berbew | c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2024, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
Size

93KB
MD5

c110559770e47d710b8f0d2b6e2b13d2
SHA1

636ceb15a463de796e7d2103cf9ba8adf93ad37a
SHA256

c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52
SHA512

1fc1815fa5ddfd800cab29ccb384deb75f86589f0d93728148cd0625dd988f0c7e44ab0284c6fdaf98bde9683af0d970957d2a03144a65c2874a434e8f6aef55
SSDEEP

1536:1vCPzPAMJZlWdHyCUYvJbe0ISfPeqdKtf1DaYfMZRWuLsV+1R:FMcMJrVWyVSfPefgYfc0DV+1R

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 39 IoCs

pid	Process
3804	Bcjlcn32.exe
1376	Bjddphlq.exe
2572	Banllbdn.exe
3096	Bhhdil32.exe
1976	Bjfaeh32.exe
2180	Bmemac32.exe
3080	Bcoenmao.exe
2920	Cfmajipb.exe
3404	Cndikf32.exe
2804	Cenahpha.exe
848	Cfpnph32.exe
116	Cnffqf32.exe
2848	Caebma32.exe
4088	Cfbkeh32.exe
2056	Cnicfe32.exe
4864	Cdfkolkf.exe
1404	Cmnpgb32.exe
4328	Cdhhdlid.exe
3384	Cjbpaf32.exe
1940	Calhnpgn.exe
4092	Dhfajjoj.exe
2224	Djdmffnn.exe
3884	Dmcibama.exe
5096	Ddmaok32.exe
2856	Dhhnpjmh.exe
4536	Dfknkg32.exe
3780	Dmefhako.exe
4748	Delnin32.exe
4936	Dhkjej32.exe
1704	Dkifae32.exe
872	Dmgbnq32.exe
4288	Daconoae.exe
4904	Dhmgki32.exe
4784	Dkkcge32.exe
2948	Dogogcpo.exe
2812	Daekdooc.exe
3916	Dddhpjof.exe
1964	Dknpmdfc.exe
2988	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
404	2988	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3804	1980	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe	83
PID 1980 wrote to memory of 3804	1980	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe	83
PID 1980 wrote to memory of 3804	1980	c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe	83
PID 3804 wrote to memory of 1376	3804	Bcjlcn32.exe	84
PID 3804 wrote to memory of 1376	3804	Bcjlcn32.exe	84
PID 3804 wrote to memory of 1376	3804	Bcjlcn32.exe	84
PID 1376 wrote to memory of 2572	1376	Bjddphlq.exe	85
PID 1376 wrote to memory of 2572	1376	Bjddphlq.exe	85
PID 1376 wrote to memory of 2572	1376	Bjddphlq.exe	85
PID 2572 wrote to memory of 3096	2572	Banllbdn.exe	86
PID 2572 wrote to memory of 3096	2572	Banllbdn.exe	86
PID 2572 wrote to memory of 3096	2572	Banllbdn.exe	86
PID 3096 wrote to memory of 1976	3096	Bhhdil32.exe	87
PID 3096 wrote to memory of 1976	3096	Bhhdil32.exe	87
PID 3096 wrote to memory of 1976	3096	Bhhdil32.exe	87
PID 1976 wrote to memory of 2180	1976	Bjfaeh32.exe	88
PID 1976 wrote to memory of 2180	1976	Bjfaeh32.exe	88
PID 1976 wrote to memory of 2180	1976	Bjfaeh32.exe	88
PID 2180 wrote to memory of 3080	2180	Bmemac32.exe	89
PID 2180 wrote to memory of 3080	2180	Bmemac32.exe	89
PID 2180 wrote to memory of 3080	2180	Bmemac32.exe	89
PID 3080 wrote to memory of 2920	3080	Bcoenmao.exe	90
PID 3080 wrote to memory of 2920	3080	Bcoenmao.exe	90
PID 3080 wrote to memory of 2920	3080	Bcoenmao.exe	90
PID 2920 wrote to memory of 3404	2920	Cfmajipb.exe	91
PID 2920 wrote to memory of 3404	2920	Cfmajipb.exe	91
PID 2920 wrote to memory of 3404	2920	Cfmajipb.exe	91
PID 3404 wrote to memory of 2804	3404	Cndikf32.exe	92
PID 3404 wrote to memory of 2804	3404	Cndikf32.exe	92
PID 3404 wrote to memory of 2804	3404	Cndikf32.exe	92
PID 2804 wrote to memory of 848	2804	Cenahpha.exe	93
PID 2804 wrote to memory of 848	2804	Cenahpha.exe	93
PID 2804 wrote to memory of 848	2804	Cenahpha.exe	93
PID 848 wrote to memory of 116	848	Cfpnph32.exe	94
PID 848 wrote to memory of 116	848	Cfpnph32.exe	94
PID 848 wrote to memory of 116	848	Cfpnph32.exe	94
PID 116 wrote to memory of 2848	116	Cnffqf32.exe	95
PID 116 wrote to memory of 2848	116	Cnffqf32.exe	95
PID 116 wrote to memory of 2848	116	Cnffqf32.exe	95
PID 2848 wrote to memory of 4088	2848	Caebma32.exe	96
PID 2848 wrote to memory of 4088	2848	Caebma32.exe	96
PID 2848 wrote to memory of 4088	2848	Caebma32.exe	96
PID 4088 wrote to memory of 2056	4088	Cfbkeh32.exe	97
PID 4088 wrote to memory of 2056	4088	Cfbkeh32.exe	97
PID 4088 wrote to memory of 2056	4088	Cfbkeh32.exe	97
PID 2056 wrote to memory of 4864	2056	Cnicfe32.exe	98
PID 2056 wrote to memory of 4864	2056	Cnicfe32.exe	98
PID 2056 wrote to memory of 4864	2056	Cnicfe32.exe	98
PID 4864 wrote to memory of 1404	4864	Cdfkolkf.exe	99
PID 4864 wrote to memory of 1404	4864	Cdfkolkf.exe	99
PID 4864 wrote to memory of 1404	4864	Cdfkolkf.exe	99
PID 1404 wrote to memory of 4328	1404	Cmnpgb32.exe	100
PID 1404 wrote to memory of 4328	1404	Cmnpgb32.exe	100
PID 1404 wrote to memory of 4328	1404	Cmnpgb32.exe	100
PID 4328 wrote to memory of 3384	4328	Cdhhdlid.exe	101
PID 4328 wrote to memory of 3384	4328	Cdhhdlid.exe	101
PID 4328 wrote to memory of 3384	4328	Cdhhdlid.exe	101
PID 3384 wrote to memory of 1940	3384	Cjbpaf32.exe	102
PID 3384 wrote to memory of 1940	3384	Cjbpaf32.exe	102
PID 3384 wrote to memory of 1940	3384	Cjbpaf32.exe	102
PID 1940 wrote to memory of 4092	1940	Calhnpgn.exe	103
PID 1940 wrote to memory of 4092	1940	Calhnpgn.exe	103
PID 1940 wrote to memory of 4092	1940	Calhnpgn.exe	103
PID 4092 wrote to memory of 2224	4092	Dhfajjoj.exe	104

C:\Users\Admin\AppData\Local\Temp\c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe
"C:\Users\Admin\AppData\Local\Temp\c6a903a47c65ec9649a314801ad915e87676962b6cb0db40a05d355c9c71aa52.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\Bcjlcn32.exe
  C:\Windows\system32\Bcjlcn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\Bjddphlq.exe
    C:\Windows\system32\Bjddphlq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\Banllbdn.exe
      C:\Windows\system32\Banllbdn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 404
        41⤵
        Program crash
        
        PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2988 -ip 2988
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
93KB

MD5
aef3455adbc6a125dc1d99405c51a7cb

SHA1
55c8b2094a8e0d8b9260a2dcd3f4a3e44f36423b

SHA256
f6a9f227a2648e618c1a35197670cdba80ebb75ca356135701146a79a135d006

SHA512
87437e6d17936c2565b1ed1a0a3cab72fc44e9bbef7f2d306f79ac3668ebbb8dae6c23e2024eccc297b10d0dcd200d064f971ed71aa5c92a356814aa3cbd7b67

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
93KB

MD5
d59d9cda4bd6da16f6729d39adb7e157

SHA1
291a6af2e872ea8cfc741b35d8fb5ea9afb527f0

SHA256
2a5a88413a3eb59e73e564a72de6b1285f2b3cafcd403ddf65eb735f005645d4

SHA512
c6c97d866b131547614aa96755e6a4e980675eb28f97401bde3ad37321b5a86c410e9c2205963bb17b86e4cdfd1f86d4e0d077634ebd5a1abb28abf0f8c11c9d

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
93KB

MD5
901140b0e2fabc56f4013499e04a028a

SHA1
e8cf018004b1aef2e8bffeb932e3a84a6e6eacfb

SHA256
3d18e8dc7f65f586900dca6bee86f35b979aae360178e749224070335e0b5347

SHA512
bfad21b22cac4a1b79570ea026701edb84368082c59cf2eb958adbb6e21b50b7bf2b7698524c2ba2f781ce6a612a54aef79a545e702c640e32d5bc60a395c131

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
93KB

MD5
035fd6d0e833d8ef6ee059f03b356ce9

SHA1
0b49cd21e26f135b6ec2c6dad90c16d93ad55d16

SHA256
054160ce6155e8e6a33d824cb9f3737acee9c20ee2393ad5c4e370e292956db1

SHA512
746637665faa3e2310bbf306b6f9a7f38f06eba2b1cd6ce45bf88cbedae57790354aed490dea49968cb40f9ed525c550d8339c8203dccb378d3bb482f61d4f57

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
93KB

MD5
fb81f394ecf6bb7bfb279c775e8bee11

SHA1
738977f9926fce55ad4eeeff343df4ec3d1c549f

SHA256
3ef7acf2845212b820cbda9f53c804b19c563e58aa2c62513e2cbaab6a9b400b

SHA512
f741169092aaf8b3dc95d4cb0fe6cbc4ed9bc2570dbeac3e422c24a3288fab38ad4933a4feea9ada7fbbc7f847c6947af035a37eaa6492a8af167134d96bfe62

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
93KB

MD5
91c5925628b767e6dc8222321f084377

SHA1
9477fbb0309142c63fa5a8dc29ad5613169c92df

SHA256
03973f19bec1951b105def8594fe7907cb8d7a55004934480aae587a37c8b7c4

SHA512
d7f21da4cce431b30d8698c67cd63e131f12dd68768dfce988b124ceedac973a89ff25f45bd3ce82feddf97f86546d35de03da7198a6bff79a28ad837b993af8

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
93KB

MD5
2f7d1d936cc5aefd642782879f6a2b51

SHA1
7bec55ce27c10c4c68a5cf30bec088a4f5011829

SHA256
ebfa8c6cb357e4c06d46b94423e548867b9261d00d29fdeda85f153aedddde13

SHA512
1650fd347301a14073b119a53be551ecef79d375fcc72638c2492f8b32f62e6089485cd2f6267219bf4b544e44c792b32d132bdb699c238b6c061071a469cb66

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
93KB

MD5
da98c8064f920d805e3706e687b4d602

SHA1
17efc9d26d897e1779bf0384f8bb9d5075d10753

SHA256
68953963d23dff2de3832dc5f56351412b9b9225a305d43cd018dc626233f499

SHA512
13f89c2429e7740ab030be9eadf9014ceb87fe6e1b6405f754506b82cba940bdc1f8acad958f1f464ba548147e7adad8e7e1e4d7f6d2c0dcaedade1039a34599

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
93KB

MD5
77005fbb24d294a930459660e51e2336

SHA1
69bb9308ac0ea5330f8835f36277d0f9f6e7fb5d

SHA256
0599068e3f6b1191669caf12d9df91ed09da6be8031bfc83241e13f6a2b36ab5

SHA512
5743444565e346cfb6f9a55dfbfd59517310fe142b9f12401598b42bef0bdb998adf2676b53c8fe32382f5378bf2fdfea3cef7cd4cadd0d8b7bc0ea77d78eee1

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
93KB

MD5
82b71bf2a1827ca5af076562c9f76145

SHA1
3f686601d714d292049ddfa251eb8107789bc476

SHA256
787ac46a0add980709e45549974c26580df23d104fdd3fc4764c6011a7151b04

SHA512
e51d760030ae2f5d39bb54e04e047bcf78ae97a1bcfb045ec434c8ab297175e32148bf97338ded17a445220efa009b321b1faf236dd249ca2b64cb33e146cd92

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
93KB

MD5
58c830aed6ed3252d5f236c60dcb33ee

SHA1
673fc01ddb7cccd2b43a493a0cc051ba1a94d096

SHA256
1a84864bdd829aabf6920058c2eeccc074451e5b6adf8f84174085a0066c46bc

SHA512
e729c0aaca2d2670947c946c4b824e7819f004d6711a0d1ed19263525650c0304ca21f797bc82669cd4542190e0e52d9277eb3394ece0e1e5ab171024e096523

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
93KB

MD5
a44c0121b8c5ac2bf2a8dfd74373e379

SHA1
3068b7349b70b10cdcae07e350679ee441db62c5

SHA256
3e426e33e24d7a1e5ef0b6c34a7889d2155515a8c88bf8f5a1f907f97e882656

SHA512
0fca810d1a89bef8bd8b09b64da97f5ccf1fc5d978db1eabd8f78fe45ed522e5111c3cf00987dbb2c530badd553b3e83be559b425a8bf9f859330f10ce64258c

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
93KB

MD5
99e9561c72f4cf76d024538e13773374

SHA1
ddc87b9f5b1d2d4d617e4d68c1823d26b11e217e

SHA256
4c3b52c093e41d1d10dcf3f4d160651e472ecfafaf16e7f06f1cef4fde00216b

SHA512
b47bf1ec62e1626e49d990f03d4c21410a4024d1bb2033a701ebd9295fb92c69ff3e6cea32045b0303f6ef3c843d497e33b4c0693c1ffbb8caa26b7be13be729

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
93KB

MD5
7a00cf618de090bd7817e456ad3c1bcd

SHA1
ec34bb647e4019fb5492cfcd464cbe740866bc74

SHA256
cc5f2cc4d195250a161d5f0bf3255f0383f5449959302842da8eedac13096d30

SHA512
f784c2a4291cfef1c6d9ce05b2ecc7606cbc1d27e06d6016d9edb3f93a05b998460aff3b5f94386cd30a11643f197497508287f73595a945f81cf06c63191191

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
93KB

MD5
c38ec4a658d2559c2150fd8a9684571e

SHA1
99029f282d90a8ff531cfdbab730ce14831e760b

SHA256
e2b611de557f32fccab32ee288b8fffaa857f1962a259fccf14d4b9e0c7578b6

SHA512
dd84ce3989648b1a9187ccebe8ad039e8d0cf5a319bb404ca6ad4d4a0f8ed957102e77089cc64202cdde7d7186c463e96b6a42ca1b8ddb3d44d816a08e48e639

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
93KB

MD5
33d670a1f5c109ef8274b1173a64d2ef

SHA1
b31e1ddb213e4a3cd8c47cf6b14bff8344550a74

SHA256
813930074d5c6356f1c3f3a34fe8e633b96ce95d8525c00bc77bfaa17ebc6ebd

SHA512
e52b1bbf881bfe8f2f879f907ae77de78e0a8aba94f3fa520770e2ab27a2e15d118598952326016c210086d0d7a3f3a23c662c6007cc23095d8daa3e3614c8ba

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
93KB

MD5
81a17d9b5ee7b52ad4550651057f35a4

SHA1
ef9943a684c7e202c4dd4a287fbf827b5a2ff72c

SHA256
f1c278f929c56b38e7bda11cc22a9671f13d6c96261391d4a31048ac50783d40

SHA512
54ca334cb61a58e94c2dd3fa35b0265aa0816aaaed84cae306e3229f3b7a1352dd780cc124cb8c938009205a068389558d59a6e9dc59bb53bee6f9bd5e34abbe

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
93KB

MD5
f6dc49d0b880495969d754e19039ed83

SHA1
7249d3c7ac7e50daea95e201f25b0c5b6471362c

SHA256
24c6900a81ae42feba95e0b2e6846d3d21b575f7d3009b63ae3c5eba760aee13

SHA512
89f1fcc1287737cdd82bf74bd28915707d3f2e31de0967e951cfa5862889930831268c11572004ae7267a866dd9186b5faaa868b2cd1ef7f94e21eacc93a8c2e

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
93KB

MD5
8f82e1d0539b70b55e991ca1dc33a498

SHA1
2ee0af9a195d6cde94391eb954f711d88389422a

SHA256
daf04549399b2bd245841bd82ab39a5f15d5095aaa6b12a320b465a000faa9ae

SHA512
3f1f394f1e567604636152355da52fd68b727a4f06e3a5223c012d779f9c04c520ecb8d77e0eecd547071ce2b49c74d4f266f0ce983b5c7ecd67e9fee3fd7c12

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
93KB

MD5
7936cc688a2b27287abaaede4b3e7fc3

SHA1
45989a8b10924e5260dbd7568037e020d1420bdc

SHA256
91ad36e8854c666e9cf53b04cff255d53bc7fe6f2f6ae3203c8c5374d0b44324

SHA512
ef42fdff8d60c245a21ed398532c66005b98cbb594e0c8fa965a91fe24aff532346b453b90e0db51759917291840e39ab682a11779d323653a5832fbc19bc36c

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
93KB

MD5
26693c94b50949f198d69b15fe45c634

SHA1
c72cee4ad21286009aac8e35f3fc6726944cfae7

SHA256
3e3e6157a347982bde755bb13d2da0c0951172d9282e354eaae02fcfeca676dd

SHA512
a237d3c318c135e577b54cd4a2e6fcdb7ee2c332fd8e1d4f1d004f16c69068e8b6d5c5506cd3ab359292789e8e2e6298e61f045316db3e00215e65041ae50364

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
93KB

MD5
8c2ef8941643d75c4e1862691758ca9b

SHA1
1b19c9e8c00c47526ae6f0eb4bcf8c74083d78d3

SHA256
7f4926b356e418970f23ca46ffdab2a37f1384573ea00a79d0bd1c52cdd3b518

SHA512
8a6b171c46ab026d5fd617004c68f8dc5e2905daa1fcc07768ee6f8e34d327a6063c409f9ccd317763643d48f4b9e5caad0f0acf307fd44a0ebbe1355540cb28

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
93KB

MD5
6a58ed9a774f6e0e0f61ec26eb1c5047

SHA1
b7e71b980055d970dd9df92673181146ebc11625

SHA256
d05277ca6a89b3436dc7da466c5c40174872ad1e0e3910c2aa810280f4d74a0d

SHA512
145e404b1117ea52f704fe5909cb02c912c3c309b143cbf69e9c2b4e4d32ddec3da2db0680b626f56f8e1fb92ae57b44954c356a90a7c43f2322aa38fcd7aae1

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
93KB

MD5
2ccf46b7286840e3286521a7b0119fd6

SHA1
38f2c087e420e556ee530b8080a8083311d076c3

SHA256
8be87e464bca1b533b6ca67cd58dda93d4b41a98769f86f6404a0fcd143842e3

SHA512
886936f436cd1a1bb49b08757c09e6ddfea00a2627f69b9628eff489e51875e73d34c8c432624db736f0a91a6093c4eb791c8194e0ced79f382817c47d3dab7d

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
93KB

MD5
265c8010aa1246929876c6d07a8a2e4e

SHA1
858297897a5390bbe699acc316417c9b524e4a6d

SHA256
4f05e913f9a8611286da856f6f1bfad4e90dbb9a0c9e765abff6880c728f17c8

SHA512
c2434a7df4000a1af4b9b2d06c002582277fe4c4a3642c8073dfa28e32d915fa7bebc536d92d1af1d0e3d3598f52554aa7e544878fcbd2ccf492dd8d12139821

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
93KB

MD5
5b15e0527c373b1d759aac1dc8f64e5d

SHA1
0f1f9465f31e00ae76b5748ef047c74c36be7e59

SHA256
93f544f5726a256d8463ac5050b88da991c872f5e61ec0f9837f2e6c4412ba5d

SHA512
5850f1c1c799750846ebeab60b6a845661a81ec2063a7d35e0aa2262c81771d1137912443739ac30b83d822c73b1e414b58f7e77f5c0a8d3780d9ca97af73848

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
93KB

MD5
9efd0eae71b182d2a2a23312e350802c

SHA1
479c3d8c132c8e88daa4ad5fccc62c455de2e00e

SHA256
30272c6c8e461553a291d3ca37595ab05d711a3e23c28a39393e1774fa60422b

SHA512
d6b99b02a64a6be1967d62992dba46b37f510fbce729f5a5b5ba7ae61550c4291341acb6c430cd91f1f44f7119f70738915b6b2b5b35ef335a3695b34a542faa

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
93KB

MD5
55728cc87867c052b84744e3147a679b

SHA1
3751580d653e43ffab8885fa77b38b4048fc8cd0

SHA256
62b080f29689be1e0254e39e44ca63e6eea4f48b6cc943af47ef4f6719632729

SHA512
871641531c05bae46164445624c7574bc00d9af5e7d52aec129c75d2701310a40ce159ec39f58429a07c783bfce84a856de7686120812f15ce4a2bd0a6b1e8a3

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
93KB

MD5
dabd03e63817bcaff30c37c8ac7d5506

SHA1
780873ff53619455b79a5d26a37ea44286ff6164

SHA256
c7722ae6fe9d3513e63a5e1a997227ee0b2e465c6afdc9f8d4d147cf6ef349ba

SHA512
73e1f0f5d2580c9f64004c03e360cab9f51b745156692fe3dca5cd8b15e1fb6aff37129093df7ef35579f6ceb5f239f589b2cabb66b2940bff8f3303ba6b9031

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
93KB

MD5
9c1fd1e804549fb44d0c427e14d27bad

SHA1
88cc2d54310947f465d6e41e8f26329af9a7805f

SHA256
675968235e6fd9e7d5c4bfba80dafec58580995e60de774c387a3a71c4b84d31

SHA512
30157e97490496e6cddc36ed3088e096d2fa15604771309df3de60826bd10ac57e3d6d570d8d545d3f2341aee540bcc7f1cd51f494c62e52376cf0950a141b2e

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
b1d1c1507c218753e4d628a1e2e74cb2

SHA1
a0eb9a5f3c7244429440cd9999d98453db300a7c

SHA256
43b3aafa54b9453dd87026de85addfc9f4d838d7decce80a3f00b14647780117

SHA512
3aa0b06f4bf7d6982c96b6dba55c8a489ce5208d282b95e7376d3c31f434121ed5ba65f394b8eef03e36fe57ae35da1fe5821a904375611e0591ffb8341bf74e

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
93KB

MD5
6383ee75c223c044bd8bf03153d8fa7a

SHA1
9fa2c80ebaac52b197b01f997a473ca21c765482

SHA256
446f09e2d061308c8ac96a4033d3121828ce5fe23a050e027981860e352cbcf2

SHA512
c900c84c219dc3009169112655243b88e8947e25ebac324b8d7b06af1c36db483de2b068fa3c77adf0cfcfa067523d2c05f7ac934826094cda2f5fd0ff4d0696

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
93KB

MD5
e69549c329dfcc48400e1121427b7848

SHA1
009d35f407e12af467a3731f309166b33e2042e5

SHA256
a4a0ac788cfe1d986c5070bcd7859e973aaf459dadebbc19c1ed62e468e7f955

SHA512
d326dd6fb73532cdff6c45fb3d7066b182c58c07818a6fa9de9185bc76b156767cd7704bb26d884c79ef2b50391ec6364e6e3784ddb3a23c1c87023d03bd0a89

Download Submit
memory/116-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1980-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads