berbew | dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbb

Analysis

max time kernel
75s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
Size

93KB
MD5

d94d6c689d1089b763c4ff682b84e930
SHA1

6ecf9ae01ea2e914b5328abb6e04d330d056a3ab
SHA256

dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbb
SHA512

6539b29836aab0ecfe3b095e9e084b56d7f4ec697f77ef34911eb3efae52f545fc1d242633a7fb9e99493bbf21b0424dc1deda54c6e3b7d112d0d4e5bdffe13c
SSDEEP

1536:3DnsZNv4CDFk31EBR//JUO1DaYfMZRWuLsV+15:zns3nBt/JUOgYfc0DV+15

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 29 IoCs

pid	Process
2440	Cmedlk32.exe
3056	Cocphf32.exe
2744	Cocphf32.exe
2748	Cbblda32.exe
2576	Cfmhdpnc.exe
2808	Cileqlmg.exe
2556	Cgoelh32.exe
2936	Ckjamgmk.exe
1816	Cpfmmf32.exe
1256	Cnimiblo.exe
1344	Cagienkb.exe
1524	Cebeem32.exe
976	Cinafkkd.exe
1768	Cgaaah32.exe
2348	Ckmnbg32.exe
1808	Cjonncab.exe
1692	Cbffoabe.exe
760	Ceebklai.exe
932	Cchbgi32.exe
1672	Clojhf32.exe
1288	Cjakccop.exe
2220	Cnmfdb32.exe
2292	Calcpm32.exe
1472	Cegoqlof.exe
2256	Cgfkmgnj.exe
1576	Cfhkhd32.exe
2112	Dnpciaef.exe
2624	Dmbcen32.exe
2240	Dpapaj32.exe

Loads dropped DLL 61 IoCs

pid	Process
2072	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
2072	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
2440	Cmedlk32.exe
2440	Cmedlk32.exe
3056	Cocphf32.exe
3056	Cocphf32.exe
2744	Cocphf32.exe
2744	Cocphf32.exe
2748	Cbblda32.exe
2748	Cbblda32.exe
2576	Cfmhdpnc.exe
2576	Cfmhdpnc.exe
2808	Cileqlmg.exe
2808	Cileqlmg.exe
2556	Cgoelh32.exe
2556	Cgoelh32.exe
2936	Ckjamgmk.exe
2936	Ckjamgmk.exe
1816	Cpfmmf32.exe
1816	Cpfmmf32.exe
1256	Cnimiblo.exe
1256	Cnimiblo.exe
1344	Cagienkb.exe
1344	Cagienkb.exe
1524	Cebeem32.exe
1524	Cebeem32.exe
976	Cinafkkd.exe
976	Cinafkkd.exe
1768	Cgaaah32.exe
1768	Cgaaah32.exe
2348	Ckmnbg32.exe
2348	Ckmnbg32.exe
1808	Cjonncab.exe
1808	Cjonncab.exe
1692	Cbffoabe.exe
1692	Cbffoabe.exe
760	Ceebklai.exe
760	Ceebklai.exe
932	Cchbgi32.exe
932	Cchbgi32.exe
1672	Clojhf32.exe
1672	Clojhf32.exe
1288	Cjakccop.exe
1288	Cjakccop.exe
2220	Cnmfdb32.exe
2220	Cnmfdb32.exe
2292	Calcpm32.exe
2292	Calcpm32.exe
1472	Cegoqlof.exe
1472	Cegoqlof.exe
2256	Cgfkmgnj.exe
2256	Cgfkmgnj.exe
1576	Cfhkhd32.exe
1576	Cfhkhd32.exe
2112	Dnpciaef.exe
2112	Dnpciaef.exe
2624	Dmbcen32.exe
2624	Dmbcen32.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Aqpmpahd.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckjamgmk.exe

Program crash 1 IoCs

pid	pid_target	Process
2968	2240	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2440	2072	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe	31
PID 2072 wrote to memory of 2440	2072	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe	31
PID 2072 wrote to memory of 2440	2072	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe	31
PID 2072 wrote to memory of 2440	2072	dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe	31
PID 2440 wrote to memory of 3056	2440	Cmedlk32.exe	32
PID 2440 wrote to memory of 3056	2440	Cmedlk32.exe	32
PID 2440 wrote to memory of 3056	2440	Cmedlk32.exe	32
PID 2440 wrote to memory of 3056	2440	Cmedlk32.exe	32
PID 3056 wrote to memory of 2744	3056	Cocphf32.exe	33
PID 3056 wrote to memory of 2744	3056	Cocphf32.exe	33
PID 3056 wrote to memory of 2744	3056	Cocphf32.exe	33
PID 3056 wrote to memory of 2744	3056	Cocphf32.exe	33
PID 2744 wrote to memory of 2748	2744	Cocphf32.exe	34
PID 2744 wrote to memory of 2748	2744	Cocphf32.exe	34
PID 2744 wrote to memory of 2748	2744	Cocphf32.exe	34
PID 2744 wrote to memory of 2748	2744	Cocphf32.exe	34
PID 2748 wrote to memory of 2576	2748	Cbblda32.exe	35
PID 2748 wrote to memory of 2576	2748	Cbblda32.exe	35
PID 2748 wrote to memory of 2576	2748	Cbblda32.exe	35
PID 2748 wrote to memory of 2576	2748	Cbblda32.exe	35
PID 2576 wrote to memory of 2808	2576	Cfmhdpnc.exe	36
PID 2576 wrote to memory of 2808	2576	Cfmhdpnc.exe	36
PID 2576 wrote to memory of 2808	2576	Cfmhdpnc.exe	36
PID 2576 wrote to memory of 2808	2576	Cfmhdpnc.exe	36
PID 2808 wrote to memory of 2556	2808	Cileqlmg.exe	37
PID 2808 wrote to memory of 2556	2808	Cileqlmg.exe	37
PID 2808 wrote to memory of 2556	2808	Cileqlmg.exe	37
PID 2808 wrote to memory of 2556	2808	Cileqlmg.exe	37
PID 2556 wrote to memory of 2936	2556	Cgoelh32.exe	38
PID 2556 wrote to memory of 2936	2556	Cgoelh32.exe	38
PID 2556 wrote to memory of 2936	2556	Cgoelh32.exe	38
PID 2556 wrote to memory of 2936	2556	Cgoelh32.exe	38
PID 2936 wrote to memory of 1816	2936	Ckjamgmk.exe	39
PID 2936 wrote to memory of 1816	2936	Ckjamgmk.exe	39
PID 2936 wrote to memory of 1816	2936	Ckjamgmk.exe	39
PID 2936 wrote to memory of 1816	2936	Ckjamgmk.exe	39
PID 1816 wrote to memory of 1256	1816	Cpfmmf32.exe	40
PID 1816 wrote to memory of 1256	1816	Cpfmmf32.exe	40
PID 1816 wrote to memory of 1256	1816	Cpfmmf32.exe	40
PID 1816 wrote to memory of 1256	1816	Cpfmmf32.exe	40
PID 1256 wrote to memory of 1344	1256	Cnimiblo.exe	41
PID 1256 wrote to memory of 1344	1256	Cnimiblo.exe	41
PID 1256 wrote to memory of 1344	1256	Cnimiblo.exe	41
PID 1256 wrote to memory of 1344	1256	Cnimiblo.exe	41
PID 1344 wrote to memory of 1524	1344	Cagienkb.exe	42
PID 1344 wrote to memory of 1524	1344	Cagienkb.exe	42
PID 1344 wrote to memory of 1524	1344	Cagienkb.exe	42
PID 1344 wrote to memory of 1524	1344	Cagienkb.exe	42
PID 1524 wrote to memory of 976	1524	Cebeem32.exe	43
PID 1524 wrote to memory of 976	1524	Cebeem32.exe	43
PID 1524 wrote to memory of 976	1524	Cebeem32.exe	43
PID 1524 wrote to memory of 976	1524	Cebeem32.exe	43
PID 976 wrote to memory of 1768	976	Cinafkkd.exe	44
PID 976 wrote to memory of 1768	976	Cinafkkd.exe	44
PID 976 wrote to memory of 1768	976	Cinafkkd.exe	44
PID 976 wrote to memory of 1768	976	Cinafkkd.exe	44
PID 1768 wrote to memory of 2348	1768	Cgaaah32.exe	45
PID 1768 wrote to memory of 2348	1768	Cgaaah32.exe	45
PID 1768 wrote to memory of 2348	1768	Cgaaah32.exe	45
PID 1768 wrote to memory of 2348	1768	Cgaaah32.exe	45
PID 2348 wrote to memory of 1808	2348	Ckmnbg32.exe	46
PID 2348 wrote to memory of 1808	2348	Ckmnbg32.exe	46
PID 2348 wrote to memory of 1808	2348	Ckmnbg32.exe	46
PID 2348 wrote to memory of 1808	2348	Ckmnbg32.exe	46

C:\Users\Admin\AppData\Local\Temp\dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe
"C:\Users\Admin\AppData\Local\Temp\dee6928347f49abcde86e084b342361c48da93259112ca0d212ac7c33ce02fbbN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\Cmedlk32.exe
  C:\Windows\system32\Cmedlk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\Cocphf32.exe
    C:\Windows\system32\Cocphf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\Cocphf32.exe
      C:\Windows\system32\Cocphf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 144
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqpmpahd.dll

Filesize
6KB

MD5
c0fe2e287a2bfa0e132d172b2b43d374

SHA1
44cedcbb13a9c2913bae862ff80393b8bfbb8d80

SHA256
ff17cfcabdce3af7d6dad370b091b27d29d84fdd838fd6645ceb12863500d319

SHA512
c43d27939610a098aef4da310e4d681b1c2326cf37edd18d8a828208d7372f8043d515aeddd6567c9223b8641723b6f1f6ebf34c4f54da944c7c2296e4045f75

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
93KB

MD5
9ad27d5afb1cf7ffd9c9f60d97ac2926

SHA1
d6f79cd1e633758172c60f01b5a09514ac992ec5

SHA256
ca3eafc5a65658884964860824a8087ec55e4c6ff13a164b399fa3d622fbb656

SHA512
bc8d53223d698f77a1e7b9c667611180b0cb83bb1e18a06554b9114cb4b2a93fbee8ddd5f5b367384d9e33036aaa0fc582d0e231c19c160108d5f83c917ad71f

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
93KB

MD5
273f80f4145f690a3971d2485ebdfb52

SHA1
15a01895784393a7598fc9b9d7e243b2390047f1

SHA256
e620cfd2f53e3d3a1289c1a8df979bc5e34a9309df3d6a8d80af7540a57ac293

SHA512
385754359ed497049e0358bf9cefeaf376193fa143e30bb728e73bf92eff8b2775f95c6c860a379e6f87eda349a8e901eb82427c7a1f639ecdb9b6115d71ed80

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
93KB

MD5
d8d83ab45df9165fe713688e94a40140

SHA1
c488281fd165600025466718c3dc31139ebe8001

SHA256
1ddf0333c909b6e63f9beaeba06c25d26eb6ba19103bb2d2272623d38589e377

SHA512
211a64817055a25f4be84be8d3c228bfbfd3bd535a5a2feeae8abc0396a4a44388c419cfbdfb678914c5a4085e5815bab66848d47098bb1c422bddfe7aa77db9

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
93KB

MD5
0ed4ec5bab5ece8584cb093f9caa651c

SHA1
98755b86c3a15ce67834f2c4d7178b0644f7bdf7

SHA256
44be5d67df309ddcd87566b1e6bc9252c157086869093bc1dff70e396b1147b1

SHA512
4969189452806dbb5f3c5c598a38e79b96d041ada309cc73587359cfac88f1e571a17b445b2e3751e706fa0a8d036907726a9f496d936946a77a42673f331370

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
93KB

MD5
82d5ef8783d2454b01977c06ab2ccd64

SHA1
5166bc4d86018ca1789a2ba7ef15545c5be3be29

SHA256
bc877dc0338ad8078bb431927dd3718153ecab93ed0cbbf6079282622e6eea5b

SHA512
fc4840d8d13f9db5a323f6a5e24b26d610b1f76d6fe23514e1d33b7f81b427c53d1123486f233aab103e46f0addd12a4e9751e257962cbcea67bf840fda8b980

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
93KB

MD5
253d9622560e8b57da286b923fedc643

SHA1
5aeffcad7f81b2636f7983eb3b163c17ae124adc

SHA256
1b93f46678b81e30e4f4a0af9ee06c45be48e3166810ba31e265751c20da8b40

SHA512
90be9581b5b32d9e09426582db1b538d3c2cd0f92344b32e34bfd9039ba2dcb4b14e224fabd1c0607e5a5977d12a799b77e338c2e4be6b0eee1043e6c0c33a31

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
93KB

MD5
9ef6776e1ed18be3e30e3972391dba2f

SHA1
cc789a5e1928f254ab01757900b6226a3abf6b20

SHA256
33ba5bccc8be465bf85b22d505523f117c5d5697b2d249c77923ad3761ebc47a

SHA512
cd7e61c2001f996e03e207327e2856559b955cda67df26f4ca18fdde46971f2b5a773a884125d8879dd0e478a60c7a76ea370ec1efa260c38ed3e3f95b27b7f6

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
93KB

MD5
61fbac7e41be2158fa3fa7330d1ad3e9

SHA1
3b62665481d1a3d0d407cd6a53625a4f5d0fe79f

SHA256
5e77817422d581fd32d118e703d4ec44d042ff2c7637a8d63e9db84d2aa4f58a

SHA512
9e0b6bad5d7f6a98c5b4e12c4b108303d110e7f20367ca9833bb87794f3865bc03102026c39db27092e296549df3b226809c09b01d5ef5f04ed7f1ae4b1d9d8b

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
93KB

MD5
d1946ecd1b5adad8221e87b0faa8fccc

SHA1
f379e072228603e2b81eb135160075471a07c74a

SHA256
4291f44e7baa78a8d51e2a2e85742a4d2d06a752764e1e550e8e55125690db2b

SHA512
1d1e9bd37e237c71dd3b1fd69d16708675143f15ce7130e34196726b8dc22f2d07c1b4af94a321e31434b5c94115a9cdec9b433d04bb7adb1a19ef71a17b797d

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
93KB

MD5
6ffe6d7f910f62f4ff0e7384f041594b

SHA1
ca69e644d494c3cb488c97f5cee382bf7d760159

SHA256
e63da140cfdcdce3fa02a6a6b605bb608341161526c3f774ebd9f44920bfdd2f

SHA512
ba4fcf146c36f34a0d2eb9107b18a2536d09bafafef6b29a794f9ed7b6f2f1cdd549b01c104c68a03e94901b6b3d5cce4d795cf40cba16127c5a56f8bbe55d1d

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
93KB

MD5
95fe7e1bb96b8b2a3c9017bccc612d67

SHA1
85318f21164b7e106528f5e41e35856be72cf1a9

SHA256
f50fd3edbda5f54502a5995fc9159fb8f0f6c245ae68d6b6979618d8f4183ef6

SHA512
05264de5c2588b59724597736bcfefef5ec17e99fd4f8045adc17d48d44740fdfee9d1a3ac74b7236efb80bc1e3eb3f24decea38df79fc134ca4a02e9cb6a2e9

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
93KB

MD5
ec0edc23f627b9e57e6c3c1c4c6decdf

SHA1
2fd492a30cdf2b72d56d6dceabb9720415a80f48

SHA256
2b7e09186331fe89d5c2eb29918b2ab1909187f3aabc5a1ceaabddf59e7c3347

SHA512
0e746f6806fed1dce0ebd87ec0d87b37b0c331367e94198e376c27d03f19ae9ecafeacecdf6fcd161cae509eec7c0cd707fc5ef105905c7a0f9be5da4ff3008b

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
93KB

MD5
db8297b8e4e7432f2f90428845a3544c

SHA1
8dc2d3a4853ff742a15d0f69ce5a93efac14b1aa

SHA256
d31090134a6f184dc13643691bbdc6ebce866492ef2ceac0c8140e98f6b06863

SHA512
ecdb7aea2d16ebd821598084c847c82316323fe1f861290198a3505eb7b94acf8d2516870cbc1666a739dcad666b7147a62c2ca20f4dbd6aa4f7cf820e292009

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
93KB

MD5
d0856ee308c90f38e83c4cb4394452d0

SHA1
e668e54dd968aad5c129785bad5e08a9d566e066

SHA256
968f76bcaf8ff909feb2a5d32ba95afe0c59c371f709f803dc471a2fb3359c42

SHA512
88137297df150472f18eb0ec82e58827dc3f7f599e7aa03d217bd955455da5c4a033fcb42e77d2de7318b921813258392e0720e8def95120cdf3f95220bee0f2

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
93KB

MD5
87ae9aef6c66b6906b04e8765d264dc1

SHA1
52bdba8f280e497e4dff4fb01159df0456ea647c

SHA256
60d6b80d95f0ec8799819c8582b8a7ed533ece8fd4c9439e56c59cee858e99dc

SHA512
785072d65b1b44fde04bc1e1edb1691e82db2c93fa73d463f7035f7d1a8dcf28c921874360eb021b2ce53d5b89408cbc9d14ddbf452084345c43af82aba7ab38

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
93KB

MD5
341102f6356e4d0834f3a80841c917cd

SHA1
1dee187a2be227197d8501ee9f9b42cebddcdb61

SHA256
cefe86bfe80a472048b7b88fac6bfe4f25728252b05b7bc9b52984aab26cad7c

SHA512
0e337489e89b9896eb928258ee5f80eedbabe2d25878175d32381ccd8a8310b757cdc2c3b72fbbcb5a01296ac9802c1d82ea1a8fa40a869445e1de88be2ddbc6

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
93KB

MD5
d2c9ae76478c677f373e0fa622402834

SHA1
dde8b90e7cf3534db270013bdb58e765079303ce

SHA256
25f3f39f2d2ea60a28f440da11da51d18369c864e2fac70c7327349938b0c348

SHA512
f0dd5492b95aff485442710062913e4b9dd582c109e0da08fe6760dada1b98acb07a5fbcfa25def73e3dbe79d313f6ab8a867f60b13de8952caa846c8c44e5b7

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
93KB

MD5
293a73db3def4049475b810491e3bee1

SHA1
c60afc33450cc775b003032d059eb9407f981bf3

SHA256
22e758df95c73194c0d98f1d5600da78d50660e189de1b3cce8221af10e7e779

SHA512
cf26879d32dd60e08f5303371a516124853130146836f929bcc4cda707bfe34b47d49967c02992de689a2e863b46a367b5b888adc73bc7993260875815dc44e1

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
93KB

MD5
d1ef5bc0a477862f632bb034871cfdec

SHA1
51b2c997e28fac8b36047b3d6740a05f67dcadbd

SHA256
37558e33549c4152a94b091282bb05967512d14f6ca69698dd36108aeef12bdc

SHA512
1357500957eb25b2c74f0ef9981a926eee9a312bf5c01fff30e4a5e01a0f99d985641c8dab39abc236f3f1fe07528b8f11235001c85469e1524098f1e92d7a4f

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
93KB

MD5
94a3df4378efd0b57befa59754ea723a

SHA1
78d83f323b5f791621df717c9e6380a00640e659

SHA256
8e6e3991742fa79129f65b61afb4e9b7249f3d450c1f4c96fdf65c73f8691f8b

SHA512
b2c05359a510dbfd43b9ec5b1a0ff1228244e8a58da70384f838f56ac11ed3fbe11a143fd8e71afef9a39ec87d06d8f02eeb22dfe40578b245c19e3fe7aae0b2

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
93KB

MD5
5ac2d8b1ad7bf992606896a57327857c

SHA1
a4c1a11caecf325ed3baef66e9055555fe0f442f

SHA256
65dcdc013be8739e9a17861341cb6e2b3e6d9469970028d14a5b37788e0ad1bd

SHA512
bd98a7865ea113e5ec0676d70ad0eaa636d0260809744d2dce724c1ddc4945123ec75f8889bb1471a2fa22a71408098900f361ad5942ecfa42e3921eb10d59c2

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
93KB

MD5
dd54a24946210b7d33c812f9708d521f

SHA1
077b0b141dcc7672b558e18a27753bb6d392bf0f

SHA256
e92830065cebdbe7cf612084c4347e01366410af6a56eb64d9ba4e22d3146c98

SHA512
63050117addca6c8c5bff4e10c77a9d43674e1ade94b0cecf76345a2dd3e03180bc28ccfe15046c1c3397e14050a203372f48fe0a40b1d28c4b0588f49db4b8a

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
93KB

MD5
7ef1b130deee756f947a5ceb39e93aee

SHA1
e5e30ade58c52138efb5a93c1dde0ed5f5c6847a

SHA256
74a6106488930c8b2945f1d265e2a510f8a2fa64cfeeec74cfe2aa37962ec764

SHA512
bdb88ffab6dd78a1b7fd7e84daced8629afb911761b858204bf2312c3212896be4dfbb4a587a5efe2e9600f390fac54786b5525aa01bb5226b8563e9c313bc06

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
93KB

MD5
79dc30aa6a7526ea1ba5f8e3aa1cf1f1

SHA1
4ca4d2fb36ceac117bce1676d50a051dcfaeb84b

SHA256
ccb30b06ecf6a58f5405b56e49e801bd5bd2843a7bfc28db11a72949e1c602a6

SHA512
e17144dc30dce7d01c76ddf6cb3eda4c6898f3a3f8987f07d5e4e2c2decb42e5704a00784b45563afafde55a5d41bf554ffa16159bdd9904d04358f95a3f35f3

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
93KB

MD5
b3ba86c83a478dd337d4b4dc6aaa7c2d

SHA1
039e3da9126a9fc81a763fea1e503b0843fed4da

SHA256
34c07e184933e56aa16bf3add1ed9a122f4d5871ab192e76c52a8bce4c0df306

SHA512
e8fdcc1d592d584d31ab20ac210efb9dea7d525ccf1f3101e707764748afddf3d5c15c4363a8dbd7f9bfc0c9cfbead5943da235440e8f4467cd2a8e7cf95a9f1

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
1cf740e970d8608e8e14c15ffe263381

SHA1
25e057b3b864537d87512a85937238e42c5d6683

SHA256
b7bf54934cd0c8b5014e5c301bf5d76ec8d3fb114ef557bfb671203ceacb8094

SHA512
9f686fc59b1320b442c38b1eba4222316099c6562929d5c9be1d7cc033ef73110d95aa1b6604b0506a19c61daeb3ddf9f19dd278ea6b6047ab9c43f75cb3810b

Download Submit
\Windows\SysWOW64\Cileqlmg.exe

Filesize
93KB

MD5
f06e719b83698ffdce2360fe6e24f1db

SHA1
22652519198716cffff335dc66e25b2fba017101

SHA256
4e299aaad71c7f5cc65a7e0969e3d5d57fcc9524ff3a9933078dda4844e8fe81

SHA512
2f930b8eaddcd157e9fb300b592549ecc00bd1005a88dda086491fa7d15c6e580a2d661cb6d0330edef57c29329c6a43046cf18674b03b83465f523a8de2cfe6

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
93KB

MD5
6600ae5af1fe25e6eeea738339a9f82a

SHA1
3a37f7f7ecfdea84a8f983e3a243f2bad44b22d4

SHA256
b9a34d59a6e5cbf2a32f600c1bfcb26552f929dac20ee2c2753dd45055912232

SHA512
8d39f27b98b0bc436941533ff8a91d7888a53bfdd53be113d3f028d4f19e35b8ac3f3a4bc8f3e6ad55f23dfc5a79dde5e5e0d1ff74828d50176f9b08b7ca9b18

Download Submit
memory/760-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-229-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/760-233-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/932-243-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/932-239-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/932-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-132-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1256-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-259-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1288-263-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1344-145-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1344-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-293-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1472-289-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1472-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-160-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1524-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-313-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1576-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-315-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1672-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1672-253-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1672-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-219-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1692-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-189-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1808-210-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1808-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-119-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1816-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2072-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2072-339-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2072-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-321-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2112-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-273-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2220-269-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2240-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-299-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2256-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-283-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2292-279-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2348-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-197-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2440-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-94-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2556-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-66-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-334-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2624-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-333-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2744-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-39-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2748-53-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2748-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-79-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2808-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-106-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/3056-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads