e04
SHA256

60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41
SHA512

b67998cb07aed7dc70f2071d1b1f4aee2d8866b58a770f9b09b74ebcbb38413140d091d1563aa4b237f26c28846ad8e6e7253314a6f74320673399e9b5ca7d8e
SSDEEP

3072:bReNvzTvzKfC3g5uoRe7a6miE6Wj4/glEeqZYLtLw32NX/qs/YTJv1tFk+Fkkujl:d8TvzKfC3otU7LdE6D/gaeFq32NX/qsH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eifobe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eclcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmmffgn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eclcon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgqion32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emdhhdqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmiejji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfcmlg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcmlg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doqkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdjno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbadagln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmiejji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coladm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Einebddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epnkip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmchcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgqion32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncolfcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncolfcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmmffgn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doqkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Einebddd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 30 IoCs

pid	Process
2676	Bceeqi32.exe
2760	Bdfahaaa.exe
2092	Bhdjno32.exe
2600	Camnge32.exe
2992	Cncolfcl.exe
2016	Ccqhdmbc.exe
2280	Cccdjl32.exe
2932	Cjmmffgn.exe
2532	Cfcmlg32.exe
1656	Coladm32.exe
2324	Dhdfmbjc.exe
1176	Dcjjkkji.exe
2008	Doqkpl32.exe
1324	Ddmchcnd.exe
2032	Dbadagln.exe
1348	Djmiejji.exe
2504	Dgqion32.exe
996	Ecgjdong.exe
1864	Epnkip32.exe
2628	Egebjmdn.exe
1000	Eifobe32.exe
2104	Eclcon32.exe
1204	Efjpkj32.exe
2900	Emdhhdqb.exe
2780	Efmlqigc.exe
2552	Elieipej.exe
1584	Einebddd.exe
2820	Fnjnkkbk.exe
2564	Fipbhd32.exe
2548	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
880	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
880	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
2676	Bceeqi32.exe
2676	Bceeqi32.exe
2760	Bdfahaaa.exe
2760	Bdfahaaa.exe
2092	Bhdjno32.exe
2092	Bhdjno32.exe
2600	Camnge32.exe
2600	Camnge32.exe
2992	Cncolfcl.exe
2992	Cncolfcl.exe
2016	Ccqhdmbc.exe
2016	Ccqhdmbc.exe
2280	Cccdjl32.exe
2280	Cccdjl32.exe
2932	Cjmmffgn.exe
2932	Cjmmffgn.exe
2532	Cfcmlg32.exe
2532	Cfcmlg32.exe
1656	Coladm32.exe
1656	Coladm32.exe
2324	Dhdfmbjc.exe
2324	Dhdfmbjc.exe
1176	Dcjjkkji.exe
1176	Dcjjkkji.exe
2008	Doqkpl32.exe
2008	Doqkpl32.exe
1324	Ddmchcnd.exe
1324	Ddmchcnd.exe
2032	Dbadagln.exe
2032	Dbadagln.exe
1348	Djmiejji.exe
1348	Djmiejji.exe
2504	Dgqion32.exe
2504	Dgqion32.exe
996	Ecgjdong.exe
996	Ecgjdong.exe
1864	Epnkip32.exe
1864	Epnkip32.exe
2628	Egebjmdn.exe
2628	Egebjmdn.exe
1000	Eifobe32.exe
1000	Eifobe32.exe
2104	Eclcon32.exe
2104	Eclcon32.exe
1204	Efjpkj32.exe
1204	Efjpkj32.exe
2900	Emdhhdqb.exe
2900	Emdhhdqb.exe
2780	Efmlqigc.exe
2780	Efmlqigc.exe
2552	Elieipej.exe
2552	Elieipej.exe
1584	Einebddd.exe
1584	Einebddd.exe
2820	Fnjnkkbk.exe
2820	Fnjnkkbk.exe
2564	Fipbhd32.exe
2564	Fipbhd32.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Eclcon32.exe	Eifobe32.exe
File created	C:\Windows\SysWOW64\Cefllkej.dll	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
File created	C:\Windows\SysWOW64\Djmiejji.exe	Dbadagln.exe
File created	C:\Windows\SysWOW64\Peqiahfi.dll	Dbadagln.exe
File created	C:\Windows\SysWOW64\Elfkmcdp.dll	Djmiejji.exe
File opened for modification	C:\Windows\SysWOW64\Ecgjdong.exe	Dgqion32.exe
File created	C:\Windows\SysWOW64\Bdfahaaa.exe	Bceeqi32.exe
File created	C:\Windows\SysWOW64\Bhdjno32.exe	Bdfahaaa.exe
File opened for modification	C:\Windows\SysWOW64\Cjmmffgn.exe	Cccdjl32.exe
File opened for modification	C:\Windows\SysWOW64\Cfcmlg32.exe	Cjmmffgn.exe
File opened for modification	C:\Windows\SysWOW64\Efmlqigc.exe	Emdhhdqb.exe
File created	C:\Windows\SysWOW64\Jmhdkakc.dll	Cfcmlg32.exe
File created	C:\Windows\SysWOW64\Dbadagln.exe	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Hhejoigh.dll	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Fnjnkkbk.exe	Einebddd.exe
File opened for modification	C:\Windows\SysWOW64\Dhdfmbjc.exe	Coladm32.exe
File opened for modification	C:\Windows\SysWOW64\Dbadagln.exe	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Fipbhd32.exe	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Cccdjl32.exe	Ccqhdmbc.exe
File created	C:\Windows\SysWOW64\Bnfoepmg.dll	Eclcon32.exe
File created	C:\Windows\SysWOW64\Cncolfcl.exe	Camnge32.exe
File created	C:\Windows\SysWOW64\Dgqion32.exe	Djmiejji.exe
File created	C:\Windows\SysWOW64\Eifobe32.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Ieoeff32.dll	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Jcngcc32.dll	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Cfcmlg32.exe	Cjmmffgn.exe
File opened for modification	C:\Windows\SysWOW64\Elieipej.exe	Efmlqigc.exe
File opened for modification	C:\Windows\SysWOW64\Bceeqi32.exe	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
File created	C:\Windows\SysWOW64\Iidbakdl.dll	Cncolfcl.exe
File created	C:\Windows\SysWOW64\Ecgjdong.exe	Dgqion32.exe
File created	C:\Windows\SysWOW64\Diaalggp.dll	Dgqion32.exe
File created	C:\Windows\SysWOW64\Efjpkj32.exe	Eclcon32.exe
File created	C:\Windows\SysWOW64\Eclcon32.exe	Eifobe32.exe
File created	C:\Windows\SysWOW64\Nmkmnp32.dll	Elieipej.exe
File created	C:\Windows\SysWOW64\Ccqhdmbc.exe	Cncolfcl.exe
File opened for modification	C:\Windows\SysWOW64\Doqkpl32.exe	Dcjjkkji.exe
File created	C:\Windows\SysWOW64\Pnenhc32.dll	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Egebjmdn.exe	Epnkip32.exe
File opened for modification	C:\Windows\SysWOW64\Egebjmdn.exe	Epnkip32.exe
File opened for modification	C:\Windows\SysWOW64\Eifobe32.exe	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Efjpkj32.exe	Eclcon32.exe
File created	C:\Windows\SysWOW64\Almpdj32.dll	Efjpkj32.exe
File created	C:\Windows\SysWOW64\Lgdojnle.dll	Bceeqi32.exe
File created	C:\Windows\SysWOW64\Fopknnaa.dll	Bdfahaaa.exe
File created	C:\Windows\SysWOW64\Qaemlqhb.dll	Cjmmffgn.exe
File opened for modification	C:\Windows\SysWOW64\Dcjjkkji.exe	Dhdfmbjc.exe
File created	C:\Windows\SysWOW64\Epnkip32.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Ngbpoo32.dll	Epnkip32.exe
File created	C:\Windows\SysWOW64\Mgnedp32.dll	Eifobe32.exe
File created	C:\Windows\SysWOW64\Emdhhdqb.exe	Efjpkj32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfahaaa.exe	Bceeqi32.exe
File created	C:\Windows\SysWOW64\Camnge32.exe	Bhdjno32.exe
File opened for modification	C:\Windows\SysWOW64\Ccqhdmbc.exe	Cncolfcl.exe
File created	C:\Windows\SysWOW64\Coladm32.exe	Cfcmlg32.exe
File created	C:\Windows\SysWOW64\Apafhqnp.dll	Dcjjkkji.exe
File opened for modification	C:\Windows\SysWOW64\Fnjnkkbk.exe	Einebddd.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fipbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cncolfcl.exe	Camnge32.exe
File created	C:\Windows\SysWOW64\Cljamifd.dll	Ccqhdmbc.exe
File created	C:\Windows\SysWOW64\Cjmmffgn.exe	Cccdjl32.exe
File created	C:\Windows\SysWOW64\Ddmchcnd.exe	Doqkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Epnkip32.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Elieipej.exe	Efmlqigc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2604	2548	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einebddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmchcnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclcon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emdhhdqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfahaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqhdmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmiejji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgqion32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efjpkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncolfcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmlqigc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdfmbjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbadagln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceeqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cccdjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcmlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camnge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmmffgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doqkpl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidbakdl.dll"	Cncolfcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhejoigh.dll"	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eclcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfcmlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnenhc32.dll"	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdojnle.dll"	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelafe32.dll"	Bhdjno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmchcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmchcnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoeff32.dll"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cncolfcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdkakc.dll"	Cfcmlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfkmcdp.dll"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefllkej.dll"	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peqiahfi.dll"	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elieipej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nceqcnpi.dll"	Doqkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll"	Epnkip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoedaep.dll"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncolfcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booqgija.dll"	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almpdj32.dll"	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll"	Elieipej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Camnge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eclcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Einebddd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaaie32.dll"	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll"	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaalggp.dll"	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll"	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopknnaa.dll"	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdimmi.dll"	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmmffgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doqkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmiejji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljamifd.dll"	Ccqhdmbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2676	880	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe	30
PID 880 wrote to memory of 2676	880	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe	30
PID 880 wrote to memory of 2676	880	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe	30
PID 880 wrote to memory of 2676	880	60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe	30
PID 2676 wrote to memory of 2760	2676	Bceeqi32.exe	31
PID 2676 wrote to memory of 2760	2676	Bceeqi32.exe	31
PID 2676 wrote to memory of 2760	2676	Bceeqi32.exe	31
PID 2676 wrote to memory of 2760	2676	Bceeqi32.exe	31
PID 2760 wrote to memory of 2092	2760	Bdfahaaa.exe	32
PID 2760 wrote to memory of 2092	2760	Bdfahaaa.exe	32
PID 2760 wrote to memory of 2092	2760	Bdfahaaa.exe	32
PID 2760 wrote to memory of 2092	2760	Bdfahaaa.exe	32
PID 2092 wrote to memory of 2600	2092	Bhdjno32.exe	33
PID 2092 wrote to memory of 2600	2092	Bhdjno32.exe	33
PID 2092 wrote to memory of 2600	2092	Bhdjno32.exe	33
PID 2092 wrote to memory of 2600	2092	Bhdjno32.exe	33
PID 2600 wrote to memory of 2992	2600	Camnge32.exe	34
PID 2600 wrote to memory of 2992	2600	Camnge32.exe	34
PID 2600 wrote to memory of 2992	2600	Camnge32.exe	34
PID 2600 wrote to memory of 2992	2600	Camnge32.exe	34
PID 2992 wrote to memory of 2016	2992	Cncolfcl.exe	35
PID 2992 wrote to memory of 2016	2992	Cncolfcl.exe	35
PID 2992 wrote to memory of 2016	2992	Cncolfcl.exe	35
PID 2992 wrote to memory of 2016	2992	Cncolfcl.exe	35
PID 2016 wrote to memory of 2280	2016	Ccqhdmbc.exe	36
PID 2016 wrote to memory of 2280	2016	Ccqhdmbc.exe	36
PID 2016 wrote to memory of 2280	2016	Ccqhdmbc.exe	36
PID 2016 wrote to memory of 2280	2016	Ccqhdmbc.exe	36
PID 2280 wrote to memory of 2932	2280	Cccdjl32.exe	37
PID 2280 wrote to memory of 2932	2280	Cccdjl32.exe	37
PID 2280 wrote to memory of 2932	2280	Cccdjl32.exe	37
PID 2280 wrote to memory of 2932	2280	Cccdjl32.exe	37
PID 2932 wrote to memory of 2532	2932	Cjmmffgn.exe	38
PID 2932 wrote to memory of 2532	2932	Cjmmffgn.exe	38
PID 2932 wrote to memory of 2532	2932	Cjmmffgn.exe	38
PID 2932 wrote to memory of 2532	2932	Cjmmffgn.exe	38
PID 2532 wrote to memory of 1656	2532	Cfcmlg32.exe	39
PID 2532 wrote to memory of 1656	2532	Cfcmlg32.exe	39
PID 2532 wrote to memory of 1656	2532	Cfcmlg32.exe	39
PID 2532 wrote to memory of 1656	2532	Cfcmlg32.exe	39
PID 1656 wrote to memory of 2324	1656	Coladm32.exe	40
PID 1656 wrote to memory of 2324	1656	Coladm32.exe	40
PID 1656 wrote to memory of 2324	1656	Coladm32.exe	40
PID 1656 wrote to memory of 2324	1656	Coladm32.exe	40
PID 2324 wrote to memory of 1176	2324	Dhdfmbjc.exe	41
PID 2324 wrote to memory of 1176	2324	Dhdfmbjc.exe	41
PID 2324 wrote to memory of 1176	2324	Dhdfmbjc.exe	41
PID 2324 wrote to memory of 1176	2324	Dhdfmbjc.exe	41
PID 1176 wrote to memory of 2008	1176	Dcjjkkji.exe	42
PID 1176 wrote to memory of 2008	1176	Dcjjkkji.exe	42
PID 1176 wrote to memory of 2008	1176	Dcjjkkji.exe	42
PID 1176 wrote to memory of 2008	1176	Dcjjkkji.exe	42
PID 2008 wrote to memory of 1324	2008	Doqkpl32.exe	43
PID 2008 wrote to memory of 1324	2008	Doqkpl32.exe	43
PID 2008 wrote to memory of 1324	2008	Doqkpl32.exe	43
PID 2008 wrote to memory of 1324	2008	Doqkpl32.exe	43
PID 1324 wrote to memory of 2032	1324	Ddmchcnd.exe	44
PID 1324 wrote to memory of 2032	1324	Ddmchcnd.exe	44
PID 1324 wrote to memory of 2032	1324	Ddmchcnd.exe	44
PID 1324 wrote to memory of 2032	1324	Ddmchcnd.exe	44
PID 2032 wrote to memory of 1348	2032	Dbadagln.exe	45
PID 2032 wrote to memory of 1348	2032	Dbadagln.exe	45
PID 2032 wrote to memory of 1348	2032	Dbadagln.exe	45
PID 2032 wrote to memory of 1348	2032	Dbadagln.exe	45

C:\Users\Admin\AppData\Local\Temp\60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe
"C:\Users\Admin\AppData\Local\Temp\60067e5ac3e003e60500989bffcafd2df9ad8f8ce8d7c2b69161b0507704cc41.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\Bceeqi32.exe
  C:\Windows\system32\Bceeqi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\Bdfahaaa.exe
    C:\Windows\system32\Bdfahaaa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Bhdjno32.exe
      C:\Windows\system32\Bhdjno32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\Camnge32.exe
        
        C:\Windows\system32\Camnge32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Cncolfcl.exe
        
        C:\Windows\system32\Cncolfcl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ccqhdmbc.exe
        
        C:\Windows\system32\Ccqhdmbc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Cccdjl32.exe
        
        C:\Windows\system32\Cccdjl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Cjmmffgn.exe
        
        C:\Windows\system32\Cjmmffgn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Cfcmlg32.exe
        
        C:\Windows\system32\Cfcmlg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Coladm32.exe
        
        C:\Windows\system32\Coladm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Dhdfmbjc.exe
        
        C:\Windows\system32\Dhdfmbjc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Doqkpl32.exe
        
        C:\Windows\system32\Doqkpl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ddmchcnd.exe
        
        C:\Windows\system32\Ddmchcnd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Dbadagln.exe
        
        C:\Windows\system32\Dbadagln.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Djmiejji.exe
        
        C:\Windows\system32\Djmiejji.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Dgqion32.exe
        
        C:\Windows\system32\Dgqion32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\Eclcon32.exe
        
        C:\Windows\system32\Eclcon32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Efjpkj32.exe
        
        C:\Windows\system32\Efjpkj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Emdhhdqb.exe
        
        C:\Windows\system32\Emdhhdqb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Efmlqigc.exe
        
        C:\Windows\system32\Efmlqigc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Einebddd.exe
        
        C:\Windows\system32\Einebddd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bceeqi32.exe

Filesize
180KB

MD5
a881cc9a0732237e32a0e77047ef276e

SHA1
fe1fcfb1a800271bfcfb2070f5d91c06d14b6afc

SHA256
9aed4b7fccdc601dd1159f9b9ca02343973b34286d8ee96ebe57a5942cc60749

SHA512
864253ef8e59506ff32d251ae896f8ac64b80b221430908375944841775f9a6c194076b1ef89dc3acd6845534c0792963b911f98184ca8255f17fdddbcab40f0

Download Submit
C:\Windows\SysWOW64\Bdfahaaa.exe

Filesize
180KB

MD5
db49297cfc9074bcaaa570ed4fa22c22

SHA1
e0abca811baad318c046a564496017efb26513a5

SHA256
be2210e5cba70c01c3d138b6d7e306002a910490bd8c2eaccb5cffc2989045e3

SHA512
25e02e97f2713d0dd97be546c8dbe9c9ca2a7cb28470e2668f3933094a53d209673ddf3982f9f9d3744e1293a781f671d3e260ef1f1310a8000096d4e92107df

Download Submit
C:\Windows\SysWOW64\Cccdjl32.exe

Filesize
180KB

MD5
0f707113432f369f227a4bef64bb87b8

SHA1
8e0eb91ad5b40019ffa11c1708c1bf81b8d68dc4

SHA256
a8247efe5de6aaa4a79dd6a50d74f4e568887e848e12934a3069a7c3d22581aa

SHA512
76ef93a1ac3a87a6e83e79aa5761d6219c8de39e0bcb5fe9bdc17d81ebdbeb12bf18ec3eee21d0e439897e5d6bc0f61bb4071b2b4f2d5a8b85622338e25caff6

Download Submit
C:\Windows\SysWOW64\Ccqhdmbc.exe

Filesize
180KB

MD5
cf3944ee242f8679cd950c74d446723f

SHA1
8f5085c1c2b5faa3f734b281fb28ea89f81aa266

SHA256
32d6937e2cb0154995f65da0aff2eb9304d36982ac187e54e0895245ba775836

SHA512
93a530c3425b75e5d9b775edc0bf8d6fa1abf1a7a6484c8dc8952a6bb487aff9d185276b03d2cd8d3989de5512a97ad59657e151166a95a42ec7ad91c35d287b

Download Submit
C:\Windows\SysWOW64\Cjmmffgn.exe

Filesize
180KB

MD5
cd0130bcd335e640fc24e67395b32dc1

SHA1
2c6788c6473d0c991b984c425db7ad9f1c890bf6

SHA256
4fca68d7fe288801a58305be74fe892e24754f5ca68bbe5030465ff7f0bc384b

SHA512
ef3f9a2bcfd7700e2b1db2b524cc08ad0fed91a4d447be790cd0fa0d11f980427c8f3ea9b7e21efeda38b85d8813ca95fee653462a40db89682751a051b7e447

Download Submit
C:\Windows\SysWOW64\Dcjjkkji.exe

Filesize
180KB

MD5
e022e4aedead22c2b4b8eac8214a48d0

SHA1
e8eef8f28055720569a5e32995b2a35eb9465904

SHA256
de290ee7a4f9e2884f3999fdc6b186394f7949ce4a5aa7f2ae988c6fd4f9586d

SHA512
d7a73161cc94c0fb68cd16bb83dec1d69867385cc1149897bd22e97a37f0a13b0f5c57fd333757cd82a741e8e67e00cf69eeff37d73818a1c4b6ff67f0f42f57

Download Submit
C:\Windows\SysWOW64\Dgqion32.exe

Filesize
180KB

MD5
aed53746b3c30cd2ba918baebb967f36

SHA1
5a94a8128c13fa68836e519bc7b9dc907c170934

SHA256
ea756d54d0ff7a7b2087bcbf721d721aad3d1ccc88ba75b5905b33f3890e2841

SHA512
49f8e85dbd3f090165122fbbb894975d0eaa07c8297d7161b697b8fb462efd997e2aa8a94a77000f3e8eb176dd2549bc6d39a92c8337b18c5d38b4733b50101d

Download Submit
C:\Windows\SysWOW64\Djmiejji.exe

Filesize
180KB

MD5
455101f8da65b4dfa2d73424d609f46e

SHA1
482c42f728427754bee734adf6fb398025f1f85e

SHA256
b4d0cea6cde0ac77a314565942202fda38fa44473129509dfd9f36f5a1c86845

SHA512
448e032b2b097bca542c5eab7e89d0aba4fdd41556ddd9c63b3cabd79bf356f3d4a2f78d9db0ab62ea0ec5490404779a4e52bbccbd188bf4d6185aca67a829e6

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
180KB

MD5
6755ddd1e43e34547a8031fd96a4a804

SHA1
a8168741435e1dc5c849cf47c0583e0724580048

SHA256
d08a26f8c0078384a5ae0fdfa0add1c6e19371d6c658d5b653c427155bb3c736

SHA512
a4cf695ea23bdfe27b205c8606307f1ba24f0efd6d699bb91dba4d276ffd6d7506251a9125a697ab82fd9df20357e4f833d16e5fe8a793877d5053e10c67ff4a

Download Submit
C:\Windows\SysWOW64\Eclcon32.exe

Filesize
180KB

MD5
812fe622e7876868757fcfc17d27e287

SHA1
4f9fc5aaf304ff7223feb36611d362cf03983c20

SHA256
f5b79fbd161977b50b139087202022e5a5cfa2b3a194219ceb9bc6c1d71035b9

SHA512
14a8f788cadd66507ed5309455119cb257fd4586a54ade11ed5aaaf5eed42f1568a96b06ccfb16939ae59bd302d0f02112c422fa75b2e7e432655ff5aad991c5

Download Submit
C:\Windows\SysWOW64\Efjpkj32.exe

Filesize
180KB

MD5
e50f8be4bdae6672d860c0b9968c9f7b

SHA1
a9efc49b31de05c1ba8f443ada86c73388bbb2dd

SHA256
6b7644507bb391a06a5fb0d244b992ac9508f0568d846ff1d9e15236cc761213

SHA512
fefcca5bc38d4f6e449ce3da79d681e1ad4c719d6c769f8443b0a066f6c2d6b0c3d6bfecf0ee22bedb1d1da16d9443047d9f4f828be88d69220eaba79fd090ab

Download Submit
C:\Windows\SysWOW64\Efmlqigc.exe

Filesize
180KB

MD5
a7c03b9c230ea5f0faf8de762f4de935

SHA1
8df331621fb10ffd8fae1d870ccc1c9cf270ecec

SHA256
c9ced47e2023f44fbfe028c1ce845a54f213c3203d10144368705ebc5e4a48c0

SHA512
c1232cebb697fd7e4a0aec6c395ebbcb6880447950ed8a2e32f4726dac99fdf61cb5816660f38c50811be96119b7df0c87c787654bf5c0cf4cd3630c0964af12

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
180KB

MD5
4cf5d06cfcc20fd74434e59d1699d3ba

SHA1
90434015a6c6b03f1c35241164e9e2a0229f4267

SHA256
e79c3f4dc41c321296260db6059fd4b9a3d0a72584e825a1797294d48adc78ad

SHA512
b96481691880fc088e0f86c7ed2b0bf007f716f42bdbb0c93a07ac643f7dbb8e659d4267101f3c12d5e4c89f53213e222c0374b5b375473b9a6be4c84641ff65

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
180KB

MD5
390f923c355c8ca741a549bef3e08572

SHA1
11321881c94aba16b115503ec648cd5c04337792

SHA256
b9f7446a8a40f682fe0e511a075e98a4a26bba72aadd78b404582de882b01e21

SHA512
43a34aa75ec64465b21d6467b5331b41e00f8fe684cba2427fd95365c5f6cc0c32c67489f520c23e78d230330c1dac34906f2ad3736759132a578cda89d141b3

Download Submit
C:\Windows\SysWOW64\Einebddd.exe

Filesize
180KB

MD5
bb8212b575a06117e5a5fdf94f1946d8

SHA1
9033dbb9f30ba714dec77580dfb3b3d8800f901f

SHA256
564bfed8820acb45b8cf1f0fa802ee1c723e2cfce9604a3d7f226a39d83df272

SHA512
23dd9d91986bc36d7670e887eb6e2f467d5c35700cc7d840263a8be33b85a86b8b0c8e81827a49b9fed9ee962f60d12b7ca14c1662f5e76e224062f8e86d3697

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
180KB

MD5
4e923d083e89e392cdf25749f0217d41

SHA1
57d78cb302ab32e4409fdfa564c4fa9bdaed0fc9

SHA256
5e34027e6534ba470f73ad159fac31e3d7c71c25294f2f40585aca8bb6821119

SHA512
60fed86f009a13cc31de7793749dacad98d041a82f32798a777120b491e63e1af4f44253658eb298e7bc3ebfa5e82ead84507ee7781739c11202966f63f49165

Download Submit
C:\Windows\SysWOW64\Emdhhdqb.exe

Filesize
180KB

MD5
503cb833484fdbedb0cda808235ca191

SHA1
bc4ee4ec383ba7c02d82a32651cf076abd7afaba

SHA256
5327c85e494f18d6fc17fb891eab54e0d338a0b24acba352bfe8723149649dcd

SHA512
d5283694dec6fe13ae228130c220082bd1c0e615f72bec13de0418fb9c4d129cd1359c4229e9672bd2d935ea2cae0d1e2ada4da3b906f90a6b4132c1641e1a2d

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
180KB

MD5
72e49efb0c3c8370c0459740c78cd6c2

SHA1
ae1eacbb891c6dfa55bd1f2502c2e5f92da6c29b

SHA256
6bbcd57697670e8aa536896009528b4e18603d519e138b8f63d65f5c61401bb0

SHA512
ec16e28d1bb71acdb07f62c234a686342a28d570adf129df4070db956e1bf6efa9373112682d76d13a551cd4796ab7fd4e761777ed4ef164c76bffd77977e59f

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
180KB

MD5
9e4090c846a4caafccc25f6114c1ff2b

SHA1
62e82badef201767fdfdd35c82d4c218172a5ec5

SHA256
7a2964fb493b6673b76d8228cb68b7aa64ca1530823df9b290a210d424a2ea8d

SHA512
6ead749089d34e1db7c9271ae5781250a2e362325b0b0966167b12ad9552476fd8830abf60d6321ffb9e12d73c5a341c97990a0726a23c0e6f52b36ab765e681

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
180KB

MD5
77537170d46fda84d1a156afb72c3470

SHA1
2ab214c4c35d4f0c83687638cf06e2583910725c

SHA256
f29560433aeb24deac19d12ea07b25cd1fc8e8bff66a4dfd68754c46723bccd2

SHA512
6fe0dd18bae32f44f703d7685938e502766a13737f65988218dde2199491ec815e17062fb70e935c603c246ec8835ab4541aa957d20b80efbce314a4254d2f7d

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
180KB

MD5
0f1f3e707d910ced16eb495f3bf7de10

SHA1
f94eef51cf1bc01ad42d59e497a8404388c02da9

SHA256
3354b6ad7e9cec174d28f312342bad507ea221ade91c1dd6093214b15fb23714

SHA512
d7a216e12045512fa95c593a140fc253cbbc32bddea02a642d290dfed119ce1198e791973086595415a88a4cb4a7d25a21ff4862ea49cbad4428ab5a129c14e3

Download Submit
\Windows\SysWOW64\Bhdjno32.exe

Filesize
180KB

MD5
c907a68e315ace8fd4458c12d6134bf2

SHA1
60d2571dd3cea03ab36a6e8a60ec37ffc86a2d24

SHA256
4dc0d3ecdef666e137bca84942876f1d785502003d2035169bfe96955c0ba08b

SHA512
3312e3a4b7eedc916a849fdbbf220a801e5a30dfe6a8259f1aa61a457f9102ba559075c40e7c1ae8d136844788b7e3d6bfcadbe6dabb4eb5ce16f3aa35e40393

Download Submit
\Windows\SysWOW64\Camnge32.exe

Filesize
180KB

MD5
2e060714f71481f1539b0467350d1a9f

SHA1
f50228876b3c314fda37d197f3646a96cccf2760

SHA256
353e343f6d7e1bf78248ac5961648a83e7f742babb695cbcaee37d3bb3622d1e

SHA512
b97a88292aa6ac0184a7a7cfa9c0f2b9f121ac15f0a32fad1f253ba1b4f20f9d5c6f8f35ccd6932fe140ab3372b73d6ace4727cf17213dfb2513436078ff8c32

Download Submit
\Windows\SysWOW64\Cfcmlg32.exe

Filesize
180KB

MD5
85e57a48a7e6000431d751358eee3c36

SHA1
a71d0af39c2362240287c8ec5fa9ce986658f015

SHA256
71ed595b71c66c23b03a35ace2e397ca340f1f49c90848cad81df0314c08e01b

SHA512
e6578254f6c698a25a7199a606236ce7d24d7b803053982578e5c2d9460bdf31bae17b5fd8e5eb3b0f6fade32cbd605c531046cb400f354f15cf6e2713110751

Download Submit
\Windows\SysWOW64\Cncolfcl.exe

Filesize
180KB

MD5
5237745efb0754c2ce1e0aede2d16adb

SHA1
239fbf8f07298260b81c5b0740fbcfea4f01abc4

SHA256
fcf2359d752a97bc3e28de84501661db7adb43ad8164ea7549ac306cba8424f6

SHA512
405e112b326db9c58bd7b3d1b6a91edded5b6e19916e7f876730134a32e2c407abaae0fac6314416bbe2117e50811ce93eb5321a5a528b9185ab5d24a68a6420

Download Submit
\Windows\SysWOW64\Coladm32.exe

Filesize
180KB

MD5
7792d3e4b9a441b7d2865773e286a6b6

SHA1
4a0a86243068c9298e41b6810ffc5eacfd26254e

SHA256
283cf3b7babd79097d0249a3b5a8b1f7c12251c112fae48d91d41becde4417b7

SHA512
2c8a1f0e4f4993724fcba493d16e1ebcec8efa9cab32e6c061d29bc78e0d8720a679f77e36ae1a49513b7b38b67d38a0df8be5b513e76763e56cbd3751d608f2

Download Submit
\Windows\SysWOW64\Dbadagln.exe

Filesize
180KB

MD5
248cf22640893da317196e7e1264940c

SHA1
755b68868cb8619fd1e6f6c21ca55e5f58c69be9

SHA256
7307dede4242b18e3d109fbdd74a6bacb1b9ff2bc1916ff06071840e4d5f9f2a

SHA512
c49a2ebc887ff72d22cc5ddd2c3e1b2474a2de0f33d045865e86486c09a4b61dd9aef9449870caca101db056dd37fcf2facc002f9c55fa5d8b2bb6cbf23dfa4c

Download Submit
\Windows\SysWOW64\Ddmchcnd.exe

Filesize
180KB

MD5
f1a1ded03d87c791691c34afe1f4de5a

SHA1
c80e4f95df872c9a8be7a5ea10805482c12425d4

SHA256
c04a6224731b127042d051bcfcbd2fa4d9f66ffeeccddd1f6a21cdef6a6bb1ad

SHA512
66098a0dc9ab9ca49c80e9c8971cec5a88b16cbdcf470ad054f33d8527d90919a99c6cc4c675cfcc644be59dac3f640ab363a3c7c029417d5cd8aab6a9165b19

Download Submit
\Windows\SysWOW64\Dhdfmbjc.exe

Filesize
180KB

MD5
e53ea2e28fc47d5ba019aed721515df9

SHA1
3696513b5ef7ea6017de1befad87969680ca7f95

SHA256
cc2a258495d5ce0bccc4a9bbc14b83e6a218c25c879440e322240eeaa79f7fe6

SHA512
ee7bd76903b27d2ecb7904a41ac059b088837998d665a8f5816db2562a88e790aa075716b3f96bdf6e179dc2bfd6254161192eceea6a252bf3670c4e2aa973c3

Download Submit
\Windows\SysWOW64\Doqkpl32.exe

Filesize
180KB

MD5
c1ea067cc88dfc635479a5c1bd126401

SHA1
eea99d0ac6f6082b10d494c3c02273e5c01f33cb

SHA256
2cb11c75b04a2d9b1022bbcb7eaf87b0fe071f8a111cd8410b512516638215f1

SHA512
4d01441ce7611e1270f5fe124616eba9b1e5b1867aec47879b2915a735c613a0545e3b5a0af9cc5e2cd1756b032c2618071d96afd45b036aa3e5285d0ab88367

Download Submit
memory/880-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-18-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/880-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-17-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/996-247-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/996-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-169-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1176-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-296-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1204-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-295-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1324-198-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1324-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-225-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1348-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-228-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1584-336-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1584-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-340-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1584-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-143-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1656-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-188-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2008-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-94-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2016-89-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2032-216-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2032-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-52-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/2104-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-285-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2280-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-234-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2532-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-328-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2552-329-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2552-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-362-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2564-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-62-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2600-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-263-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2628-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-34-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2760-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-364-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2760-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-318-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2780-317-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2780-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-349-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2820-350-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2820-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-306-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2900-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-307-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2932-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-117-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2992-79-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2992-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads