berbew | 73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe
Size

273KB
MD5

d7e4a994974959920ea6cdcc95893c5f
SHA1

aacb5663730d42fa185ea74767390e69b99de824
SHA256

73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0
SHA512

ee0245ce0598799c898da123fe01377db38832a138987a007773e9c5e0c9a9d1867d3d624145898aa97806ec5523efb9965c6bf4e17db74afb7869673e6986b2
SSDEEP

6144:4zJeFG8cibfvlsZRkTebwBhGv4dC+1R8pvBgL0eXkUbGKl9veOPSV3uo97fQ6uPL:8S

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
4672	Cjinkg32.exe
4156	Cmgjgcgo.exe
4420	Cenahpha.exe
864	Cdabcm32.exe
2312	Cfpnph32.exe
2712	Ceqnmpfo.exe
932	Cdcoim32.exe
1028	Cfbkeh32.exe
448	Cnicfe32.exe
1592	Cmlcbbcj.exe
2584	Ceckcp32.exe
1416	Chagok32.exe
2080	Cfdhkhjj.exe
2228	Cnkplejl.exe
2208	Cmnpgb32.exe
3632	Ceehho32.exe
3132	Chcddk32.exe
4848	Cjbpaf32.exe
1396	Calhnpgn.exe
2916	Cegdnopg.exe
5004	Dopigd32.exe
3536	Danecp32.exe
764	Dhhnpjmh.exe
4488	Djgjlelk.exe
3872	Daqbip32.exe
3984	Dhkjej32.exe
1504	Daconoae.exe
1728	Ddakjkqi.exe
3820	Dmjocp32.exe
116	Dddhpjof.exe
3556	Dgbdlf32.exe
4668	Doilmc32.exe
3344	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4872	3344	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4672	2124	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe	82
PID 2124 wrote to memory of 4672	2124	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe	82
PID 2124 wrote to memory of 4672	2124	73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe	82
PID 4672 wrote to memory of 4156	4672	Cjinkg32.exe	83
PID 4672 wrote to memory of 4156	4672	Cjinkg32.exe	83
PID 4672 wrote to memory of 4156	4672	Cjinkg32.exe	83
PID 4156 wrote to memory of 4420	4156	Cmgjgcgo.exe	84
PID 4156 wrote to memory of 4420	4156	Cmgjgcgo.exe	84
PID 4156 wrote to memory of 4420	4156	Cmgjgcgo.exe	84
PID 4420 wrote to memory of 864	4420	Cenahpha.exe	85
PID 4420 wrote to memory of 864	4420	Cenahpha.exe	85
PID 4420 wrote to memory of 864	4420	Cenahpha.exe	85
PID 864 wrote to memory of 2312	864	Cdabcm32.exe	86
PID 864 wrote to memory of 2312	864	Cdabcm32.exe	86
PID 864 wrote to memory of 2312	864	Cdabcm32.exe	86
PID 2312 wrote to memory of 2712	2312	Cfpnph32.exe	87
PID 2312 wrote to memory of 2712	2312	Cfpnph32.exe	87
PID 2312 wrote to memory of 2712	2312	Cfpnph32.exe	87
PID 2712 wrote to memory of 932	2712	Ceqnmpfo.exe	88
PID 2712 wrote to memory of 932	2712	Ceqnmpfo.exe	88
PID 2712 wrote to memory of 932	2712	Ceqnmpfo.exe	88
PID 932 wrote to memory of 1028	932	Cdcoim32.exe	89
PID 932 wrote to memory of 1028	932	Cdcoim32.exe	89
PID 932 wrote to memory of 1028	932	Cdcoim32.exe	89
PID 1028 wrote to memory of 448	1028	Cfbkeh32.exe	90
PID 1028 wrote to memory of 448	1028	Cfbkeh32.exe	90
PID 1028 wrote to memory of 448	1028	Cfbkeh32.exe	90
PID 448 wrote to memory of 1592	448	Cnicfe32.exe	91
PID 448 wrote to memory of 1592	448	Cnicfe32.exe	91
PID 448 wrote to memory of 1592	448	Cnicfe32.exe	91
PID 1592 wrote to memory of 2584	1592	Cmlcbbcj.exe	92
PID 1592 wrote to memory of 2584	1592	Cmlcbbcj.exe	92
PID 1592 wrote to memory of 2584	1592	Cmlcbbcj.exe	92
PID 2584 wrote to memory of 1416	2584	Ceckcp32.exe	93
PID 2584 wrote to memory of 1416	2584	Ceckcp32.exe	93
PID 2584 wrote to memory of 1416	2584	Ceckcp32.exe	93
PID 1416 wrote to memory of 2080	1416	Chagok32.exe	94
PID 1416 wrote to memory of 2080	1416	Chagok32.exe	94
PID 1416 wrote to memory of 2080	1416	Chagok32.exe	94
PID 2080 wrote to memory of 2228	2080	Cfdhkhjj.exe	95
PID 2080 wrote to memory of 2228	2080	Cfdhkhjj.exe	95
PID 2080 wrote to memory of 2228	2080	Cfdhkhjj.exe	95
PID 2228 wrote to memory of 2208	2228	Cnkplejl.exe	96
PID 2228 wrote to memory of 2208	2228	Cnkplejl.exe	96
PID 2228 wrote to memory of 2208	2228	Cnkplejl.exe	96
PID 2208 wrote to memory of 3632	2208	Cmnpgb32.exe	97
PID 2208 wrote to memory of 3632	2208	Cmnpgb32.exe	97
PID 2208 wrote to memory of 3632	2208	Cmnpgb32.exe	97
PID 3632 wrote to memory of 3132	3632	Ceehho32.exe	98
PID 3632 wrote to memory of 3132	3632	Ceehho32.exe	98
PID 3632 wrote to memory of 3132	3632	Ceehho32.exe	98
PID 3132 wrote to memory of 4848	3132	Chcddk32.exe	99
PID 3132 wrote to memory of 4848	3132	Chcddk32.exe	99
PID 3132 wrote to memory of 4848	3132	Chcddk32.exe	99
PID 4848 wrote to memory of 1396	4848	Cjbpaf32.exe	100
PID 4848 wrote to memory of 1396	4848	Cjbpaf32.exe	100
PID 4848 wrote to memory of 1396	4848	Cjbpaf32.exe	100
PID 1396 wrote to memory of 2916	1396	Calhnpgn.exe	101
PID 1396 wrote to memory of 2916	1396	Calhnpgn.exe	101
PID 1396 wrote to memory of 2916	1396	Calhnpgn.exe	101
PID 2916 wrote to memory of 5004	2916	Cegdnopg.exe	102
PID 2916 wrote to memory of 5004	2916	Cegdnopg.exe	102
PID 2916 wrote to memory of 5004	2916	Cegdnopg.exe	102
PID 5004 wrote to memory of 3536	5004	Dopigd32.exe	103

C:\Users\Admin\AppData\Local\Temp\73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe
"C:\Users\Admin\AppData\Local\Temp\73aca95635b041b4db9ee5e00a3e75802c4e1609d913f7e581ed4d8c538fbba0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\Cjinkg32.exe
  C:\Windows\system32\Cjinkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\SysWOW64\Cmgjgcgo.exe
    C:\Windows\system32\Cmgjgcgo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\Cenahpha.exe
      C:\Windows\system32\Cenahpha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 404
        35⤵
        Program crash
        
        PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3344 -ip 3344
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
273KB

MD5
357f897d696a91afc42e314c16dd4697

SHA1
99266430daba846e0ccbe7e41bfe40cc66b2067e

SHA256
20cf90785b08c74a22f059a5df8884ac35b9a3c0331e98cf2092735442a6c9fb

SHA512
b888c5e3ff219f28388f914e043fdb25963a43d21e37abd2f150779df5f9eec48c259eeb35e940827dca226a54173102bfeabefc2c1fbda928d75f859910e0b1

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
273KB

MD5
cb1c35c75702bf63984f53b5c20708bf

SHA1
14f8335f3b99d595a0ae65f149ea3474dc2ea06b

SHA256
3052822ff4c39127135b80e9d91a860b436a38949d3315092185ee116ea48d91

SHA512
604baeb8ad8c59483a3b5c46a6a856f478cd1a4d88c8f8146ffb063e53f942d16053cb302c6f4745cd90936f6995e50c5417025707f8e5498a8487f656420fd0

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
273KB

MD5
26194e40e6ca5a9ab3ffdf9e177570f7

SHA1
31c9ebe5d9e09bc704a49989849072e242467fc5

SHA256
2372d241dd1f5c8922fa495818a6fb09edc2a85ed3ef74b8633c09bdaddf88fa

SHA512
632c9a7609713695b752fb30cbf06b8b0b0f0a2ec0e3b04ae6827c95ca10ad78375569bd4eaa890412f1a847d7555f9b604f25c18102ca55782f8bd4308c81e0

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
273KB

MD5
71f0994aada34ea6685bba33c2d5e76b

SHA1
fcf41d1cb65d3fc43a32e88de5ecd9b067cc13c3

SHA256
302f1bbf13bef52f3af60d71d2508b1c69517739ea6953bdf2cccdbc2fb11b89

SHA512
9a5e0af0bc4933e6028484c658f513a6dfbc697bea8bd455f191260e3ff4c6c1d292ba26e4851bc1a03f0014a8ea09e94028c2182cf1e11535de671dc368edd9

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
273KB

MD5
005aff05697daf5f2f94c27bc80fc9a1

SHA1
154982899ad49f195773d92d7ef52ed4ba1a9e1d

SHA256
7e33c8ee17b0722fb4a7d410b5a02ec67f009d95fcac3e8de99143bb2ec7bf8b

SHA512
811ee38690a6b35904b0cd6c18a5e8183ff68e5e3cbc236f55b3ab3dd3b505efccb2f7793f908e0f182361b9a16591431d87d27bf7442604d61b803faa08177c

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
273KB

MD5
9acb84b0b5ac1d207c9aa682a13cf583

SHA1
8b568790b9c4d61649659cd89102b31fca1019b5

SHA256
8f2acf819fb956cabc27a5b097c2d02d1a7abd04f6ad7775554a7793d7ab1b53

SHA512
0c26285e663b5347b475786b54c1a79ace7da8a6303d6777f26f2a8ec5ada5619d83c65933d325b015a020ed1df77695cf3589dba921aee75daebd730107f3c2

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
273KB

MD5
311e71b51ea349f334e7bc859f1eb880

SHA1
3eac1d3f56a3ef59575373a422c5eeff0799c515

SHA256
c09171ff01e80bdf61afdee8a096e0277389630f0ed70aaf63ecce64f1d02451

SHA512
c205bc8c79d582b8c881bbf483927f6f65bf8a284b62b10c54f7ec004d393b74d631e8a32ab40222b00eb99fd7dc641896d0b80da66c83e28e27f88093b620b2

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
273KB

MD5
68f2c9492d77eea94528471cb0745984

SHA1
8f998f88a74cbbc4da5dc98a3a9b9bbbc2afd89a

SHA256
4354282c26cfa359a2d2ce259f579390993c34e85809e23494c00531e7b6d780

SHA512
5f59405213e62fa400dcef4effd2fac8719c3078f4a82ff1d999c23bbe4415acbed6ad446e4bab4dc330d4a65b60fcbe1eb9519720107da65a7bf86da9155b46

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
273KB

MD5
b591987c4c0196e96da0b464330f9a8c

SHA1
0e82990aebe6adb6c2846d4869361699200a088a

SHA256
91f836b39cec56bae6c3ea555463ad2764b66946c6f3edaa2a9ee1488e5aef40

SHA512
7ff4214a8f40f6b8070e78d3eeff0b091a5bc39ca5a2c65904734fc84e6be669c11207ea82f5652782ca249220a3b9fa2ca10e8dd6486033c6b9dae13323b76f

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
273KB

MD5
a976c0d03aad8b53060dc8e0dca0d160

SHA1
11a0928898169c25bdb6170e5521eadc350307e3

SHA256
455a06bd61d55f4e38485448c7d34f836bbc91dfb56fba66a089e820dd703c98

SHA512
d85717d808a04e0caa85b5b590f8f5512cd293eb151a8dee701b5f799bb481b84b07aa7bdd7cb383624e9b7ed77578a9feb63190679161b2b32dbf63c0a2bf97

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
273KB

MD5
515bc06029ccf56d81f31d45c6940aad

SHA1
6590c04dd451012867cec4a684449cf2fa4825bd

SHA256
a31d8457be335d7462c5a276f23c5ec7f7bc11709c616bd3450b6360c6b92bdf

SHA512
e70d5816f7442720662f26ff7de2e2a9cb026ece8ffdbbbfb94670713f6ca979429c203de8d1217f850dbde22af856c9d91654c674023d6a8fe84418333b2d2f

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
273KB

MD5
095f26076ea20b28f89074aa43f2b211

SHA1
7197b7122238475ee0c243f1a67d62904489720d

SHA256
4c7c38e4f2f6a05b4a0ce23a1222d5ede2e1a3b2d1236b7151584ea40b61025e

SHA512
b2566ccb70d79efe5f3daec2d0af479b8930ae6681be6d046a56bffe5b977057695949ef63bba0a64d0cba9aa8b8e97e6be8aa67e71e29ca4c2469e9b7659b85

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
273KB

MD5
2f69c654006acac36721e2960708c20f

SHA1
56e534ec817e60bac637f1736d3e9d0b79ce1f1e

SHA256
652129e3b26375ab7875c6bae903d783503d24b3286c211a2a00765e2926c985

SHA512
d00acf2aa5d99cd1e4111d3a30eff0c4f38dd9fcf19839775f48a022058b0d2f8a874d4084c7debd3e471a1c8d5ea91d050e5ae1420484f6968540bc58292757

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
273KB

MD5
da3fbc48ed4e0eeeddaec7d1275ec5f1

SHA1
8b410047b71ce1204bf67e4099b0251f702706ca

SHA256
867bc85376ba1035a441d5aa9bed95a2b2284652ec32693f7567c9092eb74501

SHA512
387e8a714321c549665849cadc709d1ede3234f4f94ddb347bafc3ebf8060f234ea55c7ec21e7d2e934c4c8a0337cd25e7cb6cdb08acdf3709179eae934615d8

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
273KB

MD5
40daec69ff04a4532776a39ebd9df027

SHA1
dab7f41db4057beb081e3e68af61fa7b8f51661f

SHA256
3a739f5fcff3d2e139c3f33a0ff4e3ce24561b61a2f6670950509fea23947e51

SHA512
7b0276ea6e98bce1871a11fe6d534bc01d0b0183f194af3145ae61fc86c77473872d2fead88aea0856698349871935dcb5433d89c56ef2e2c033928492fe4736

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
273KB

MD5
9a98a31e0aa78e0c517027333d5a24bd

SHA1
0a140f380f345b7c7b8a38d9fc6824b3745031de

SHA256
0ee2ddca10c6af8b1677f8c7f9beb2d206d7792411665c37b7786a4861e96bbb

SHA512
2f863df027d5be30dc9f9a2046bbe975eee7528f8107307107a7400f94fdd4b373c1564a51e8a5f18ae53591a64c5025b6819f40376bf8e6034308791ef59bb8

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
273KB

MD5
ac4a7bef57277fe1d8d17bd16abcfbac

SHA1
366b6241288371ae2e518b42801858db7875e6dc

SHA256
479df5e5e66fece24f02d38a48a112d872d656c1f4f243d621a81ade28ac197c

SHA512
66f66e7cd7925941119644e28cecce6bc12c9a9b74a4ca7fe7a0c126e4779802b64e56913efc3db0dd9dfab123ecdaead2455a2c15bf4937298cb8386d565f96

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
273KB

MD5
0240d6e322e7cab0fde33c2e74c516dd

SHA1
34569d55027ae5499dde636f33f899426b02fe15

SHA256
142138ae261e4b4f814265d2cb4311adc4eec24df51caf58b144119eb97ee6f8

SHA512
79672feb775cf99c0fdf2ff0143844ad547abb6aa4949e44e5bd67b1c8b77877a84a1286922e7c418d7aaa3d5a17fee61ca9fe9f54a75589e3a3fc908aabe4b7

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
273KB

MD5
8f56c37b0267668bc80ece2d529c6cc0

SHA1
1b5a7add4233b3cea457db6e54d45d5e3d620862

SHA256
2b53f706759e1e90a0c0d67f9b20de5f54c22ac79b9dbee6f663cffeb552b5bf

SHA512
c6124be519c358f45f9b88a9385c92862e1e31d5944734d860e48471110c15006675bd66396dd0b5dd362e27eacafb98cfee81456dcce2ef9cf5a9fc57f4804f

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
273KB

MD5
cce6a1b661d85aab0565e18b1239d9ec

SHA1
2f3c17d6c282db8527e9514407262732ed581cd3

SHA256
9270ee31c858bdba5d450ed0c100a59f0449bdf3dae1f88b0bd1828e7b348304

SHA512
29c036beb249ae4598e265a604c49b7f50bc2c59a99ec72775d21a0a6ac5ec92d060ca64875940d6688e9a016d21e96928d38cc5964e5ec6faa65bc67adc35ac

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
273KB

MD5
47b3570d1bb7046f4981abad5a1bd116

SHA1
661d4ef14c1b26fa6bb66f6e9f2bef40a867f9dd

SHA256
471a268af470ca4524c8a3e9dc11ed9ce85ad2fe765b99ddd4dd92d81186a3ec

SHA512
8f8c12bd50693544127b6924d2eb9fb93839f831560c6ef7aaf7e081194fda342f05eb2be8ffc47e16d18ed1ac0c177d694ac2a665a21f942bca420de4992862

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
273KB

MD5
496b6f21159730515fcb89b932d83652

SHA1
11aeb3a87c4e28cd1cbb601be15103e639bd9afc

SHA256
d280e5640c456e6b896e4f28edc30fd16701ba462981b00ebd8dfe27b611165b

SHA512
f6bc780e5a04fde3a7584040fa33f76f76b4e33cda4c7735778c6674c6d4e45be6c5dcab4402d69df0aa1e9ab50e13f82125f0a4eaee73b2152538a7bdecc43a

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
273KB

MD5
13f9b04424b57a0573f961102feead8a

SHA1
2b94bfc0e1360671fbc666b6507e25840ff71a3b

SHA256
70653c0a5ed9cbdc4dc6844eae58120438b6f7d60efbc321c9fe0a65a75a423a

SHA512
43180c606ca62d1ce37cac5108a082b6f3ade1726e8af113e71dee33d16179a53a246f64f303358b637fb1318ce14bf668232373093e410cb746a8f7fc72e8d9

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
273KB

MD5
a582c70bd28e93dd8137733f1f36a229

SHA1
100c27530ce90b44e18012fa4cddccd62c1f3b7d

SHA256
dd6b608aa558e938a442cf5cd2aa3313e88ae9fdc5f91469325daebdd292963a

SHA512
c8421f1e16e3bbccce17ed659d112e9421a3984eff2ee67717967ea370ced610cb869130aee61318e205eb91a93ce943c0ea8cc6e6023409857779b8e3b7649f

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
273KB

MD5
c36135728e4ae37270121b9f970f8f21

SHA1
5e488cda492509f5604ed4feb9c21dbd3be2e9d7

SHA256
5e51400eddf1aa141e574e50659ce9c6a187035c68d63f6c6ad14f29720d10e7

SHA512
3bef61e5bbad498737e911d0d4498e1340800968afd153a0b0d58b3f56ab3ef7d996db687ea7e2889d06c746cacfc816824417e1c601d2e2bbad484637052de4

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
273KB

MD5
892844586e27e751c3cdd022993b1fca

SHA1
4a91f4856b1d14a1025ab3871c026fc3baac67c5

SHA256
6205f9fc57855ca26f430b896b683e32ce55edef5710c66653d97530d0f8ab63

SHA512
13b5c36fd4332812891b6ee245300a00f15c84df63319604523482bc54014af6444d68c955baa5ece2750ef3f6678feed63a32708166e7d77751540bdb89f5da

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
273KB

MD5
9076e4e957240bc33c796de44788d3b3

SHA1
77c07bdf19764ee570b6c915cf017aaa6a6d2c7c

SHA256
65c618ced0d9b2fefb8a1390a134c2421377a16bcc42fa2f8e1947a76e7bb5c9

SHA512
96458020b4a37ff09908a6093fdbb57b34f29b31dba372f2b05f27928a379cccd0b82d6a31d3e4df525085c2b3c91da444f1d0d40f565c3f4ce39d71eb7a9060

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
273KB

MD5
450a01344d86e1a8869ad2513cc05535

SHA1
415d1ba126b99639a271dfff70d7b81ae7d1c2d6

SHA256
775cfcdec36f1f67c5207cb3751b843bdb1617fa6f3064667ebbb67e9a814b50

SHA512
671fc7bcb2dd666f9cca141750f8e57fb9404cd5f694e6824bd9ba69bf8fe27dac162cc53160ae06fd0f389f376bfcf8445d8e2153bd65d6d4776a70af564f03

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
273KB

MD5
46bd72c06e96d795da27975e1319dbda

SHA1
633794ac3c4f69f200b8498c107a36afd8ff5d13

SHA256
740e106722f99da4f4bf79a62f114fc7c6e3b4f4e622a0eec1571fdb23b6191c

SHA512
47ba47e2f854f48fb374f36db3d1a68a5fb560ed68bfc8d0b2e13809f2eaf986be1f197e4e9bf1560b678eb774473f1adee830481b564793d218954f08468ab1

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
273KB

MD5
0ae26063466a73e464bad6229fe970f4

SHA1
94e808ca4b7682a72c7ffb70e10bedb0820c6c59

SHA256
9d5d47dcc2252f0f1017bc1f6578fc77b9f9285455fd8ce281705f22927f6477

SHA512
299723241e1b4ca788571000006aa0d80aedfc224713d7b07248808aa6400fc9da0bed1eb7c3238cfad10fd440658407ae1166c95749d06b2197647a3193ebaa

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
273KB

MD5
1a78bc0f6b8cce25ebcf2e7fb45f6b89

SHA1
4a71790d02ba9a53f7ba579871de7f3a76e7a663

SHA256
036a0b0390ecb6f8829e9f3e74d5febdba53f6c326f2ddaf8397141f5751fc2d

SHA512
a5164aa7e7d5de4a269c49d93a5474f43f385764af7e74e5b13d915c89066d0bc2a77b329542caca38ec13f1fa29b9b4df17b5eb9268fee1772ba869852f83b3

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
273KB

MD5
fafc9a1581ec7aad143056fa7d0e1a8d

SHA1
c2985d426bec152bcf1919f5482ca2aaafcb2611

SHA256
0e35de7157bfedac01639b09e0b469c249e218ce87cf3a5d15c8d782a6912818

SHA512
235ce3f6cf5182b5764aea32347efa6191fdc26dcf69e8b929b4eb535469fa35f25de03e2cc690d7fdfeb6cf7abafd46d501b6ec97a1b6868052ca7408c6ce2c

Download Submit
memory/116-241-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/116-271-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/448-72-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/448-314-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/764-285-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/764-189-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/864-323-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/864-33-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/932-56-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/932-318-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1028-64-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1028-316-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1396-293-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1396-157-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1416-308-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1416-97-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1504-217-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1504-277-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1592-312-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1592-80-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1728-276-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1728-225-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2080-306-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2080-110-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2124-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2124-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2124-331-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2208-300-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2208-121-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2228-113-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2228-304-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2312-322-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2312-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2584-89-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2584-310-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2712-48-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2712-320-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2916-291-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2916-161-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3132-136-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3132-296-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3344-266-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3344-263-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3536-176-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3536-287-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3556-249-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3556-270-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3632-128-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3632-299-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3820-273-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3820-232-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3872-282-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3872-200-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3984-279-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3984-209-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4156-327-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4156-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4420-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4420-326-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4488-195-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4488-283-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4668-257-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4668-267-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4672-328-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4672-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4672-330-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4848-149-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4848-302-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5004-168-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5004-289-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads