berbew | 03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe
Size

479KB
MD5

b4b9c14bef712cde52be1a194c1dc8d0
SHA1

fd13afe13e287b7a10af919239012f637a38d119
SHA256

03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2
SHA512

1439da6ca11c2a6c7df13ce5b8420e5068b56dd6bb6498b3f7de129bae01556980632291f80c39ddc573656f306a5c2b7ba3e8bcefb1f1a00abf2e5d471cb3fa
SSDEEP

6144:+bhOIRJ6EQnT2leTLgNPx33fpu2leTLg:URJ6EQ6Q2drQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 37 IoCs

pid	Process
2208	Aepefb32.exe
3600	Bebblb32.exe
3480	Bganhm32.exe
4200	Bmpcfdmg.exe
3672	Beglgani.exe
1872	Bcjlcn32.exe
1580	Bjfaeh32.exe
4672	Cfmajipb.exe
4916	Cmgjgcgo.exe
4588	Cmiflbel.exe
3884	Cnicfe32.exe
2900	Chagok32.exe
4952	Cfdhkhjj.exe
2544	Cajlhqjp.exe
4128	Ceehho32.exe
4140	Cmqmma32.exe
4752	Dfiafg32.exe
4000	Djdmffnn.exe
4872	Dejacond.exe
2032	Ddmaok32.exe
848	Dfknkg32.exe
4848	Djgjlelk.exe
2340	Dmefhako.exe
952	Daqbip32.exe
3644	Ddonekbl.exe
968	Dhkjej32.exe
936	Dkifae32.exe
4420	Dmgbnq32.exe
392	Deokon32.exe
3540	Ddakjkqi.exe
1932	Dfpgffpm.exe
3912	Dogogcpo.exe
5112	Daekdooc.exe
2880	Dddhpjof.exe
4480	Dhocqigp.exe
1356	Dknpmdfc.exe
2268	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	2268	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 2208	3496	03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe	82
PID 3496 wrote to memory of 2208	3496	03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe	82
PID 3496 wrote to memory of 2208	3496	03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe	82
PID 2208 wrote to memory of 3600	2208	Aepefb32.exe	83
PID 2208 wrote to memory of 3600	2208	Aepefb32.exe	83
PID 2208 wrote to memory of 3600	2208	Aepefb32.exe	83
PID 3600 wrote to memory of 3480	3600	Bebblb32.exe	84
PID 3600 wrote to memory of 3480	3600	Bebblb32.exe	84
PID 3600 wrote to memory of 3480	3600	Bebblb32.exe	84
PID 3480 wrote to memory of 4200	3480	Bganhm32.exe	85
PID 3480 wrote to memory of 4200	3480	Bganhm32.exe	85
PID 3480 wrote to memory of 4200	3480	Bganhm32.exe	85
PID 4200 wrote to memory of 3672	4200	Bmpcfdmg.exe	86
PID 4200 wrote to memory of 3672	4200	Bmpcfdmg.exe	86
PID 4200 wrote to memory of 3672	4200	Bmpcfdmg.exe	86
PID 3672 wrote to memory of 1872	3672	Beglgani.exe	87
PID 3672 wrote to memory of 1872	3672	Beglgani.exe	87
PID 3672 wrote to memory of 1872	3672	Beglgani.exe	87
PID 1872 wrote to memory of 1580	1872	Bcjlcn32.exe	88
PID 1872 wrote to memory of 1580	1872	Bcjlcn32.exe	88
PID 1872 wrote to memory of 1580	1872	Bcjlcn32.exe	88
PID 1580 wrote to memory of 4672	1580	Bjfaeh32.exe	89
PID 1580 wrote to memory of 4672	1580	Bjfaeh32.exe	89
PID 1580 wrote to memory of 4672	1580	Bjfaeh32.exe	89
PID 4672 wrote to memory of 4916	4672	Cfmajipb.exe	90
PID 4672 wrote to memory of 4916	4672	Cfmajipb.exe	90
PID 4672 wrote to memory of 4916	4672	Cfmajipb.exe	90
PID 4916 wrote to memory of 4588	4916	Cmgjgcgo.exe	91
PID 4916 wrote to memory of 4588	4916	Cmgjgcgo.exe	91
PID 4916 wrote to memory of 4588	4916	Cmgjgcgo.exe	91
PID 4588 wrote to memory of 3884	4588	Cmiflbel.exe	92
PID 4588 wrote to memory of 3884	4588	Cmiflbel.exe	92
PID 4588 wrote to memory of 3884	4588	Cmiflbel.exe	92
PID 3884 wrote to memory of 2900	3884	Cnicfe32.exe	93
PID 3884 wrote to memory of 2900	3884	Cnicfe32.exe	93
PID 3884 wrote to memory of 2900	3884	Cnicfe32.exe	93
PID 2900 wrote to memory of 4952	2900	Chagok32.exe	94
PID 2900 wrote to memory of 4952	2900	Chagok32.exe	94
PID 2900 wrote to memory of 4952	2900	Chagok32.exe	94
PID 4952 wrote to memory of 2544	4952	Cfdhkhjj.exe	95
PID 4952 wrote to memory of 2544	4952	Cfdhkhjj.exe	95
PID 4952 wrote to memory of 2544	4952	Cfdhkhjj.exe	95
PID 2544 wrote to memory of 4128	2544	Cajlhqjp.exe	96
PID 2544 wrote to memory of 4128	2544	Cajlhqjp.exe	96
PID 2544 wrote to memory of 4128	2544	Cajlhqjp.exe	96
PID 4128 wrote to memory of 4140	4128	Ceehho32.exe	97
PID 4128 wrote to memory of 4140	4128	Ceehho32.exe	97
PID 4128 wrote to memory of 4140	4128	Ceehho32.exe	97
PID 4140 wrote to memory of 4752	4140	Cmqmma32.exe	98
PID 4140 wrote to memory of 4752	4140	Cmqmma32.exe	98
PID 4140 wrote to memory of 4752	4140	Cmqmma32.exe	98
PID 4752 wrote to memory of 4000	4752	Dfiafg32.exe	99
PID 4752 wrote to memory of 4000	4752	Dfiafg32.exe	99
PID 4752 wrote to memory of 4000	4752	Dfiafg32.exe	99
PID 4000 wrote to memory of 4872	4000	Djdmffnn.exe	100
PID 4000 wrote to memory of 4872	4000	Djdmffnn.exe	100
PID 4000 wrote to memory of 4872	4000	Djdmffnn.exe	100
PID 4872 wrote to memory of 2032	4872	Dejacond.exe	101
PID 4872 wrote to memory of 2032	4872	Dejacond.exe	101
PID 4872 wrote to memory of 2032	4872	Dejacond.exe	101
PID 2032 wrote to memory of 848	2032	Ddmaok32.exe	102
PID 2032 wrote to memory of 848	2032	Ddmaok32.exe	102
PID 2032 wrote to memory of 848	2032	Ddmaok32.exe	102
PID 848 wrote to memory of 4848	848	Dfknkg32.exe	103

C:\Users\Admin\AppData\Local\Temp\03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe
"C:\Users\Admin\AppData\Local\Temp\03ee3287094f63b369553547c797730f26dd868ed47c030ff7e16ba79bf3f5e2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Aepefb32.exe
  C:\Windows\system32\Aepefb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\Bebblb32.exe
    C:\Windows\system32\Bebblb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\Bganhm32.exe
      C:\Windows\system32\Bganhm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 396
        39⤵
        Program crash
        
        PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2268 -ip 2268
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
479KB

MD5
9c84d93024bf319124563c5ab566611d

SHA1
b47fcdff3347d29c5647c15bd5c7938f27d50b3c

SHA256
a3f2975e4836df00a5a26f28cba394f2acca3393b50bd6174d82958008574563

SHA512
240d4a3d6f853d5d6ea9b27f7402d290feb924c29c2b89e9bea079b1080308f15d02529acbb1554dfd6ba8233c66cb5c71ed52d50fb4f8db28c87924ed4bb101

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
479KB

MD5
d1578ef8a45a126f561f15b93629baa4

SHA1
7a781082d8e70efe22e1194b146dc749cf047d14

SHA256
8a522b54ee837a3e1a83a8932ad3ef8bf212224120f5c7415af4274e57651270

SHA512
b12c72204aceb836f70b6417b06b8f95f96e3a0c5d8dbe88a0900b747400e4157a7ebafbf7fb168c22142327be261f64d43d3006c88486612ff7952ce76a60c5

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
479KB

MD5
5e036bced848a1c5a29094e1ee1b507c

SHA1
db49f0e8eba195202100cd6d85d7e22bb9b3c02e

SHA256
3f4aa666989dcc756bd0c77a4d4550c8f8879de25197ed0acc07798c42bbbaa6

SHA512
8df198f068bf011c554b86f027d16820d168ea09786a146ae61fb41d46e76cef5c49ed3702706c13f61c0853ca1e0764a2500ecefe531106158be8f1f194c320

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
479KB

MD5
d0d8d5cf710a9c18bc325eec495f87f6

SHA1
23bb0e8cf55d2f580f5eb3b15cf4e622a4723919

SHA256
8816a58fff5e6fb86169bb2d68e2080c0efb6ce1a6c09aca6925085960373b65

SHA512
bfe95e0e209b05e81429dfa8227a765b308334fe959a8ea0a41ef56edb5f72e2750cf108714d10dc5e3efbd0cc933420e2556ab1704c1a76da7f1b9e9b5dab1b

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
479KB

MD5
d792b5a76a49614e8ccf81a93bb47f14

SHA1
01603533624b29f04e2f191f83a71966e3878f71

SHA256
6fa24f11d104eb02d1a57d78e2981f62d2a9c89866e164197c56b7b974306299

SHA512
b672b6fc43908fe7252c57b6cf773e408a4101cabfb73b134f7a8384a0f54d9b2e872de56d43ab40f2db5d881832adba4125424fa09ba05a56c867245c8f9327

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
479KB

MD5
ad3f026c376899df8deee515b8058efd

SHA1
d1a522f28e97bd9a9a88cd001d5aa7d90648f237

SHA256
cf49e89f799f7c72c828a2c4cd1254429ccfdb18dd16f29d7f836b24878fe2e2

SHA512
f66703196980526386e92b9e58ba5181fde73ccbc2ca13d275da85cea056413958547c9fad96c37106bed494330bbba05a560e34ee6c6f4fc3573f68c7e5e695

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
479KB

MD5
a5bde806c948b50b51622aae7338cc1c

SHA1
3b9c9ccd14427af786ca4685a0e53f313008bc6f

SHA256
103d7ce88b8158f780af2f6473b2cef97c903a32887bad14f6ed54c8fd2af59a

SHA512
171ebd38de782aee98dab393b1eeb4a4f548619981ea82ccfe027d79fbec8aeb8067d62a8270cdabd7ffd9a9bb08c8c644d1fac13aaa86f12395e0e38a5a05d3

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
479KB

MD5
b8661aa26c9066883f863166d2592964

SHA1
f2979985afb98b8717dae461efae06ffb5c62d75

SHA256
5f3133a359304d7cc818b2f47c2be4971ffbd5e47e23cddad6b7d331b80fb6cb

SHA512
9ec8f2d7313ddc8739120d3bfc0f00f6a7aa910f4613ee594965c26b887db217fc519362c24b0ac3df12ccf86d8bb04779139a6d558fa87150b1b0e4f01a3e35

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
479KB

MD5
80c6510edb53006f3a387bfe088e1085

SHA1
b122bbb298143c115b9a990c144e8ed4a64906a9

SHA256
4a88e78b039023cb8c1967587b81c06524fe92ca2f573b6570f52e3ae6bf79a7

SHA512
0574cd73d817ea9d360568217dfdeb4f09074545430c29a52ab743b9a32682a078ee1d17d8c3f9f80fbdb3d6dc41aa98005e1d2aee668caab07a800616cbe527

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
479KB

MD5
a2976440299149ced4c0df0d21f75f0c

SHA1
8858d01a713be75c2ddc1882ea67e56594db79ae

SHA256
e54870e066898ebf82855605595d8b057347968308f476dc4cadb4b02e2a7cd4

SHA512
77785e6c7e5933ff8337d563fb283ab487425d928860868be62c5921f6fe1bd1b3aeff2a399ad2e76f2878fbe0ed6e741a4ce3bda2f3d40d95f01cba7c1aed5d

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
479KB

MD5
5741e7b4f14896edeb872220bf455c0e

SHA1
32108749ddd9ea65dd99c027ac5892d2d094d7cc

SHA256
6cc69893ba1b520c049348af9664100f6bcbde187b5b684c479aceb6353b8a44

SHA512
ca88991fc992afb4ebedbe7c05a5411e2cca30ab08b1e72b98a6d24c0d6fccfa52a3d05f331aec3d1d6c0ba47c67f31c68d575ae14ea39bb870d482a4a5d340b

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
479KB

MD5
0995c8475c47771b4177b80c5eb6d48d

SHA1
42bfe33841b2015b7ef8cb35b3a6a2fe042146d8

SHA256
1c4de4282ca1a0b23f88576e434ced7208d9028e8658d288ad5db1661e60fae3

SHA512
a82ddcfe08ef6cfaea17fa618596f746dd51f3c675d118229157cc9d33110abcd490fe64215593f3c561a7187395591be529f7bac9e4adf44528c36ec41c392d

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
479KB

MD5
843302b31bc76a1c38bc143818aea1bd

SHA1
c48640db1ef0eb0952fd02555b38a188ac3d15c2

SHA256
52296499647f5d2e5b3e5a3f9b64d512ef2bcf7aff6a9c3952b1296170bccc42

SHA512
d7cb6bb10b4a568f9a876e604065f229c73782500fbe986b5e8606e7b49ce75ef26603abd7b0d1fc2681c7233cf73827542b73d20f764d3475cf92c1f696f60a

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
479KB

MD5
d81d84d3beabf0318baeb660bfc04a47

SHA1
6178284a3820b51d04905cdff6d402bcd4430fca

SHA256
96845ca95357d326c70d234cdd63587e30207bccb69754523f6b312df061011d

SHA512
e88b194ef77b3f3e635e9733be37d6156ce0a44dbd7f168b3182347768c19c8754bbc0bdfbf362b58114820be2d71a785aabe1f1c780cc5af3921147b459af5c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
479KB

MD5
83066fa12d13f0208ac250c704fd49d3

SHA1
bacfc7aba6d00d1453ff6c06a86e320f6a4640c2

SHA256
325f97c92d20c3da449919d39e0ad2202d017641cec4f7b71066c49da6e45de8

SHA512
b801403d0caf88b5ee739444bbc00761587a8e58aa8673dd262f478df23101b4124e5c67aefd525de0347ce63f9f9aede1a9f2a8aefef4413fb826ff791fded0

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
479KB

MD5
8dacc28bafb012913bdb9a004a335ee6

SHA1
3146b262a4ec9eb49057d8b3543c69b2260921a2

SHA256
be9a6ccf25d34d04ef1e3305c9f367dfaca588856bf303bc318439e8d340b032

SHA512
9d7dffdaacb1217890fa1dcf4a55c2955199456a4193036a9989a1a56b03184eb07fafa198c5f1ce265b0770fd846cb590c64a116460752a7d6437b3bb2b8481

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
479KB

MD5
1b72218d7e878d0074a7a975a275fb81

SHA1
48bc1f6f2d82b2e8ec64779fa598643dcce4f290

SHA256
c407a4bcd71c9ff1daa0339d5e9b192eefe0b3feee6998c4c50b599f4a25c34b

SHA512
7552eb54e05b74ab1d577997709fcf0cd045b68d1bd91cce2863bc13f3ca8173d641009e22e6707fb4029016eefa8d7f7797da30905769d16d5716085b4c1e7e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
479KB

MD5
dc146853294bb52b6075d28f75bcc0eb

SHA1
7394f9a4b67a5f2445382e1091218ae2dd97c6c5

SHA256
69f3206a970d3e0bc12bc078e06fcd1a51f177e491c03f5364bc164e1ecd2aab

SHA512
da224075d7d4f2a0567f9722b4641861f5d42b24c9eac1945cb2532b9a009f00b0e16451890a5da952c419e8d1cfa46802db2aa59a8331cc19768614dd952852

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
479KB

MD5
15a902dc72e8d709e092c7bf9e1482cf

SHA1
0a8f2a412ef2da56e8749dbb3c78f1933beebf4b

SHA256
fdb2fe7cf7d31722fbeece8bc23d5aab322fd6e8c95f6151f06a92005cddf94d

SHA512
edb935b7980d31fcd43757fca8f0086dc0bb0d53c7ae31d1670f8398c8ffc0971f02f954a3e13f2a279d8b1df7737eaffed50a1f1790fecbdfb040c640febab8

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
479KB

MD5
7960215c0637e5f2638c49f2fbaeeaf3

SHA1
e837a51c7fd9f74c232abf4e6210a3d97a93f97e

SHA256
52c658b5544781ebfd3584dfad0cb399ee9b846cde653250dbcb8876897bf1ec

SHA512
adea0c40d1d47ce7870ffec4e5e9d44d873a528a8dbfbf3fb975ebe942a596746367701013484b52d0caaf6d89a40d4d870f74c948187250c9322f9aab4ba145

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
479KB

MD5
867a5e41d444bceead630bfb1fc2317d

SHA1
6acc60b4187ece0a3a468300733ffbe3f00002c7

SHA256
a5ac45d34c333201d963985012de9f492be920258b0d63da82f6829fc01f4131

SHA512
72fdeed301f9f06d96446608a2a8a9626f178185deb38818a67164f85a05a534c124e575480e337a017d410bfe6b667bb4245d46bee04f29f55057376f430a4b

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
479KB

MD5
d2c3aeac8f3a9babe4207b17843d2e33

SHA1
593112ee66dce4b0c70b117bceddac11e7865478

SHA256
5bdd32f733088ada4c30c913885ee8b6a69f50880188910f6572e83173dfe22d

SHA512
cbca3c005584cc2f5e12142ec602476b55dc5a648f336d07e8eb41e865be6b0809ed14683079f215acf26d6de8737975caacdaceb5f728810289e8d4386b65c3

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
479KB

MD5
e04143895937a1b2657e5b0bbd406440

SHA1
97ebf44303db703a343c0a2ace51a1de44bd0bb1

SHA256
f506698a2eefa12d8918007bd9d0e33a03fce382fdddfa200b761c9bab3050ca

SHA512
8b2e5e5a4cd24661cc77d4b8400bd5ca3fc87e7fb0bbe0df8cffbbc31575fe0bbb96060579c5e9e3eb8696f724986d05e5f018d4117bcd8b6b11d6b3dea1d92a

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
479KB

MD5
6e466318ea072dd3208436f1c0dfbcda

SHA1
40f99e6d2e60c2475c694005e67e5035ae11ff23

SHA256
3571fddbf71a8cc8462b7838f546ffc187df80e299a882c57839010aa5def7b2

SHA512
5620ef9973adbe91861e3adfcc87d882eb96da0d95457b79ea50a262809a84c40133d85fb25f3529f55850ee0a9c64186b2934987506ad30deec14902e688460

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
479KB

MD5
ab71f3b6f52d191618501673b47c501b

SHA1
514f4bbe7b1285d55a572cb1e2a10ca41d4f4869

SHA256
750c72536874baf2191758eda56c8cc7c28d53b7ce7cbad11421214e2c5744fc

SHA512
123ea298248843a3a042932e97d2e4ed93fa175a46f41997d767f52db5bbf29dc810844218b2671b89ee21369477af9a47a24da1db739dd39d746159d975e305

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
479KB

MD5
4f9ff448fb96b9502f57eee15d7a29df

SHA1
8a726cffd369a0d30b3e7dde7a92e41cf1526c00

SHA256
b21646f0a82490fb2ac0f5fda530362bca69e218a2bbdc15a1e842095e51a08f

SHA512
95975e342f382c0819b3d388d43d74684c28baeb2e27893e6e651097fda6c579de34842809f399809d69ea1f41f64d8c0706b5528271227cc83c369e37da13d1

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
479KB

MD5
7aced139303739e6d22fde2ee22e7ca7

SHA1
f4d5688411f6e7858d9b40b182cf7cb0ae0a5043

SHA256
3f176a6111dc01c801ea51b97fddfb81a2450b85c7ccbcc79ac57a69c7df2b77

SHA512
95a7ca5e2d37774db7b5c0bdd4f366cd6a42db2848a6cf15c1e697d30ec7539413a0522add90490964acd1bfcfdc30ce3b9012660306f1b96be7a1520f1ec120

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
479KB

MD5
cfdb79a86de009657a4a6defa48b8890

SHA1
7ec7cb8ab7490a79161dfab8ac233fce3e446fd7

SHA256
a0cd44434a5473640fb05cbd6966d8d8ccb6f33520f710cb8f2e5d6e5afdd51e

SHA512
77135c71cc76ece9a355d437ae6ee1c1415184890e04520cb46e54e5f4aabe778a7615557000f673c905e1cdfcb750275bc5453455937acd886753c436365ac8

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
479KB

MD5
3948ffc9fdcccc1b3db43f2a0b3d1823

SHA1
b3e4bf7cec811ed7b254e2d1c2f3caa8047568bb

SHA256
2a7a960c5a2e243f3f40c94879698e27e3273d51e432dc97e4e0d4952f436ded

SHA512
a9ec2775b4d608d847218b9566ca2300c24ab90c824bb7071d5233e7804834340afaf142c4bde0c1f812fab830261a22c0f2daf2b6ab57dcd9176964b1751974

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
479KB

MD5
519ce9e71ab8ff1b6f331472c9d4b7fa

SHA1
32eb4aa46438869fec4ad643dbb6d28cfbffb251

SHA256
9d4a35c699440053574b5b656c637c69d1b10eac25f76d071adc8d05c713933b

SHA512
5dd4c117e964ea4558856045c1e18063bd43da04a142b527abf7f9ff6ea845680e8fb52ffe3fe30b5fd12071ba28170ff99aed21b1294f74cf6735d10cd5f154

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
479KB

MD5
a6bdc38e0961ce390c703a85b0fd2a49

SHA1
ba691d7cc1e1345c53017503054e70ee4cd7aad0

SHA256
08409b9e4f991eb7150ccfe6cbfc0c2b61519499a73e8970e2aa506a1c8e9fc6

SHA512
84b4a289ebdf0c893dc15b0076faf48544e020c0146c6c11b15a4d4de3015170880e88713735641c0e03bdbf45aa0f33e3d16046c41537a49287f31afe47a292

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
479KB

MD5
b1b9887abe0f074ed98b7ae6cc5647ad

SHA1
96269c2e65b9a7e39d9b2afb88026c5fed3ce96b

SHA256
223af9ea44f65bdb1e54a25d056d551c186a31882938baef9f9a098ff9527057

SHA512
463cba3e69ea8824ff44cf0bb461478845ddcadc196582854880583701553e37a49a8d859327bb9dfd80df22a5fa0ef702777a4ac2f065395e8af7af26d4e273

Download Submit
memory/392-238-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/392-305-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/848-321-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/848-173-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/936-309-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/936-222-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/952-198-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/952-315-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/968-214-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/968-311-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1356-291-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1356-286-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1580-349-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1580-56-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1872-351-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1872-49-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1932-301-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1932-253-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2032-166-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2032-323-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2208-8-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2208-361-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2268-287-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2268-289-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2340-317-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2340-190-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2544-118-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2544-335-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2880-295-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2880-274-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2900-339-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2900-101-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3480-357-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3480-25-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3496-363-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3496-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3496-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3540-246-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3540-303-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3600-23-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3600-359-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3644-313-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3644-206-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3672-353-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3672-41-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3884-88-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3884-341-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3912-299-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3912-262-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4000-149-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4000-327-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4128-125-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4128-333-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4140-129-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4140-331-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4200-33-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4200-355-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4420-307-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4420-229-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4480-280-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4480-293-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4588-80-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4588-343-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4672-347-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4672-65-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4752-141-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4752-329-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4848-319-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4848-182-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4872-158-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4872-325-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4916-345-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4916-73-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4952-105-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4952-337-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5112-272-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5112-297-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads