berbew | 1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056b

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
Size

285KB
MD5

f6e28e14b37e4466daa07c5f5d554f10
SHA1

2b359687435347c5b52f13af703acf88444da228
SHA256

1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056b
SHA512

112188181c415ad92e9513d253cea5ca0dc3465baf1948451e28748f5595b1118d90b9ee5e51ccb0146d41b9114ae0a69b23cc79b869be406bd622506066dabe
SSDEEP

6144:oihRLnfCSTYaT15f7o+STYaT15f6ZLXonvPeZaF8vs:oi/LTYapJoTYapiMnOZ9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 42 IoCs

pid	Process
744	Bcoenmao.exe
3324	Cfmajipb.exe
4844	Cndikf32.exe
3864	Chmndlge.exe
2660	Cmiflbel.exe
3924	Chokikeb.exe
4276	Cmlcbbcj.exe
2616	Ceckcp32.exe
3964	Cjpckf32.exe
1936	Cajlhqjp.exe
2332	Cdhhdlid.exe
4860	Cffdpghg.exe
5088	Cnnlaehj.exe
3364	Cmqmma32.exe
1480	Calhnpgn.exe
2416	Cegdnopg.exe
1560	Dhfajjoj.exe
344	Dfiafg32.exe
4108	Dopigd32.exe
1072	Dmcibama.exe
428	Dejacond.exe
880	Ddmaok32.exe
4784	Dhhnpjmh.exe
3752	Djgjlelk.exe
4176	Dobfld32.exe
4484	Daqbip32.exe
3788	Delnin32.exe
212	Ddonekbl.exe
1340	Dfnjafap.exe
2272	Dkifae32.exe
1776	Dodbbdbb.exe
5116	Daconoae.exe
3732	Ddakjkqi.exe
2776	Dfpgffpm.exe
1712	Dkkcge32.exe
1444	Dmjocp32.exe
2068	Daekdooc.exe
1900	Deagdn32.exe
2264	Dddhpjof.exe
2236	Dgbdlf32.exe
5048	Dknpmdfc.exe
4796	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	4796	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 744	4272	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe	83
PID 4272 wrote to memory of 744	4272	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe	83
PID 4272 wrote to memory of 744	4272	1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe	83
PID 744 wrote to memory of 3324	744	Bcoenmao.exe	84
PID 744 wrote to memory of 3324	744	Bcoenmao.exe	84
PID 744 wrote to memory of 3324	744	Bcoenmao.exe	84
PID 3324 wrote to memory of 4844	3324	Cfmajipb.exe	85
PID 3324 wrote to memory of 4844	3324	Cfmajipb.exe	85
PID 3324 wrote to memory of 4844	3324	Cfmajipb.exe	85
PID 4844 wrote to memory of 3864	4844	Cndikf32.exe	86
PID 4844 wrote to memory of 3864	4844	Cndikf32.exe	86
PID 4844 wrote to memory of 3864	4844	Cndikf32.exe	86
PID 3864 wrote to memory of 2660	3864	Chmndlge.exe	87
PID 3864 wrote to memory of 2660	3864	Chmndlge.exe	87
PID 3864 wrote to memory of 2660	3864	Chmndlge.exe	87
PID 2660 wrote to memory of 3924	2660	Cmiflbel.exe	88
PID 2660 wrote to memory of 3924	2660	Cmiflbel.exe	88
PID 2660 wrote to memory of 3924	2660	Cmiflbel.exe	88
PID 3924 wrote to memory of 4276	3924	Chokikeb.exe	89
PID 3924 wrote to memory of 4276	3924	Chokikeb.exe	89
PID 3924 wrote to memory of 4276	3924	Chokikeb.exe	89
PID 4276 wrote to memory of 2616	4276	Cmlcbbcj.exe	90
PID 4276 wrote to memory of 2616	4276	Cmlcbbcj.exe	90
PID 4276 wrote to memory of 2616	4276	Cmlcbbcj.exe	90
PID 2616 wrote to memory of 3964	2616	Ceckcp32.exe	91
PID 2616 wrote to memory of 3964	2616	Ceckcp32.exe	91
PID 2616 wrote to memory of 3964	2616	Ceckcp32.exe	91
PID 3964 wrote to memory of 1936	3964	Cjpckf32.exe	92
PID 3964 wrote to memory of 1936	3964	Cjpckf32.exe	92
PID 3964 wrote to memory of 1936	3964	Cjpckf32.exe	92
PID 1936 wrote to memory of 2332	1936	Cajlhqjp.exe	93
PID 1936 wrote to memory of 2332	1936	Cajlhqjp.exe	93
PID 1936 wrote to memory of 2332	1936	Cajlhqjp.exe	93
PID 2332 wrote to memory of 4860	2332	Cdhhdlid.exe	94
PID 2332 wrote to memory of 4860	2332	Cdhhdlid.exe	94
PID 2332 wrote to memory of 4860	2332	Cdhhdlid.exe	94
PID 4860 wrote to memory of 5088	4860	Cffdpghg.exe	95
PID 4860 wrote to memory of 5088	4860	Cffdpghg.exe	95
PID 4860 wrote to memory of 5088	4860	Cffdpghg.exe	95
PID 5088 wrote to memory of 3364	5088	Cnnlaehj.exe	96
PID 5088 wrote to memory of 3364	5088	Cnnlaehj.exe	96
PID 5088 wrote to memory of 3364	5088	Cnnlaehj.exe	96
PID 3364 wrote to memory of 1480	3364	Cmqmma32.exe	97
PID 3364 wrote to memory of 1480	3364	Cmqmma32.exe	97
PID 3364 wrote to memory of 1480	3364	Cmqmma32.exe	97
PID 1480 wrote to memory of 2416	1480	Calhnpgn.exe	98
PID 1480 wrote to memory of 2416	1480	Calhnpgn.exe	98
PID 1480 wrote to memory of 2416	1480	Calhnpgn.exe	98
PID 2416 wrote to memory of 1560	2416	Cegdnopg.exe	99
PID 2416 wrote to memory of 1560	2416	Cegdnopg.exe	99
PID 2416 wrote to memory of 1560	2416	Cegdnopg.exe	99
PID 1560 wrote to memory of 344	1560	Dhfajjoj.exe	100
PID 1560 wrote to memory of 344	1560	Dhfajjoj.exe	100
PID 1560 wrote to memory of 344	1560	Dhfajjoj.exe	100
PID 344 wrote to memory of 4108	344	Dfiafg32.exe	101
PID 344 wrote to memory of 4108	344	Dfiafg32.exe	101
PID 344 wrote to memory of 4108	344	Dfiafg32.exe	101
PID 4108 wrote to memory of 1072	4108	Dopigd32.exe	102
PID 4108 wrote to memory of 1072	4108	Dopigd32.exe	102
PID 4108 wrote to memory of 1072	4108	Dopigd32.exe	102
PID 1072 wrote to memory of 428	1072	Dmcibama.exe	103
PID 1072 wrote to memory of 428	1072	Dmcibama.exe	103
PID 1072 wrote to memory of 428	1072	Dmcibama.exe	103
PID 428 wrote to memory of 880	428	Dejacond.exe	104

C:\Users\Admin\AppData\Local\Temp\1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe
"C:\Users\Admin\AppData\Local\Temp\1930dc48fc7ceeb8c5835e5fb14919817796c34a8ac00e8d326e1fda7ffe056bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\Cfmajipb.exe
    C:\Windows\system32\Cfmajipb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\SysWOW64\Cndikf32.exe
      C:\Windows\system32\Cndikf32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
      - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 396
        44⤵
        Program crash
        
        PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4796 -ip 4796
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
285KB

MD5
1cc4cc79e9e7fa17d24fc38261715cf9

SHA1
ca5323461c1ed153ff0b15bb7cce144d8c4d58b7

SHA256
6a2078a1a87f33133e9affdad0461d675b16f52add3ac8c1a295e2a61c92fdd8

SHA512
c16796a5c242a83b5fe76490c006bc92db072aa268f765033b2b821ccd08901112aab1d0dc42e77aa9d06dde65fc0bfd9a58353460a1981ddc136228b3a2a64e

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
285KB

MD5
e64e3a7c786e6624a747647f6d27b12c

SHA1
2d858e21dcc65c5c0f17840b68e56d81639f0915

SHA256
ccaf524c4a297f2e3abe5074643ce346af0523ce2cef673811128ffd08feb385

SHA512
c662422da241836108945d167edc08688234c75cb3cf78db4a55a5253db28da0c8dcc49325cdef7b2103473b8d024af80d1b4d2f677f9b5935420fceec307c32

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
285KB

MD5
edc03b7a5a936aa6b7884b4e62be4ff1

SHA1
91088a80b94f26de389d0b01527dc144ea3bd248

SHA256
b526b26559f5fad8090974dcc2e881620b02eafe839d114ea2a2b9ebf119c8ce

SHA512
bd28f1ad5fb674f32e42bff6f541618ca78464488ddad767e2742be13fc5cac5fabb96af83e094d7cc873f2b1e72d2ee2ad802815a64f86406e64a16e3d103f3

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
285KB

MD5
9d7d87ba36c224b7754ec7f1c4b8b93a

SHA1
2c1434b87ab49b70dc2e234ab480893bfe82aee6

SHA256
d80397074e0c65d4c030bcef80d11955331dfe6a86b41dfbb667a2f66c54aa5a

SHA512
53fbe859f6a7feaba5c4c33fdebe6a916ecafb00c981f4a2c3d54a9e21f4f3b5346cdd19aac8ae0cbe7529060dfa123794e487ee304de6eae90ad9634522ee9b

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
285KB

MD5
d791c9c6a5df0a9e3019daef8152b619

SHA1
04390cf12a39e98a40dd4b673cd7e16def372df5

SHA256
1da6cd937ef49aefb04b651a8439b34a9dbc8cd03f42b71146eeefe3507341b6

SHA512
e1bbd0a492586f0a79a126055acebae155e70946e3ff6d71d8aec261bfd60059e16c32df87959e2554eaeccc4ae19948a718c627163543de653c3d34fa4e4269

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
285KB

MD5
b1ca2b7957bac0ec0b2bcf38f4fce552

SHA1
712a475cdef088408f3732e060c67aa83b8e3fc1

SHA256
fc8b62805dba57fcce1d8ba402230e686a1420690c4c9b9e9f9483e693c4c396

SHA512
1a265b478e72bb1a95560feb17e4a5ff515e1148e1138d2cb10c90eed88eb9d9ea596a00c15fa07de43b13cd3ee6c2ee7707fc3a9b6d18f6642dc3c32a5e30ab

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
285KB

MD5
abc94386d8ff1aa97292cc722e9a5ae5

SHA1
e442b22f3925142b836bbbd2db8c5d7d298cab8a

SHA256
c4fc728a319c5ef1c954b59004697bb195d728cded211417f34f27f2a2f280c1

SHA512
1685f87853c5320e28137c0af7fd23823d73dd7946361680a1e23528d19599dcf028da874f861a02fecdc729e4f55bc3ef95bf072233779c3e1c45b619cac633

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
285KB

MD5
aa57a550cb9fa84f664921841329eefc

SHA1
2bba5a61aed95038f87c9bcb2100a2b66eb3ab8f

SHA256
6c46e542aa05c00c5e3259eddc9b8bb1500f7dd9638c0daf42e1226224a6b997

SHA512
a793aa2ad7300b820b866634dc85da60fcfa5abd03d87becd3389761b4a88443920b417fbf3621f3b3bb39a2ec467d2ab8625fb28ac99a89a6dd79ccddeca057

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
285KB

MD5
50aef29590e42f9317b1f484f106ad23

SHA1
37831f66e8f32049cb865919581bdc25de570fd9

SHA256
53536abd6a0b6994846f77ea885d8d8e80c5014bb6ad7303ce5a55b5fb47cdb6

SHA512
7f21809b7ade38e7f36bf217a6b02145cfd35decd6da87fec414de92eb76455f7510cb49b0f174521c9ee826296626b3294f5095b7a7f0a4cdaa197cf37748d2

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
285KB

MD5
47fc85e7322415b171653a8929e65289

SHA1
a848c236fbb2b6e6a15e7b589b66be51ae01e71f

SHA256
6fcd519c99ce839921054835213820e17799dc1400bcca295304c42022eb4eb4

SHA512
8bcbcb4fe26d948522167442ce92e90b2725af8898eb80cd7dad3d33f6d8a7bf2a42600da0a70c72c31bd2f51a767cdae1c0fde3f8bacb36a9b97d119f2b6f6a

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
285KB

MD5
1a57e7b2ee63ccc19f73ce627d436d61

SHA1
3de6fb98f0392f0a1a69b5c8cf4d70f376d39ddf

SHA256
1dce6275e8c7447da443da41f814cca863ffe5cfa2ee40077148253b124e5b53

SHA512
1b4a901a28f409e736c71d6c5f0dddfb9bd32ad8b6f7fbca6ae9863a0efa80f3a94bc2c9a4c62f0aa6d66de470d23506079032921fa747871851fdd873545af8

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
285KB

MD5
4685134296dc314b627f82ad01764a16

SHA1
746cdf3a7b5c8380a7432dfddf9c9de33d715006

SHA256
89f38729d90307bb7f4d9e45433b93f47ab195fc032e20365818faeac1c0e100

SHA512
5b3d9e92941e134340bfe1af0ab0e8c305a76118ef7b9e189f6c05f46c448bbfc181eae9ba0832dee3f669e45b4a3f2829749b5da29a0c521b935f59cfdf2d62

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
285KB

MD5
038f5a01e01be3d5a3b300935e138a18

SHA1
ac22629a38a7d40c3c852c1546cda786e3aeb48b

SHA256
cc2977f47022e617600c98c94d5e29685f406ed1ad95b2ed3af949d4cce0a5cc

SHA512
ba9c5561af63c79cd3c82bb93e3e61cde8c76aecc65dca8be2d1a23b97efc19b823c6f230cd5debce436af89e63b48dc8b58ae4844e0a3be140852494773146d

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
285KB

MD5
2755f92363d44d09ea94f326fe87ac0a

SHA1
c504a1bf7c5eb5b708ca072f97c69df9902247c6

SHA256
7c0340912bb52c0c3a961670d83ca62c3b535c487fc59a32633e7bef4e1d45be

SHA512
78741d42334790907b97cd3160361c9462c2f0854134620c8c76c4c52fbce4db1de687b252f0415e23d078aee68be5a1dac9ad4e6fdbb906930fb594abf06ad1

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
285KB

MD5
4b576969369fde08f225b814c8c4d73c

SHA1
2e5f1f18ffc1a5a8f7f5c90847f72c64ebbd82aa

SHA256
de5ebb2a8c4c17b4aab40603c90b0564ab9de2a273c4ec25a8246750bcc27bb0

SHA512
6068f1aa95d16f98b33da613e6e73562380d4f9a39f0c7f5fa6dd3fce9f7c140627104c50f542527330d462731145d5f0e0624c5b982b14d33537cd88d2f5b26

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
285KB

MD5
e1b77899a7e72049bc8c2b54d96d003e

SHA1
a404a5590d0d17dcd4fa588000ef4d10c336ab5b

SHA256
8d1fe77adc50802d7865924a2090e1b462581e457883833d167c59baf19159cb

SHA512
96413b84dcd39ea32157054943277cb9ef47bc00927e65a44323003200810577a6f305c92eda1f678db651b3e3287e2f18795b063b9cfc2b0d348b9331874542

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
285KB

MD5
7b35626167b97de41c5cfb70d25a4aeb

SHA1
e355706c54369ab4eecd81497aeb2f871461d84f

SHA256
154b69885be03b7dce595ab6c352381fea562c126954014a1f439c96982037c4

SHA512
63c63a28b2439e252e0693ecf591646dcc138f17ecfcecd401348587eb7561ca8bec59a462919e66178cf848e97f3fb1ab292c024e632691449830d4fc8ad901

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
285KB

MD5
65b525cb1390cbf79b087f20951133fe

SHA1
e8ad237208971dde532d9b680c5ea87d0d9d9127

SHA256
76f27f9091477c2be434fc8e241f01fc7c918ed0f5812af50f54c5c1974542ab

SHA512
525f9e10473acc327b380da65210bc62ddf42f1dd30c3ba88104a71a0dbfca80ee7a186a33dd39adb96a8cc7a12d47feb00a93dfd442b99d3a72fa35b734721a

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
285KB

MD5
3c9347e3445950e3639ffcca8417f8de

SHA1
431364a11363ceafe793db7282ee353fd6e2cb2c

SHA256
e21cda57505c7a94b812da5e0279736363d411c1accd43382121a1393fe11408

SHA512
69dd5cb5792ceb3a251a80b1584b034fd8e49959e40ca60714480aa48bee64c85d2fd2cb686f3ff156d30bfa67f02f8208248dc6a57b579baf68725362641bbe

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
285KB

MD5
3e125332cbfa17a604207031bf9a3aef

SHA1
d469c96aab69473e23089220515e327cf4df1d92

SHA256
6c495f452bbc04635c985a7e327b66286e77e9ffa3753dc7d169825ab10424d5

SHA512
3a6ea5e64c608e29a9ca7724b8575e05ca1d5ca89fcc8ecd16ab184eec49aa52f82dd2135b6f3f141a40d8b5237ff0e025186076d542a0517325e5e646b06f76

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
285KB

MD5
08e0370e73a37d2c0b6648e04939b097

SHA1
311b61f16576c1d67e2452ace28ba226bf47ed5a

SHA256
f55ed79e52a6e60bf70063b3357223acf18705c4af887bd8a533bb40c2ab1f97

SHA512
5116bfcb8f3f452a1737a955ef05c72add8921ad01b98771acd06736ae039d8420f747eb32b4cd61837afb29a993ebaea3b949685cf0f3b566ed507566fa84f6

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
285KB

MD5
06fb34d55efcb2ff754f26307dd21cbd

SHA1
a02b815769859a363d2961b43ae05ad46620f308

SHA256
b13ecdca2b33677e3fceba1ebd99b20bc9347a52137b023e7e0740f2bd15151c

SHA512
8cc9d31364ca8d5e97ff73811f9e79e0eacabdecdd0ed1086c0a53271676c00a453afdbb77c4448c0b12d7fc3eb961c10cc4d11a72ae4adc5921702a2a0f82c2

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
285KB

MD5
89984b1725961bfb3392d33d92770739

SHA1
fad965dd70304013b0194f92eca77fe6f5322772

SHA256
6333c16a7ac338674be6cc14a510715641116e6074db05058bb298760d38017b

SHA512
c80667075d4ee9f4caa3c0772993bbcde191e5459e500daabf3ae753216c1be0c2cca3b1cac9d13fbaf11666b843bcde7180fc213f0f5355915e08c2203b1d59

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
285KB

MD5
4ac18c6961b4ec16732e5c39c53b7325

SHA1
19cf666a41f70e9cbb6e487831da35928350e1d8

SHA256
c1be21df18d1728c85dac868b44411b6239e44cb1a242a7f803c9819a8380668

SHA512
f0c5ef99db6a40158c53ea86efe0adc2adab3d4f0f7b04a927b8b49c199ef132af44cedca8926320a7881b71f269da7a726bad20143150a6ba9255b2b06c2c64

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
285KB

MD5
ca5b9e51441d7c02b1b1d42721fb786d

SHA1
653ab35d9dc5c2064e36c1b80f1c5596a6ac182a

SHA256
e51ac1da84b939addfac603019db74f57890acc1ebea998a9be1daa037580157

SHA512
3512e3afcb3e160b4ad45fd680608e7ee13c8a0088b8249963113f246756da08c455f2a0ac169181392d1f2837dbe4c1bfc57a9d368bd76c3f3c478b8b09d16e

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
285KB

MD5
8e265af450e1ba5998e87a7872d2f768

SHA1
787f171ac417fbc8d6199ee702bdcd910d748cab

SHA256
a0d64067364fe3606793cb677aa7a248b2a48fd29064288981badcf3276e05f8

SHA512
8b502881350ec955f29d372b6f0147ee54de5cdcff6a721c3ca1be4933ac5b07451a062fc2fcdb797eedaa8135237169ee2730c943f68c896c07c63ae066c3db

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
285KB

MD5
7828ec743b52f20e65a4abdfba7a45f0

SHA1
5dd80bd4c8b0a3f1af1e98084ce8cb85e8cb35dd

SHA256
2fa4c8477b1276c79705faff150ea9f832e03617e124f7010bdeddcb66fcb991

SHA512
0dea9aed72613b688548e46bbea30b154e3d6c8c68020d13b1a867b59dd97670877e205c2c91d63133606eea82a743642d68defc224ee39defa2451a3afb805e

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
285KB

MD5
3faa46e5d9e8e09ea5bbfd7c34e44c99

SHA1
c1b562574e93d8c811671728b7c3f5f886ca7445

SHA256
1c675d136b0ff3a7bf28d70f11997b14526813e22c8b141c8d7ac7f28b388637

SHA512
a0d42736f39001055e748c98a1aca571545535f2c130cebda54b1b0f6a3f8322040aea8a749db69bb0bf567350712fe0769c3e415e9bc1bf7063503a38b76cc3

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
285KB

MD5
a4120bf53baa0a3213e69568cf987702

SHA1
7cf5f0ff822b46dd91c2f3e0c36fc380707cd6e5

SHA256
96f7d54b5acc9aab5032c167b641f3705beffc6e9239e95ddadaa31446752e73

SHA512
aede81c83d675102ad8289e05f32ec6104fc1e62ff6de415b52c03cce8909173493f879b6705e873d08f31f755e988d9912f26ca308177ffeb07a5811cfbad13

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
285KB

MD5
bc502a59b2c2c44e0337bd97d96c328f

SHA1
97f19c1631cf57da4ab0310daed64b66e8c7b3b2

SHA256
52b66447b9440d560ae5885818229f1faa34ce1040f064c151a1b45ca9926a72

SHA512
9ea54395829618183b7820b9fd36c66e73f36452e0f11ea3b1271178385c6f4211a6b5cf6d4d25fbb296e3ecb2b2612ab81b7449d319b19b41599e15cddd268f

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
285KB

MD5
24951430b7643764b9ef344c0b0f305e

SHA1
1e67d71ef9b5618c640d8d24e12148bcfcd3f303

SHA256
dfa184b3ffe0b61f26e3eecb9bb48e27b3ca8b0bdf711e85532346bb37bdccae

SHA512
d4b9347ff845250bc463f375b5b3750bbcec6d52b311057949631b14f52c1de92002ff8c6bdbcc017ddd3b0d0280d437bc2e587da1b90835fe2d69ef6cc67bb8

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
285KB

MD5
d541aab72e056f1b686c83093074fb54

SHA1
24107a5afd8c029193c27b5a6b11ed8fc9f0d2e6

SHA256
efd25884c9358adbd45295e237dc93b3afd96e4d68dd0cdff10de99de49c7f11

SHA512
c60403376a8b8ce911b4ffad571d17a875f200fd7e41e6f4faa863bc662feb1395657acdb5171749f1a93bb4c2f6fa2d2725295cb7118b4b3288273f0a75e5e6

Download Submit
memory/212-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4276-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads