berbew | da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
Size

176KB
MD5

612d551351d6fae697edce910c5eefd0
SHA1

1d5ecb07795b27f20761b092ca7abf2cccf9fc87
SHA256

da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31
SHA512

b33d974316b835c1ef6010948a09b109f05629333ee96ec864dc832f7cea0371811e2162a4da286b5a3f761c2e21d7f74ab3f19afd563449cd7ef07984ee16c5
SSDEEP

3072:j/et7nkVH/ce1KCTnDarlOGA8d2E2fAYjmjRrz3E3:j/OaH/cGKCTnDRXE2fAEG4

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 37 IoCs

pid	Process
1540	Bgehcmmm.exe
1668	Bjddphlq.exe
3376	Bnpppgdj.exe
3836	Bclhhnca.exe
2416	Bfkedibe.exe
3624	Bnbmefbg.exe
520	Bcoenmao.exe
2560	Cjinkg32.exe
4892	Cabfga32.exe
1800	Cenahpha.exe
4896	Cfpnph32.exe
2364	Cmiflbel.exe
2644	Cdcoim32.exe
2568	Cjmgfgdf.exe
4976	Cnicfe32.exe
1716	Ceckcp32.exe
792	Cfdhkhjj.exe
4328	Cjpckf32.exe
1868	Cajlhqjp.exe
316	Cnnlaehj.exe
856	Calhnpgn.exe
4624	Ddjejl32.exe
1808	Djdmffnn.exe
5008	Dmcibama.exe
1216	Dhhnpjmh.exe
904	Djgjlelk.exe
4416	Dobfld32.exe
4748	Daqbip32.exe
4936	Delnin32.exe
436	Dkifae32.exe
3532	Dodbbdbb.exe
3232	Dmgbnq32.exe
3900	Dhmgki32.exe
4484	Dogogcpo.exe
3256	Deagdn32.exe
3996	Dhocqigp.exe
4816	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4432	4816	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1540	4884	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe	83
PID 4884 wrote to memory of 1540	4884	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe	83
PID 4884 wrote to memory of 1540	4884	da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe	83
PID 1540 wrote to memory of 1668	1540	Bgehcmmm.exe	84
PID 1540 wrote to memory of 1668	1540	Bgehcmmm.exe	84
PID 1540 wrote to memory of 1668	1540	Bgehcmmm.exe	84
PID 1668 wrote to memory of 3376	1668	Bjddphlq.exe	85
PID 1668 wrote to memory of 3376	1668	Bjddphlq.exe	85
PID 1668 wrote to memory of 3376	1668	Bjddphlq.exe	85
PID 3376 wrote to memory of 3836	3376	Bnpppgdj.exe	86
PID 3376 wrote to memory of 3836	3376	Bnpppgdj.exe	86
PID 3376 wrote to memory of 3836	3376	Bnpppgdj.exe	86
PID 3836 wrote to memory of 2416	3836	Bclhhnca.exe	87
PID 3836 wrote to memory of 2416	3836	Bclhhnca.exe	87
PID 3836 wrote to memory of 2416	3836	Bclhhnca.exe	87
PID 2416 wrote to memory of 3624	2416	Bfkedibe.exe	88
PID 2416 wrote to memory of 3624	2416	Bfkedibe.exe	88
PID 2416 wrote to memory of 3624	2416	Bfkedibe.exe	88
PID 3624 wrote to memory of 520	3624	Bnbmefbg.exe	89
PID 3624 wrote to memory of 520	3624	Bnbmefbg.exe	89
PID 3624 wrote to memory of 520	3624	Bnbmefbg.exe	89
PID 520 wrote to memory of 2560	520	Bcoenmao.exe	90
PID 520 wrote to memory of 2560	520	Bcoenmao.exe	90
PID 520 wrote to memory of 2560	520	Bcoenmao.exe	90
PID 2560 wrote to memory of 4892	2560	Cjinkg32.exe	91
PID 2560 wrote to memory of 4892	2560	Cjinkg32.exe	91
PID 2560 wrote to memory of 4892	2560	Cjinkg32.exe	91
PID 4892 wrote to memory of 1800	4892	Cabfga32.exe	92
PID 4892 wrote to memory of 1800	4892	Cabfga32.exe	92
PID 4892 wrote to memory of 1800	4892	Cabfga32.exe	92
PID 1800 wrote to memory of 4896	1800	Cenahpha.exe	93
PID 1800 wrote to memory of 4896	1800	Cenahpha.exe	93
PID 1800 wrote to memory of 4896	1800	Cenahpha.exe	93
PID 4896 wrote to memory of 2364	4896	Cfpnph32.exe	94
PID 4896 wrote to memory of 2364	4896	Cfpnph32.exe	94
PID 4896 wrote to memory of 2364	4896	Cfpnph32.exe	94
PID 2364 wrote to memory of 2644	2364	Cmiflbel.exe	95
PID 2364 wrote to memory of 2644	2364	Cmiflbel.exe	95
PID 2364 wrote to memory of 2644	2364	Cmiflbel.exe	95
PID 2644 wrote to memory of 2568	2644	Cdcoim32.exe	96
PID 2644 wrote to memory of 2568	2644	Cdcoim32.exe	96
PID 2644 wrote to memory of 2568	2644	Cdcoim32.exe	96
PID 2568 wrote to memory of 4976	2568	Cjmgfgdf.exe	97
PID 2568 wrote to memory of 4976	2568	Cjmgfgdf.exe	97
PID 2568 wrote to memory of 4976	2568	Cjmgfgdf.exe	97
PID 4976 wrote to memory of 1716	4976	Cnicfe32.exe	98
PID 4976 wrote to memory of 1716	4976	Cnicfe32.exe	98
PID 4976 wrote to memory of 1716	4976	Cnicfe32.exe	98
PID 1716 wrote to memory of 792	1716	Ceckcp32.exe	99
PID 1716 wrote to memory of 792	1716	Ceckcp32.exe	99
PID 1716 wrote to memory of 792	1716	Ceckcp32.exe	99
PID 792 wrote to memory of 4328	792	Cfdhkhjj.exe	100
PID 792 wrote to memory of 4328	792	Cfdhkhjj.exe	100
PID 792 wrote to memory of 4328	792	Cfdhkhjj.exe	100
PID 4328 wrote to memory of 1868	4328	Cjpckf32.exe	101
PID 4328 wrote to memory of 1868	4328	Cjpckf32.exe	101
PID 4328 wrote to memory of 1868	4328	Cjpckf32.exe	101
PID 1868 wrote to memory of 316	1868	Cajlhqjp.exe	102
PID 1868 wrote to memory of 316	1868	Cajlhqjp.exe	102
PID 1868 wrote to memory of 316	1868	Cajlhqjp.exe	102
PID 316 wrote to memory of 856	316	Cnnlaehj.exe	103
PID 316 wrote to memory of 856	316	Cnnlaehj.exe	103
PID 316 wrote to memory of 856	316	Cnnlaehj.exe	103
PID 856 wrote to memory of 4624	856	Calhnpgn.exe	104

C:\Users\Admin\AppData\Local\Temp\da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe
"C:\Users\Admin\AppData\Local\Temp\da19a46b9a098754c100e2f8caeb6d06681d841b017636e5bcd176678307cd31N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\Bgehcmmm.exe
  C:\Windows\system32\Bgehcmmm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\Bjddphlq.exe
    C:\Windows\system32\Bjddphlq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\Bnpppgdj.exe
      C:\Windows\system32\Bnpppgdj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 400
        39⤵
        Program crash
        
        PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4816 -ip 4816
1⤵
PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
176KB

MD5
8f3c814118bf1cb667b27d04d831faa7

SHA1
9fc2f1caed0910f1bf68b7cffb604a232099e78a

SHA256
63137295c59035ebcbe61051597f2fc2b639c0046ef178f49c727fe388d12e2b

SHA512
3fcdfdbcde71f70f38cfd1414e761a8637d110ed8b384b7e4b0de6a6db40e3070b92b749d186233264f141419a3ebb789f7bab1a2ef58eeefbb83cc4f0ccf12c

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
176KB

MD5
b09e1a6f662d873ff22c1982ea783a9e

SHA1
aad38fd3813691de038e8d15dab090495ccb3591

SHA256
b9e8e6fdc9fd92061162bad98f8b08c941adef90552002a5b6d26072ace2052b

SHA512
8748a1768ef9a8e8f625f5ea006955bb269f9859ee8e398fa9c02839983b623df9457f52ff9122f271c1cdd4c0f0c07ff89d339452355be1f4362ea4fd05fe79

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
176KB

MD5
374f6ffde60dcef0cfada1899b9421b9

SHA1
467ee8e8fee307a7db52f0e2ef28155baf35d655

SHA256
f8afc07169735487360a00ad64f10af5d45b2e7984db8c97dfc15ac5137e6155

SHA512
bce1601b2bdede846c0d98398400cb13115c3b6aa4eeda1bd89da41da05e94e448c8934478b6e4d19c6181e7fef82c2d828cef24f6b29f4a769e421f3343409f

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
176KB

MD5
a60a08eed3fe80bf5fdeb5c6e1fc4c02

SHA1
af9b688b228733dbb448e68704126f642a98ba7c

SHA256
b513604231ca5331d283c40f7b62122ab55732ef2107d98088cda4533310da1f

SHA512
9aec05f5aa479a3ae8b66e7f0945aa2db6f3f513cfde0202afaccb80fbbeed8b4c58ab324f18d4ca8a56843f731bb8370aa5268c692265dd0e95a51061dd2bd2

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
176KB

MD5
026de182514eabaf684365f2e074d3f9

SHA1
fba2428019156131e5e268e86fc72a2403770016

SHA256
b8a2d00faeecb3130cc61a80755744171c80f60c52a98a6e328b967555e96098

SHA512
6232dff20d471760dbafe96f85a9c2a780b3386f70e5716ebd2063fae8cc325cad2ac398cda0855062c48f3c2b1b7d5282f4c21294caf5ca07346edf01866526

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
176KB

MD5
5b2e222ac9ee92c417cf108d57471dbf

SHA1
d1e0c96d7fce24d092bb5cad4bffabd5375472c0

SHA256
2ed8a0a503b1d7fbf82fa24422d26126512705164e422f3f4cdbe98a8e6591d9

SHA512
da642f041c8b2602a90e7bf85554d903f3de3bd7d8eb896574f29a37cd64ec7d95226fa3c9f34d3e402ca7ae5ed28013a190267a943026ad143b603e62d98820

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
176KB

MD5
13de8a26d7c136218b24d3f51ce4b7a9

SHA1
aa6d534bb130d2b7a83ff004eb62fff1513db44a

SHA256
d4ccb5ef9ddff67d8cbb1c809099d9d4e0ad2c5ec1ff40e18c7e3918b78afc88

SHA512
f626a1c380e9c8343a8d6d2b1a7153b2f5b139ffd534e35f65b924620a472233738ad1fe59f7f30241d6cc9ea9a248203e3260af112acf1ebeb8e106b7a416c7

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
176KB

MD5
ff560847cf64f30af6c5b474269b0a55

SHA1
6429e4cacdef79d7fe2cfd1bdbdfcb05aee84fc0

SHA256
88717783b670a79112da7c929465a2b5ae016f2b0d167a7646bb63b1d367267c

SHA512
d61a368b20288b47f92e7487a36152f2c3ee3d601df01996eb461fc35b2c64387b83a14697fe1a5426cecf55f50395c033a29e5a5bed223e9e0e311548402942

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
176KB

MD5
8969fe7b14565c18dc0d0dcd243a6a0c

SHA1
4110290227f111a171579d9bc260838d22c80229

SHA256
27eb2dc3d0fba89326a3ed7009e43f208946d2d137beecd2b20cfa4a349071ba

SHA512
d3faecf54d74c8311b325fa5182c5ce8a63a7ce0db9021f5acedf19c45e7af50a1502720200e119c181c08edfa4a134e039539b9ef4dfcab78951f6703c7e31d

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
176KB

MD5
b5bc0f85c6561f2ea765e385aa486db0

SHA1
c5782388a48e6beb782ee808119d4f95c7cc2da5

SHA256
76abdf7264e70fa9a868c216407c10f288102d0ca061c2fbc95dee01721a3363

SHA512
0f3dc01ed8568ea001aafd4fee7f2ef0b66c5b6ce10dfa299b56a6500a22b6bc2ff244fca7b9e3b6c1e0f24c394244a82a599b6f92674674bd009c3ff54d235e

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
176KB

MD5
9bee3788376b6525d75ec91b97e374ec

SHA1
08d63cea8b47cea1b046c864ceaf17a2eab4ac3b

SHA256
63c1e83aad83b0b5bf3a91329925375a396a5a1295eaeeeec317124a31d08bff

SHA512
6c1b1c35c28fbc9d0c84ef8d31bf7e77285d68fc92c48fefcdce479145e5f5e6ac5c10660bb87cfae8cd3833595eac7ed5245f83b89a487954ef95d2e932c1cf

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
176KB

MD5
756b88fbe205f2a1c4d931df31a762d2

SHA1
627d0b2d1e3081a8e5501bc4c25ee4f7457c6ab7

SHA256
cbedb7f3e1c12c2a9b1e5ae4a587782b2042056ca42753cc3f1f7ced63965c7f

SHA512
e8ba7dc86fc0ffcdcfff26e41281381c018df8fb63c42661dbd4a3383bb546237bbc144aeedb5e5505c5c9dd091668ddb2106df8ec74a67120a30ae5d814b124

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
176KB

MD5
d7fd0c26c5871df2187b3d53e19eb9b9

SHA1
1558c371e6e469ddf3b46a823320abc6d5b8c2a1

SHA256
d877b202912d666395f75b956250c574a40521e8f3a70f11a5f7c0984d7045ca

SHA512
3725518bc2b9aa6fe33f2a96a7a999807fa10091e73bcf2118b6a636ffc79d77e00ca0043dde9247e8633210847bd967a4ad121028a3f2bdba864e8ef6fbc802

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
176KB

MD5
15e0b168375004aebcfe1da018b98fff

SHA1
dc835105a466608fe8497db4450ae8f007014246

SHA256
6a6d274d32e0ae3e09099131655d14fded788c2e9aaadb2d4d66e4a4d06689df

SHA512
f5739ef8e75ad1f3fb5f553bda40fce3fb7463b53e2ac54a35896f5dfc19f3ea5eb741c06a14b2512959b6dc33febc12e7a986342f817827c7bb3fba07fafc6d

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
176KB

MD5
e7dbf8b018edb8bd3b7a7bac1641cf11

SHA1
e91218e4f89ec9b56ba528a77a4722e7abfce664

SHA256
4cea4addee511f0318d95be357534db1d86f4710b65c90a3099e1e2ddba500d0

SHA512
a43ea481f43c2e7dccc05087c470bc1e2f13a256846e0ba4a9b3aa19e22b5543529fe9fe503fb93eab273fc190ae2e662ae56046232f10cef5c56d7461832ca8

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
176KB

MD5
298bdc886d9a2721658427f4967c2a9a

SHA1
0cf9403ea0504752dc06ec5f36d092b26e81394f

SHA256
faa3006dd01d9cf9c645c6684244b90df5ab6d1a045d129cbfae44b65a9f1bcc

SHA512
c166ebfd0b5c12f7863596b86798f0539f3553d843f0c4df829946f374bb3a425b350a8217fa0fc42a4edc526109c996903b60bd0873eadba13404de7ff08317

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
176KB

MD5
15e54f1ca49f37e8c32531139709af25

SHA1
c908e88c71c5ab64967b52a3a857934f6aa38b35

SHA256
529ea7909edd61a2ab7f8885b3baf6c4f106b86a30fcc4317ffb4b30c71d0fb6

SHA512
031d36d773ad234838d439d6460394cf6a829400f3e8a7a42f49b41f5256b1849d632bc89acf1e23b508c3b6f4cc81514d19288c9d169190706cc6bf61866a9f

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
176KB

MD5
fee3d129dde3e7368bdfa39244f51d00

SHA1
39e48ca0fc1260fcf6dc407a17bc966482992190

SHA256
74855c5006cd4bae80d585fb2775e789589fe360c1454e90f63a8e3253753138

SHA512
ebd992922fef2a0d795f2ed6a423f8fd95cde323c0e5224ba8b1d5a53c2d796500a7c8f60fa846b7471f6a655d575fb26445e9b2964f19de4bda8988bea824e5

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
176KB

MD5
1f84cd6641dc21982996f64d717fe218

SHA1
bf348b58309c3d1fb67a95f210ad8d3a67c12fb5

SHA256
a48de6e58de42c02e14cfc7697e69258763a2a0166bca35a1afeb4a14c233041

SHA512
2aacc56cdc53f05a2d0ceedc3a3923c5c6dcb6bea6edb176bb71d5b2c2bf8571bfd37f7588c3175aab8cb42887bdcf4f964344003a1f8eebf18d0705ea73a093

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
176KB

MD5
0bb943b2da6b61cf6a455d399f8527a8

SHA1
e13224be05bdb1147105a0d4c0c23a9390b32a89

SHA256
807fa56f910dbc0f31b7855cd6fb3a93dc1ea3c3e0d51ba47729fae796245bed

SHA512
8d4240e85336b5100453ae3902924242913ed16bab3c816a2fb452c66346f3f7d03198760e3b430902b3e75eea03691c018cf85e9f73fc7a541029a656a23834

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
176KB

MD5
a553148140901a286f4264d060afd94c

SHA1
8d76b2afddb9ef9859187bc71ff1a70f771cac4e

SHA256
6f302253566abd0186c813b2f04ed85dc71226947724596cb14e7d8358f3e305

SHA512
48a8216c2c173ac0c3c6ef149b5072a88d14d287febfb8a073b670d13d557b5da783b669c8afac6bf59d983743ed03894a660f4cab263a9a74d896e1199bf7e4

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
176KB

MD5
300b4adba0d9e0a6cb1cf6cca93064ff

SHA1
d6f9efb86b4579568dc5bc2b9d02bdd7ab1e1250

SHA256
ce05ba2acd6c949b43f3051a65b1fac4729e3500eaa85af54dd8c4dc896358e7

SHA512
e265a20ab173ef7741f26a9c78cdb80e23d12f9878408acf818141975d81fe301b14587b948cc9650b92455fa4f923a8fbf3538c9f1859c433433d64e073db8e

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
176KB

MD5
fb4953ea25a8ddacd7bcd6074e775b3c

SHA1
bd8b2be6aaeebf824a3f4da5cc946b8231bc916d

SHA256
43a07be2a56157885b4d945041bdac68b80a03219bac6cb4d0845f71a4ccf8b1

SHA512
be3b3c63afd22b72e0efd24b4db05b9dc591729f0445b938c8ca7d98893b736d4012ac6b990936e8f6faa8ed2f9e87a73a27dc95ca02510226021dcbd4957563

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
176KB

MD5
e486a960f409ce65486d4833f98173d2

SHA1
4dbcd33be08f5f86739cb936df575cb2388f97d6

SHA256
8c8fd5e43aa418fb762ac33b817ff3a6b24d74cb576cd84449bd7c91d9dcefd2

SHA512
5103eafda35bf21aafc74d46a84b62cc056015d1bb68e29ead5d3c6ac383a8111869202dd837470dea1378cc3438c54373610bdd176a146ed2ee7fd4f40cda68

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
176KB

MD5
d1dbeac26398f7f80ff2f02aa2f0a118

SHA1
13947b700d1ee70e713a8444f34246d7629035f0

SHA256
53c5c22351e1cbc9195240ef87e21313ee28a6585f3511f6dc53d3a317dc839c

SHA512
5be53bb2de50931988525ed32e6718036a6d0802a322d2ec835d6ba284597dfb529fea1498d18b56ab6ae29a471a8c737e1c95cef36d3d64072dc813a5748146

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
176KB

MD5
960c711365ecb5e564c7f79b5b12c36d

SHA1
8994758030723493227cefd5d4b457c71fbc2a49

SHA256
dbc18a33877a7a158742894ec978c1f0f7e386882b129b135c6bec83c6e23008

SHA512
cb74aaf5a315fbb10b214aec48a8f998f4bfa324063a7d9459fdb84fc35109fcd200404bc0642d0692baabe10bfe9e2f753807786c64bedc92cac3b8b10ffef9

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
176KB

MD5
7411d0ccb270b82ed6a0b0de2263242e

SHA1
4a011ae69d3dde54b4a4143cee67a6a16271f534

SHA256
8bb994b7982eded08945bd8cb3e8336e924de12156c7a1a2166a41e1927f5bd0

SHA512
250ce77f6625b986ce0e4ec1125e492a7af20c941755906f45edf7f3739b69929f1beece9b622c69358da0b927c7ad3c1f11d54a79e3e95730634cd966223126

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
176KB

MD5
3d04986813e5ba8bbde01a81c418ebca

SHA1
13c782f4204da6e2d34229874a6ef8d6eb927ae0

SHA256
378138307b40f3c848ee75af570e7a7828b5bbfb6090ddcaab31bd29ddb4d367

SHA512
00de6415707451afcc7a645438cda2abfc477850077301713a2e4fedf1614b10d82461ed74047bff55737ea15cdaca53be007d6d6d0cc7b5172b7305911459f8

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
176KB

MD5
18b1e3c67cb9ffc19442cf8f3e52f2b2

SHA1
f400cc797a5eeea23c15afc226ce0663530d6853

SHA256
8978fc43a2ce81fe27fea09343f1c1908df3dbf6f6f0861b2b7d1c632fb50272

SHA512
12dc080f0f59d6cc697ea55d6d6b069d85ac02af5c2d8e4d86aa384e17fc74761477e6f2e4b32f1b740a0a8ad29a8775b4db5aa6121e9d8920f91d57db287c3d

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
176KB

MD5
358e2b18b26701ec1766bef2a7ed62e8

SHA1
0b0e645260bffb14556ee225db3fd7c97ca43c75

SHA256
59529c25ff1c9b6fa90c55d845c4c77930920673da506fc2ae7f1bbbc0d6e69d

SHA512
9e9971627e5922990f9956245456bb1c272bde76bc1c7127a8a8a07f5c6c3c96f2b840afed00faa09f362339dedf0b1a924374f6096f1bcbd3038ed857afbba3

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
176KB

MD5
9abe7f30ea3f3eb75591101240858ebe

SHA1
c32e5745ad91e7afbb9e2410f6903d27fcfaef2f

SHA256
633d313e9c6d9f7849ef27c0cb495b56574bd4a5430ada3df8901900413ceb86

SHA512
0ec69040b884aa443c0f872cd2d73c7578c9e295e276ab5a1802aab9c1056da5a2ec8f5f518b306ff28b4864fdeb99b06dcc6eba723dbbb3fd5bca9f945f6d39

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
176KB

MD5
6a576f743c2f4d96f2d1c38cedf7fd66

SHA1
9ec8b1b8ed774b81b749828052f354f546886364

SHA256
5744015676968a79d5cf3376fa6d1e786fbbe6f8556e2ee00e35d88e69442ad7

SHA512
6f0835f54fd965c840fdec8a5e738e083d4c9d7da93d80135a98224f18b89e5a0f2b7d12f95e029de02134a25902cf4cfd49e246aeb6e450bd3d2967bdeaacba

Download Submit
memory/316-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4884-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads