berbew | 473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de

Analysis

max time kernel
92s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Size

76KB
MD5

7b33dd6131bdfa9f3b359ab1e310ad62
SHA1

1ed09726ee3e6cb4b52c7fcf29591a3b5dc55a2a
SHA256

473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de
SHA512

ada6c5ffe7218e0dc7f8fbd75c2114a6fc8e6f871e0f940f97d0121007b5ed0139e5cb10f52a4c87cdf9a8c79b2645ae95f4dee95f55f47e9ef4edb81912e2cb
SSDEEP

1536:LPe+ZLy67uGIxjy9MmHnvb0tHioQV+/eCeyvCQ:DqG9MmHnT0tHrk+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
944	Bchomn32.exe
4788	Bjagjhnc.exe
2640	Bmpcfdmg.exe
2864	Bcjlcn32.exe
436	Bjddphlq.exe
4800	Banllbdn.exe
4236	Bhhdil32.exe
3688	Bjfaeh32.exe
2344	Bmemac32.exe
2792	Bcoenmao.exe
2836	Cjinkg32.exe
3472	Cenahpha.exe
1652	Chmndlge.exe
3624	Cnffqf32.exe
4080	Chokikeb.exe
1056	Cmlcbbcj.exe
1908	Cdfkolkf.exe
2148	Cjpckf32.exe
2248	Cajlhqjp.exe
1044	Chcddk32.exe
2440	Cjbpaf32.exe
1532	Calhnpgn.exe
3496	Dhfajjoj.exe
4248	Djdmffnn.exe
464	Danecp32.exe
4664	Ddmaok32.exe
4912	Djgjlelk.exe
2312	Dmefhako.exe
3040	Dfnjafap.exe
1348	Ddakjkqi.exe
3864	Dhocqigp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	1092	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 944	684	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe	82
PID 684 wrote to memory of 944	684	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe	82
PID 684 wrote to memory of 944	684	473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe	82
PID 944 wrote to memory of 4788	944	Bchomn32.exe	83
PID 944 wrote to memory of 4788	944	Bchomn32.exe	83
PID 944 wrote to memory of 4788	944	Bchomn32.exe	83
PID 4788 wrote to memory of 2640	4788	Bjagjhnc.exe	84
PID 4788 wrote to memory of 2640	4788	Bjagjhnc.exe	84
PID 4788 wrote to memory of 2640	4788	Bjagjhnc.exe	84
PID 2640 wrote to memory of 2864	2640	Bmpcfdmg.exe	85
PID 2640 wrote to memory of 2864	2640	Bmpcfdmg.exe	85
PID 2640 wrote to memory of 2864	2640	Bmpcfdmg.exe	85
PID 2864 wrote to memory of 436	2864	Bcjlcn32.exe	86
PID 2864 wrote to memory of 436	2864	Bcjlcn32.exe	86
PID 2864 wrote to memory of 436	2864	Bcjlcn32.exe	86
PID 436 wrote to memory of 4800	436	Bjddphlq.exe	87
PID 436 wrote to memory of 4800	436	Bjddphlq.exe	87
PID 436 wrote to memory of 4800	436	Bjddphlq.exe	87
PID 4800 wrote to memory of 4236	4800	Banllbdn.exe	88
PID 4800 wrote to memory of 4236	4800	Banllbdn.exe	88
PID 4800 wrote to memory of 4236	4800	Banllbdn.exe	88
PID 4236 wrote to memory of 3688	4236	Bhhdil32.exe	89
PID 4236 wrote to memory of 3688	4236	Bhhdil32.exe	89
PID 4236 wrote to memory of 3688	4236	Bhhdil32.exe	89
PID 3688 wrote to memory of 2344	3688	Bjfaeh32.exe	90
PID 3688 wrote to memory of 2344	3688	Bjfaeh32.exe	90
PID 3688 wrote to memory of 2344	3688	Bjfaeh32.exe	90
PID 2344 wrote to memory of 2792	2344	Bmemac32.exe	91
PID 2344 wrote to memory of 2792	2344	Bmemac32.exe	91
PID 2344 wrote to memory of 2792	2344	Bmemac32.exe	91
PID 2792 wrote to memory of 2836	2792	Bcoenmao.exe	92
PID 2792 wrote to memory of 2836	2792	Bcoenmao.exe	92
PID 2792 wrote to memory of 2836	2792	Bcoenmao.exe	92
PID 2836 wrote to memory of 3472	2836	Cjinkg32.exe	93
PID 2836 wrote to memory of 3472	2836	Cjinkg32.exe	93
PID 2836 wrote to memory of 3472	2836	Cjinkg32.exe	93
PID 3472 wrote to memory of 1652	3472	Cenahpha.exe	94
PID 3472 wrote to memory of 1652	3472	Cenahpha.exe	94
PID 3472 wrote to memory of 1652	3472	Cenahpha.exe	94
PID 1652 wrote to memory of 3624	1652	Chmndlge.exe	95
PID 1652 wrote to memory of 3624	1652	Chmndlge.exe	95
PID 1652 wrote to memory of 3624	1652	Chmndlge.exe	95
PID 3624 wrote to memory of 4080	3624	Cnffqf32.exe	96
PID 3624 wrote to memory of 4080	3624	Cnffqf32.exe	96
PID 3624 wrote to memory of 4080	3624	Cnffqf32.exe	96
PID 4080 wrote to memory of 1056	4080	Chokikeb.exe	97
PID 4080 wrote to memory of 1056	4080	Chokikeb.exe	97
PID 4080 wrote to memory of 1056	4080	Chokikeb.exe	97
PID 1056 wrote to memory of 1908	1056	Cmlcbbcj.exe	98
PID 1056 wrote to memory of 1908	1056	Cmlcbbcj.exe	98
PID 1056 wrote to memory of 1908	1056	Cmlcbbcj.exe	98
PID 1908 wrote to memory of 2148	1908	Cdfkolkf.exe	99
PID 1908 wrote to memory of 2148	1908	Cdfkolkf.exe	99
PID 1908 wrote to memory of 2148	1908	Cdfkolkf.exe	99
PID 2148 wrote to memory of 2248	2148	Cjpckf32.exe	100
PID 2148 wrote to memory of 2248	2148	Cjpckf32.exe	100
PID 2148 wrote to memory of 2248	2148	Cjpckf32.exe	100
PID 2248 wrote to memory of 1044	2248	Cajlhqjp.exe	101
PID 2248 wrote to memory of 1044	2248	Cajlhqjp.exe	101
PID 2248 wrote to memory of 1044	2248	Cajlhqjp.exe	101
PID 1044 wrote to memory of 2440	1044	Chcddk32.exe	102
PID 1044 wrote to memory of 2440	1044	Chcddk32.exe	102
PID 1044 wrote to memory of 2440	1044	Chcddk32.exe	102
PID 2440 wrote to memory of 1532	2440	Cjbpaf32.exe	103

C:\Users\Admin\AppData\Local\Temp\473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe
"C:\Users\Admin\AppData\Local\Temp\473c89b3cb127fa127062ab1cdb1ff19912045d4e5f7ce506e5fecca615e17de.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\SysWOW64\Bchomn32.exe
  C:\Windows\system32\Bchomn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\Bjagjhnc.exe
    C:\Windows\system32\Bjagjhnc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\SysWOW64\Bmpcfdmg.exe
      C:\Windows\system32\Bmpcfdmg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 396
        34⤵
        Program crash
        
        PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1092 -ip 1092
1⤵
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
76KB

MD5
798770223debe69b0e2a641f4dd892cf

SHA1
e61d128b286a7f838ebb17d0a3409c57626d70d3

SHA256
b3c6fea2387fce6ef4bad954c40df9e870731cd26d4e65d797c8a464468abd02

SHA512
0ec4e2fa2c061f4a0df5e6c4681c78f744ec3da1cac3e3c56257a6264920a3b4db7e55993c8b7f6d32a3ab9a6d581d079fd04152b50dfd213eae334b121dff18

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
76KB

MD5
fcd691ea5567a2421d97e960d7cb9463

SHA1
b6a7ccc00bd1325a661db66203461aa404015700

SHA256
cbd258adf9a8404edc8d1f371fac142eca16e8d8c4478f11a7a32bc70d2a942c

SHA512
0b6bd44b50e0030bedf8d5c52fbd53b4e2ad603c5cd606478d4394f784bb8e3135065ba46b54fdf4e3d5775aa22b594656670510af54143388094f6e56fc76aa

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
76KB

MD5
96ff5f5841b29c3572a21123e235bd9b

SHA1
2e9063453a72bb5fd36256c68120dd65b686eb31

SHA256
af45f8c0ebbdf639a297b4cb4a7cd064a92cfa8fe7dcebbd858201474a4e8d95

SHA512
7b162794f3828898425102e8b01e9720b79a14ff9265b6dd883c2fdc91cf44ee8a48098bc7178da6d3950213b372f6334b5a82ec75b7769c389890fb23b34b62

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
76KB

MD5
00a4a483f66a3095b81ebe1a26e5bf28

SHA1
efe378cf18418dc5d0b515a62de0f672941b58e1

SHA256
8747801ab43abeed110906abf457f8ed646dbe5fcbe663c73ce1204e2f15f357

SHA512
4d57714074cb034d60821028390b07070847e6020d4a53a45b5dcd872e641655925d80f40b75e7a5f65af534b604fc76b22643018e974856ce82929ed87db959

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
76KB

MD5
1215a1dccc86d9f309642f04069d3789

SHA1
23558d6450dcad0fa3e2da9c88c9bf4bb41c9fb6

SHA256
ded9a90202b13791805b34e06c5ff373b5a2dc9f233e446f51811bded9d2cdc7

SHA512
3d2178670332401c905f5698e215217174b5eb6a2583177623279c3684a23ecf88ff988b3509bba49c85c6ed56115d9f5bed29cb08d57f99b77bebefe47d0109

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
76KB

MD5
9bed46b495d02a5903cb0f88f00e0cc1

SHA1
f3541feb835c38fbb81a6a3303b75571bce81606

SHA256
aa50e354e5a32d7625c09e192dcf63c84bf4c6ba85e0f688d1f6d2db79e599fc

SHA512
df1c969892d4b08f0462bb22f56cefa9288342c635eb3b40b94adc010a65fa663e8748b0c48a994032069a83c15d1d0eec4482a9a2af8ae61c8ff8e329275b2d

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
76KB

MD5
f391cee457493120b93ed5f8db308d04

SHA1
7aedb500663c598399983678cfe207507e369c16

SHA256
9276028b6774bc8d7441406e84caceb63bca74fb47d556c61d4d6f9cb0d7ed66

SHA512
14f2a23942b9f5e8cf064a43f91047236e2145da786c612254d095524ae1d789633de58a29231d414f7faf9ab7d997001a40ce6310ae90aaff1ff94ff18cb045

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
76KB

MD5
a1c30116ae1e5e53b57f9bdefa620482

SHA1
09fca34f440da4fdcde288316509eec30e1af397

SHA256
684be63db459ee1873761afbc7f246e6aafc28817c8fe976c65efbcdd602414f

SHA512
3a32d2a4001b52bb6e9e64943a528e5d5f78ec7a1a1dd0ae9a00670271567715169c0adb13965d4b3bb170bb9e482ce37365880b25f0dc51bb07e84e55a55893

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
76KB

MD5
ca657c86062e802973f54cc51f59c76f

SHA1
c1b945e4c73cb50144e344aff167314771bdffc9

SHA256
4d8722247dc59085532878fcccadb65f7b02df1f464b72c61cd8fcbb8dd09426

SHA512
f1e4a5838577a34c915695043e840d5b9716b472e2b4eaaf6575c3709002bce9b5e6240ad3841d77621164c1d75d2a039d2d4d0cc04e03abcd810627a4d5d906

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
76KB

MD5
4b44ce8796f6d7fe249a655a90d4feab

SHA1
91bbc7beb8155f949fff4fdc00a0b59687902257

SHA256
44ce1cba14590a9b1ea377b74e423fb8338eb2707eefc42e2dd714dda0b18d87

SHA512
f36943cc39ee1c6e7e0404b027e0944254c26e7e3910b07ed019db24c2ba8cb4fe2988df872d918b7e1fce63712a61a6b32f17e958097d6bc4e384e4cbacaca1

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
76KB

MD5
dfaf76861c236ddbc1fad4c5a797dcf2

SHA1
9d99fee31e7e41acd2b9320a77ccdcbf25585608

SHA256
b0f13343fd0407e46e2a1ee472c1a4908b51bb8a0a76edc19f84d648d7ded0b5

SHA512
eacc0d46ee66badfc284f90d98f24468a4e71b7652b57d9535a9a5d92cb568a767bd4f07444e3d6c7984fffb0b07791dced6a4d8a4a0f601e1c13b8fb2fdc092

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
76KB

MD5
494daa56ea2840cd9370801ccc2965fe

SHA1
e20cb880af724c2aa4b198987d71b3dd26bb2ee4

SHA256
9e6bba494a0bfcd286cb0f533d83bd479456600afe5bd53f1b66da22e07884db

SHA512
dafeb317c7060bdc10bfe217e46249aa3187ce8ec5970733d9f640a949089407d37eb015fe28fcec38cf039131a1b4a4118892befdd6720f218fa836548f393e

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
76KB

MD5
e8f795edbc46752060755f5c4bb66e28

SHA1
4dee979e7ee74fa0c9bd0814527549f38fe98873

SHA256
38a5cab7ff1221f555813b74426c383082083b12c4d14bdb3a346d3596f92a52

SHA512
e4f99e53356f02130230b9c42722b2cf3456accfb5ee8bcc4ac8806dbfd270a74c3045ab554e2f1ec7dfe8f3939d24779be9f968b8b7dc6eeb1c117855a5e423

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
76KB

MD5
6fc0085d317e60786e5f2b7b628c0d01

SHA1
9646380af7b7e5fed146ac9f8e90cf086f1e8752

SHA256
2b18f07c7b6389ded3bfbfedfda0ab2aadba377fed2c415fad84ae7bf70a57f7

SHA512
417ab49a6f9fa2200d797c9fc12e726c70b0e48b73c0602247998eb5cb7f9b97a2b5b2765e5de263ae87fef7ea7db0b53fe1c1abf4c11df8ca5ab7012d2c09b7

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
76KB

MD5
7008b79b7a59a9e3ecc9a250dce27c59

SHA1
25a747141c29a6a02a243b0fbf0c78a65b3f13a0

SHA256
8794e72ae33dab9f86ca0bb26f2cc67397a773967415cab132e018c6f3c5b67a

SHA512
6bcf34804ceed02dfa6cf94746408301cad47714b2ceb70915eac7f67ba96be8970cf7a18075d1cd3f7a2478d29f16ab500dc19fd93f0333c7d2dfb947d6b755

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
76KB

MD5
6d16dad355015363314d7fa32d531b26

SHA1
bba9c442af14b4cb1c4e58e7cec874107707c6c5

SHA256
6009b7680c2632413c48fac0f249b08c72f0d3e4dec5cb5c1ad5356217519312

SHA512
f0e57a1ca11665f1d7888f566640ba760219fb001de6cdd3e9098a9a4fb141b7b55d815a590e2665113c115f82b1f73657b68e8ee0a6a5a1f5a525e3cdb17840

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
76KB

MD5
5f113eab99c635f4f0ca6d63580fce95

SHA1
15e4833d38122f52cd1a3f599fd1b39cd9a55e31

SHA256
4e62976b6764325bb5bbb057a0654e5cdc37a17728f14c2a808c6322418fe2cb

SHA512
b8cc15aa045cf1e0754c8c1219e64a6725ff929d06994fd0073fd4a1e2b6965e7254bca39494a3008dbe61e20f33d29f448112cc04bdcd65afc6cea1d2031706

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
76KB

MD5
b98513d8f30ec89feab22df6213f83f8

SHA1
82414cb62d893060106d3da6fc79fe9e20b4687f

SHA256
b22372a74b51dbfd2ab3e2527cde13b2490f10a7ed8f2010d6db58f91f0c857e

SHA512
9d614a1263093abefc474cb9fed2d364b4890f07ca23e25087dc05af97eca277b24ec22b65144ff1dafe5562256d111fef86198909fdde67afb4e10c3fe5a31b

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
76KB

MD5
fc2b4e7af7f1473dc37501d1cc559e82

SHA1
ff4721f2912d839e8d6687c798fd86aea20fd62e

SHA256
18067988cd1eafda6385e165cfac409a29c6d7e5df1698c2b28dcd8e95e8a45c

SHA512
078236e13cc4c4973be1e3eb39d41513a1091f8d96a5f3104c36ee3e51ead4bdd5b6748cfa4009113cedcc94f25243280338a13f47103e6572500f05213efb3e

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
76KB

MD5
904bf0e4efb39971669cb663a98373b7

SHA1
8851ace1946a6eadb351e7472a5acba0582294d9

SHA256
bee582bd4bf15e86ea790564d96d71d94b8a898d8df3955091a50c6445d97e33

SHA512
06762c3f38cf6fd3a433cb2d60a2976d7150bbd85fc54ad1e02e373ebc079b13cf13e8c973aaae3986377866823b30e755a4ff7a3138911488d230f417f6bbe0

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
76KB

MD5
39bc308e73d1767e4cd76f064a552a54

SHA1
44bbeb31f60e4f7504121d2d5b2a1e024047857a

SHA256
c0b05b3b32fa060cecc8480fb22539e37338a3b0543a77eff430c74776a1c599

SHA512
9e5567454593e9b889a7cd539d91305b595747ac4e295077b6ad44da0cd26eca268ad478a72ccd466f39ee82c67cda55ba7208cc4de1f4d3c2a0784325d9a2b8

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
76KB

MD5
a11c0f6511e18d496bb452d2204dc42e

SHA1
c09a2ed94bd0d7f44997aa775c7726dbb1a59ea6

SHA256
fd3241533b6cefc9e345cf44f021c5b0c62bee70f3e0d0eb36d26651bfd82876

SHA512
77d6dde70a5580cdaa33255d28a1683d6dab900e007ac8434f8ed3415fbbfd0b50bccdb787fcfdeb1b5e8e2022182dc58e58aaca09f8da4ca4852c7e2595e6ed

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
76KB

MD5
1ad97918c5832598813aa7a6966edc81

SHA1
5929aafb018c23bdedb9147f4c8656b9225bcdfa

SHA256
93139a33538010a85875b0d74c76fabe5894184670dfd052d750b51e34ba7d52

SHA512
d55e5c1db8f6476998dba405df2679fa7e398b8123760b68d0ab44ff5008e49911a8e0bdd7671a3788e8abb99e203cd7d40b905daaf1dd89629fb91e783db0bf

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
76KB

MD5
49bd3266efa03f02dc71ecd56c0573c6

SHA1
6b7446be99e174145ecc8c8afcb208c729a8c3fe

SHA256
4afbea4285e41f8de072b398bd8375fd8f17b475dc18ce3e7a149d6b694d4259

SHA512
53e620eaf50cbdd47717cd41509dc9bb32631b00ce5a4bb4fae9014dabedb9f4d091c9acd44ec8acbf30204995cac1d9ba8063cb7ebcf80e5142a1b49542f48c

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
76KB

MD5
398709d5594c20d3b7fafd356eed68dc

SHA1
60a19c52732bef3842fe124f89b4736d682a0362

SHA256
eaef936b949f10333a0e95c8ab8605cf79408e9262ab1f5a88ba56217dd90bb4

SHA512
559e02054a170c35185500a56252f2341ff59f01fe85e1c9209d3d9c033ae4e360ec5ccaf21322ffffcc1abbfc3c7ae6c098925c78177641e14c086e8a460b49

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
76KB

MD5
f402a7f2afc162ffdf01402d9464ab75

SHA1
dd9f56e018445fcf2c423b6a92cf214ef8ca9872

SHA256
1c703d681351e78df6d1c9ba44cf10ba74882980e9f00ccbd4c3d05a020a8b3e

SHA512
a116560082921e240b1a34cd08bfff06af4579a91f9661976382277520545a0f7765b29767030be3fad14ea41a2b75cac78946a2c9ae6ccb28ffe89409d2641f

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
76KB

MD5
645f5e2cf99a2bfa737eaa0fb067be33

SHA1
eeb3a6611ccb46d33eeba0103eb12b95f959b62c

SHA256
28f509d83e24749f0904d63a76b973effda09068113aec8804568243f9cbebdb

SHA512
61e8dc7bce29807f699a95928f97d349910344b4189562015abf854772c26acd94383b69a8cae09ea1ab234331501e37ef80d1a91428795cbb9f0bd1b40a80f8

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
76KB

MD5
29a4cb962d173fd0982218b8e0c82c78

SHA1
136574319bc942f8a54af353ed1e1c8d0e9086de

SHA256
0ec1f19956b33b4b85b478fdd39e788694d5c66aaa9f8fbcd2027a26a96fcbf0

SHA512
71a6e3ed25299f4790f3625523375cb38fa64af81c0c1cccddcad0020178751fdcdc3d378f484d6ff0f176ef4a4d2356cee59455d15eb806ff9e8c3508ee181d

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
76KB

MD5
c36729f5ccb3ff8660deead0b03d5fc1

SHA1
90370c62f430b5befb6ae79bd4c634bf4b441304

SHA256
9ba763c8fe6590635f19a694836c0df71fa6174f748525e3986975ae7e06d228

SHA512
da862da75477a1cacb490c84cd576b5e7d321a3a1435ec34a5e69ed2aca1af9ad780e60c9f9977ce689ba89ed8d9ce312bfe1a7299578e94b6714075f1d72734

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
76KB

MD5
bf1d7dd690134957b1aaf0ff2e165290

SHA1
a9de193e64ab7efc4add0bd0dc7038eff3990e14

SHA256
e1685476b00afb508e35b4725554d1cb6756cb591ff3804c1f275d011149bf8f

SHA512
2ee0cf275c633df4b3aa661f891f864a683d2252c02e52340eb08ebcd3d9f6273ffaddc62a7d21c4c84cc8128f2303ad907cbd6a7b5c6c3284368ec8654491ff

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
76KB

MD5
4ac23e8318d9e99caabb6b0fde36981c

SHA1
1c21fe3b63c67a1bb750c16e039ec764dfa3e843

SHA256
2d9f23c7865253809f1097901b02772cab6655c33ddc5a30a9c1f3c8484658d9

SHA512
5b22a50a93f0ec53eebb87cfe0d9b67e12b3b6f438a85d918a2c6c1b8dd61562e53ba30221b39c3a434df67ac039ffc544b9823237d53264b5eac7da1b740e41

Download Submit
memory/436-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/944-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1056-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1056-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1348-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1348-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3688-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3688-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads