berbew | d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe
Size

64KB
MD5

4a3dfc54e677f6196115c9d034b00a60
SHA1

2945cac94842a2411393287813fb2937c5167833
SHA256

d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8
SHA512

526fa5b801c2700f9618f9ff8c77fce2fecb815b0c92d40ee32a3434624614ed760821da9de7d18d9a11f0873498921a81d4a6f05e1f064b28aff83364296ad6
SSDEEP

768:DHDuk02uBdg71JqcU0QyaTvR01WvAkj6hZECpEYvrSQvyntYc0pt2p/1H5PXdnhE:2FBcqcU0ETp0ilqxpE4eHYc0L2LDZc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 35 IoCs

pid	Process
1352	Bclhhnca.exe
3068	Bjfaeh32.exe
4172	Bapiabak.exe
3544	Chjaol32.exe
3476	Cjinkg32.exe
644	Cabfga32.exe
1124	Cdabcm32.exe
2856	Cfpnph32.exe
4264	Cnffqf32.exe
3720	Caebma32.exe
3852	Chokikeb.exe
2980	Cjmgfgdf.exe
3968	Cnicfe32.exe
2212	Cdfkolkf.exe
2608	Cfdhkhjj.exe
2568	Cmnpgb32.exe
3712	Ceehho32.exe
1344	Cffdpghg.exe
3788	Cmqmma32.exe
1492	Ddjejl32.exe
4744	Dhfajjoj.exe
4520	Dopigd32.exe
1576	Danecp32.exe
544	Dhhnpjmh.exe
5100	Djgjlelk.exe
1968	Daqbip32.exe
5020	Ddonekbl.exe
4772	Dfnjafap.exe
1544	Dkifae32.exe
2628	Dmgbnq32.exe
3452	Deokon32.exe
3268	Dfpgffpm.exe
1000	Deagdn32.exe
1532	Dgbdlf32.exe
4032	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
232	4032	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 1352	3116	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe	83
PID 3116 wrote to memory of 1352	3116	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe	83
PID 3116 wrote to memory of 1352	3116	d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe	83
PID 1352 wrote to memory of 3068	1352	Bclhhnca.exe	84
PID 1352 wrote to memory of 3068	1352	Bclhhnca.exe	84
PID 1352 wrote to memory of 3068	1352	Bclhhnca.exe	84
PID 3068 wrote to memory of 4172	3068	Bjfaeh32.exe	85
PID 3068 wrote to memory of 4172	3068	Bjfaeh32.exe	85
PID 3068 wrote to memory of 4172	3068	Bjfaeh32.exe	85
PID 4172 wrote to memory of 3544	4172	Bapiabak.exe	86
PID 4172 wrote to memory of 3544	4172	Bapiabak.exe	86
PID 4172 wrote to memory of 3544	4172	Bapiabak.exe	86
PID 3544 wrote to memory of 3476	3544	Chjaol32.exe	87
PID 3544 wrote to memory of 3476	3544	Chjaol32.exe	87
PID 3544 wrote to memory of 3476	3544	Chjaol32.exe	87
PID 3476 wrote to memory of 644	3476	Cjinkg32.exe	88
PID 3476 wrote to memory of 644	3476	Cjinkg32.exe	88
PID 3476 wrote to memory of 644	3476	Cjinkg32.exe	88
PID 644 wrote to memory of 1124	644	Cabfga32.exe	89
PID 644 wrote to memory of 1124	644	Cabfga32.exe	89
PID 644 wrote to memory of 1124	644	Cabfga32.exe	89
PID 1124 wrote to memory of 2856	1124	Cdabcm32.exe	90
PID 1124 wrote to memory of 2856	1124	Cdabcm32.exe	90
PID 1124 wrote to memory of 2856	1124	Cdabcm32.exe	90
PID 2856 wrote to memory of 4264	2856	Cfpnph32.exe	91
PID 2856 wrote to memory of 4264	2856	Cfpnph32.exe	91
PID 2856 wrote to memory of 4264	2856	Cfpnph32.exe	91
PID 4264 wrote to memory of 3720	4264	Cnffqf32.exe	92
PID 4264 wrote to memory of 3720	4264	Cnffqf32.exe	92
PID 4264 wrote to memory of 3720	4264	Cnffqf32.exe	92
PID 3720 wrote to memory of 3852	3720	Caebma32.exe	93
PID 3720 wrote to memory of 3852	3720	Caebma32.exe	93
PID 3720 wrote to memory of 3852	3720	Caebma32.exe	93
PID 3852 wrote to memory of 2980	3852	Chokikeb.exe	94
PID 3852 wrote to memory of 2980	3852	Chokikeb.exe	94
PID 3852 wrote to memory of 2980	3852	Chokikeb.exe	94
PID 2980 wrote to memory of 3968	2980	Cjmgfgdf.exe	95
PID 2980 wrote to memory of 3968	2980	Cjmgfgdf.exe	95
PID 2980 wrote to memory of 3968	2980	Cjmgfgdf.exe	95
PID 3968 wrote to memory of 2212	3968	Cnicfe32.exe	96
PID 3968 wrote to memory of 2212	3968	Cnicfe32.exe	96
PID 3968 wrote to memory of 2212	3968	Cnicfe32.exe	96
PID 2212 wrote to memory of 2608	2212	Cdfkolkf.exe	97
PID 2212 wrote to memory of 2608	2212	Cdfkolkf.exe	97
PID 2212 wrote to memory of 2608	2212	Cdfkolkf.exe	97
PID 2608 wrote to memory of 2568	2608	Cfdhkhjj.exe	98
PID 2608 wrote to memory of 2568	2608	Cfdhkhjj.exe	98
PID 2608 wrote to memory of 2568	2608	Cfdhkhjj.exe	98
PID 2568 wrote to memory of 3712	2568	Cmnpgb32.exe	99
PID 2568 wrote to memory of 3712	2568	Cmnpgb32.exe	99
PID 2568 wrote to memory of 3712	2568	Cmnpgb32.exe	99
PID 3712 wrote to memory of 1344	3712	Ceehho32.exe	100
PID 3712 wrote to memory of 1344	3712	Ceehho32.exe	100
PID 3712 wrote to memory of 1344	3712	Ceehho32.exe	100
PID 1344 wrote to memory of 3788	1344	Cffdpghg.exe	101
PID 1344 wrote to memory of 3788	1344	Cffdpghg.exe	101
PID 1344 wrote to memory of 3788	1344	Cffdpghg.exe	101
PID 3788 wrote to memory of 1492	3788	Cmqmma32.exe	102
PID 3788 wrote to memory of 1492	3788	Cmqmma32.exe	102
PID 3788 wrote to memory of 1492	3788	Cmqmma32.exe	102
PID 1492 wrote to memory of 4744	1492	Ddjejl32.exe	103
PID 1492 wrote to memory of 4744	1492	Ddjejl32.exe	103
PID 1492 wrote to memory of 4744	1492	Ddjejl32.exe	103
PID 4744 wrote to memory of 4520	4744	Dhfajjoj.exe	104

C:\Users\Admin\AppData\Local\Temp\d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe
"C:\Users\Admin\AppData\Local\Temp\d70e325aed4172dbe4b81cd64f521e26d114456f4ad329f99b630d822a6df1d8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\Bclhhnca.exe
  C:\Windows\system32\Bclhhnca.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\Bjfaeh32.exe
    C:\Windows\system32\Bjfaeh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\Bapiabak.exe
      C:\Windows\system32\Bapiabak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
      - C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 396
        37⤵
        Program crash
        
        PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4032 -ip 4032
1⤵
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
64KB

MD5
41614a8d6057818d3f12ff52bea1d212

SHA1
69894fb3f9d4f7d14caf0bae3b4764ada16e70be

SHA256
605cc9a7af17e211e93dfac55e4050a567158cb7a74698cbc0e2d9a1ace7515a

SHA512
38d34178b560fb022250a74e5f94cc920b27422cdc6f352b66e4718da036e21b4724e96dd2c1c74fb92e52f26549b48aae2a59dafa6dfec33be43706c2cfc450

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
64KB

MD5
66fd33155fe26efa151aa598e30c4220

SHA1
1c9e473a7a3057bbefa90dd59c77cbd63e6dca4f

SHA256
47d6128763ab32da24c06125943c03f09d4c4954a088abb12216ee015eb2f2c4

SHA512
68437b16c3fb0471328b8cd4adba760e8727ac94ef6c1dd519d8a1328e893cfc4b920e767783a9b511c750c727bbc57aa4b52a7191776ec2779328ae4e8611d2

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
7dca70bbb1b8639d1ef94278463245d9

SHA1
4842685defd088f4dc9fa2dce3cb158b7f7fd88e

SHA256
481c8782bccc5cff7eb5d8d6dbf10e0e3c1a9d7c87daeee8158e95572422aa97

SHA512
6aa50f213b9bb4155746fcea1e0eb87a12e88d18f03ad42b411c7df0eaa2cdccbbf9e77df700a88df2b93d7daa290fd9984953b8ea5b4f092c66021da3d46c6a

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
64KB

MD5
150a850239aa1b533c8351daea2a7d0b

SHA1
4033a8dc93608556cd82d7e114f52e636f863ab5

SHA256
832d5f016254c6933ef87b3045567fd4764799a1450e2097861621285f6a2d45

SHA512
9e4847d0bf6eab7d7143bd29cba758fb0e41b4e32cb0d6f87f01cdcff8923c8f1dd881b32329f70d0c757858e08e690f507eb2b4366e2faa409b83ad775868f7

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
64KB

MD5
08dbec3507c79051d15f8ebc50e7581b

SHA1
9c0bf9fcd642e0f1e162b90273719c5cb88d3427

SHA256
38a96040f783bda686bfd2765515c45bc42aa98f1644e6080d008cb34d387f48

SHA512
f7aa093f047fdbc05b2c057526e2070aa7d7d2a973e2307d6625512f66a2732e4e9874a53ce55fc16ccc7837748c52de33b0ddb568993f014147fad6474fc130

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
b1704abf68fb6fcc499b9c88bfb2b124

SHA1
d890ea65890a455297fcac9b6a72e967478d8f62

SHA256
ea48bcd1b6af358ea9c02b8dc5763ff8d6b66c127dda2e32ab046cc153406240

SHA512
c53e2c39217bdd9d41aff3e65e13be4005b5560696535c979924ec886d6deba32ba54b43618cb33af339172301da587685d11f8aafc0974e1c929405b5ed6474

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
64KB

MD5
7f905e09f7f5b69e49d9d20e45e95755

SHA1
9593b6b7950fd3ef7ccc7a3947202e5a8b8ea871

SHA256
c5f9405c59eaf519814af7f43dbe29742e7066bab5d71871bde587fb7a70a3d3

SHA512
8d956fa801e373b73754fdba9a0bf1cba60553b7978aca28029d2326ac057583f4e217dbede0207c061e093dbe9f31c96feba73e1c5a62810b919ef662c2be77

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
183882d2e21ef0dc9e54d53cee3147ce

SHA1
57f98c93db7f86c63617914a680594ec4235a265

SHA256
18d28bf5d0dcc6ea35872fe224e6b3dea8718ae01d7eaa72165d48ca0e3bf8c1

SHA512
bc4b454b68f6670b78403ab7633f28d24759b4ae71d0f7b0befe0852b09d289abe7f884b8fa0ce2de1ee7f4af9ae88e50c33b727b095219c6cf166441abfb5e4

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
bc3569ccab6f10c023bfcf69fe647103

SHA1
078a3df48082fe7ff664532ea34feddc95e3ec3f

SHA256
b2dd91f926dfd62843980d7609b77400b0cb9ebab0d044fc126f26f8cfd51d86

SHA512
ece49a79478cf272c9b1d3e7774da4beb739fd2719ff003bdf001de465f9e31e51ab434275e4981c58c60bbe75a1d2847a1182cbeb33be0360dfa4fc0cc3c4f4

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
278bdababb159ab0bcd9ad3fa32f2b9c

SHA1
a0018df875991f71acfd9e1933a0b7382cb78c23

SHA256
016600c2c24ae47fc7ee7d9936b36b8e9aaf823e2671172336ac70485cae6a7d

SHA512
158fb6770d699662c0dfecb6e84665835f373532b790ebe59d2af9220ffa3eebed7244ec43111fdc56b1fd714f53ef1c329e732aa68a31d624b63020a7c6d909

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
1f40cd0e7607863cd762647d77d44754

SHA1
b6fb1ea83ac18dccaf7657bdd678c2bf1605e4dc

SHA256
a975c6a9a71f7a902f5b77cd1ca0a352f66b0163d89b18335cc21efc18892070

SHA512
f48f88836918f6a91e7d512813f51634e4bcf85b8b548887407a884d6276fdc8117ef87b34055291b4a87b5ad133faf35f8d1b3d62a5e91a1a952b7347a8062d

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
64KB

MD5
cb4c52495bd01a91d277e9c9ab3cd322

SHA1
eeee7c696e542fb72af25a821aa5dc8687b55413

SHA256
733fca3964bf61086ca6fc3f0f0584929246103af8ef10ce8f88132343788972

SHA512
f89aa6364f2e531446f226d9e1ee53e8f554e6aeaba19d29c9f1980e1b3fbd34632860b74a1e53b0503924a3efef547ebfb38f7639c6d9f3895349478ffcb3d2

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
64KB

MD5
2dd0963ab7d3a7cccb5219f27092688f

SHA1
956ed86f67c8e4c36483213d9f81a6606a0fd4b7

SHA256
5910a5cee5ecb321a4fa6ae8063a6fcada5818e9a22939658eff82a9d74a8b38

SHA512
877b5cf0eb3bdfc569908b24b0c2bdf87cfdc43b6be633c69150b75e1af164d079fd7bf10755cb8480ea8016ff726cf572f1cf344c30d08aeb70f8ec4c76e7b5

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
df9ada8493a3f258a326768513e8bb82

SHA1
6ef7d01c42916497e40f5e769b715aa26b7077f8

SHA256
3dfea98e395186227fd59c8fdf24cffb4b505d9d7103e2600d5e34ec0b74ca14

SHA512
6e2b8d85da4b2a5c40f6f4a4d0907f57a5242873a976261277968aa8ec7fd840332b0c5b2d4559aa1ab70b1114068c61950e9ddfbef6d22680f5221458519db0

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
b9d959c46c2e765b19c148b3f0aed789

SHA1
d316253acc5d50dbccf90df0edae4245016fc1c9

SHA256
7eb1b6755e9946baccf82a6be62f2e4ced81a7ea1c7152bc6d32f12bd70e105b

SHA512
404a2cbdf5efa9b74177d34cb9782a5db2ecfb0fd376bac567433d6caccc77f59fe9d86cea3dc498c2db39e247fda0796f627b195bcab1c31091a988aea942a4

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
b0dc402310d908bf7bffb0090ba253a2

SHA1
fddb390bc98fdb8d9a03291b186c6e52309a97cb

SHA256
7782c3712ae19d2e4e602b858a0edb22ffc59b127a65dfcb76d42423a7941462

SHA512
24318c72f84670c3ec683c7c8b8c82984c5133fb33132b6a9306422d7cff60ab7c832be6ede977f7cae6a1062f97509c22e3d00e9a60ec7d7558c5f979c37e75

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
acef5e7d4290b91e32a9e513d2f30a9a

SHA1
96338828781f2d545d44d28ddd9a63507d5ae1ca

SHA256
3424bb53909b10ba0b8035feb7a1341a14478233d276f52fbc26cb5235193f61

SHA512
9daeabe03a640e35588f778ca8ffcbe8af5a3c1429cd65f41c11cfae511be5b9cd01b39337d9938814c16cdbccc0867206336ee6dd4e46e2ffd801389ed71434

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
d2b9f75be48a2a85613a13236a9e74b4

SHA1
f44ef813dac37c004f7d82ce5a8078300c0805cd

SHA256
60bf97221469185e54c7d0a6ce64f99dff1988fdc5f59f1d4d49abdf7dceceed

SHA512
09dc4425eb2ef1ff42bd32bcd54132e23e64542f4f5c2c1eedbbfc1f39c3fb0ea8778b312dfa935f037f9f6f0538abe37307c4e64221a4c57ceb31bb943c0fa6

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
3f713322c983f779e4e9ce97e6dca8f8

SHA1
6baebac38a253ee182626a56743c2fb2ab4cc7b1

SHA256
1d7b8b7365e3e4bed85ed8cce864fe6b2fb19d45558f4199b6d6f52ddbf405fa

SHA512
0d1cb14d2e0b1925dc3953c8ae61671ed604f632ea1bf16b109a1aad3cb9ed3169b4772c66284f97a24d8bd792e16d96b230246f954905b8c27d80876b83200e

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
64KB

MD5
9bac4767e900c64d4819f4e05e66f4ad

SHA1
807af4ea90237810195bdc2b7755e0719c47488a

SHA256
892ff694631145012dc005e7a19c0f03052f37498bcf9a860868826128afc40a

SHA512
1a7aa3308ecdfeb8ee717dbc2d7ee689ee8ed5e31e6411007008f0005735a58fd962412ea79136fcc442cc0bfe45c139170fe58e7ea170180a763f4ff527677e

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
25d6ede1cb3b9cd8cbbfa18070733864

SHA1
e241c01ca8e37d49f442f7a62e0ae19ffce4fcc1

SHA256
8c9060003b85773f6b36f3bb973223d5f3a3570874c36843c4a0db37fcc0479a

SHA512
ff89207e50f6e7df7bc0105155e8cdd2a4f9ac2f456e16990e2237bd4d9898a4a1f0b3464297502db1323b7a49f4472ca53600a54a8261b0274abe3d328cd0cb

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
a8b11f069a7ba4fe1bd690a90c4ed3de

SHA1
8bdd9a55a44d49e853cf0c8b3ab0f86a59a38786

SHA256
e7c60b454f588b9bf5246266611a9d2acd09520e83a34bbeacd4066031d99c0a

SHA512
85a592ed00ebc55e6d883bc6dd5ac5678fe30ac0e2b1d755a8d0e3a4dea95259990e2d833222862b4e26ac7a7b7d535d847524919b0ac6224845c1ec43376544

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
53ccfed076b180423c83559d45846c00

SHA1
36b10534fec573cfb54aa7e8edcd8de92f460200

SHA256
c804da09e2b72603f756ed587f3c7d1a1db51647dd59168bf9c675858ad4983d

SHA512
0687dd512e0299655a465edb7059408e38ce60038808cbd177577165a4f9e4cdc9f1155406d1719ba797150d7aabdada157f3e63051fcee5a8f1e3c09844f902

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
225ffd4c87ea80b9e244ea7e016ba630

SHA1
e96eb460254e46ef172860ba5c83648623cd4cec

SHA256
6929f419bf68ac8cef9e6889c4302bf5698083887ab07c5fc5ff0506d1779e0a

SHA512
727a245cd75a0a9d61fb43faaf57a6a1210caef79e1c58b22e17b0cc317913bebd3aad853c283492cca4d3bb1440655244d083971c05bf3f4ec06297b6d11f6f

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
64KB

MD5
be5929f53f51b2f9ac8f7c5820899a46

SHA1
f94767a5f9ff0d467339202c4a94f2d0ffe1ece7

SHA256
7898fa34ceed7c44f01aa5b98ea48b694fc733b94e1084dff9ded5a4f83f510f

SHA512
b75d8f32d2570a09f591467e962487b24a802404f427332a0abea024ac4fe4c49ffb0c768ece8c7040ebbf9f83ddf0c4c6447f612a3b95327fb6da4517ec733a

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
64KB

MD5
c9bc9b220f068561b25b2ce8792d3288

SHA1
20cf33c1ed3fed32b6d012c7f74d131b51f75b9e

SHA256
31961518b0c8288f4e053a1c54cb092f5aa2406de8f2c6c9ea27fab019ffccce

SHA512
6f75f38f59d78162def1ed689bf4d8ad846c082c73bf51bcf9881297f56bf5c79883780e085f9faff723e35b56379cd00fb2c8fc27f5b8175d3977d092abb5e2

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
d86ac542d05b465dfa2c32d813cc4b72

SHA1
86aed8bbd060e1332103b2fe1e893a795f842343

SHA256
a3b67021f017a1c823815b811bf340c4eabf56dd2bb9d5b37ac97eae64dbfa85

SHA512
53844111a63a7b966957b12d52c5f881eeb3a2a15c19a3e4292ed5f0f1e7e6a9819da18b66cc175b29611b8f52db029683846b1ba99b7070b535b57dec54dd10

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
f728408c2b88c34b47f18e2178096094

SHA1
2f9ff5dea93b8154f24871d2360fc0292c0131ce

SHA256
860e7715a09b3ce14c01cf431412da5f313d41b12485077deb82bf0349cff8a1

SHA512
ca5db4bf716b4d70b79667488739bd0192e55a15bec6b12367a9b3aa4cd007babe2fd3971dc0e387609a5bb342241579aaf283655fe47f7f0df32c75fa37e25d

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
210e3569dd622e602b7c56e43035a481

SHA1
10054113bde7f945dd39932a3ceba48ff4140fbb

SHA256
30ddf403d7db6de8fb19842cdc8dc7e92b28b596ae4c01f5e4393b76f3f86288

SHA512
9a7d86ed942963ba5a051d1ff40bba2553ad53c1181ac2c007fb7e491621a60fecddd1aaca59582a95d6bc7374e46e24b62c7c9ca17a4811d8f17a8c69bfd2c5

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
c2617a772517887ef73a3aa019563e17

SHA1
f8c042b0d94a32c0f0dc810923e26a2153490900

SHA256
a4d7c1db4739412b2955ccd5e9793f2068fbcbf4fb44db7bdbbb68417d97915b

SHA512
dea615c73641d22602035241035454f0922a569dcf4abed98ecb9c01ace72c11a97e7e418ddc198dbb99c78084271b9458ce0b7b620ace41f760108c638e631c

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
0b1b3b2982a0833a3f2de57a48d0a6ec

SHA1
c76d71ce0b9500bd86f38c994738f8eaebb0e0dd

SHA256
c4b4a000d0118eaab1bb4111d893c0492bd82b1524eb80b36953c5b927e8e770

SHA512
ae615aed106ca302da21450704d076623ed001343fbbd8fa362978cb97b93bf58f5d719f7ab9f08fbaba78fcd531a7ab05818e1c30ccd112c0dbc9f8ef050bbe

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
60b6013e553a9050cacdef44c422881a

SHA1
5f56379235f977dd0a5983332cf15a6ef17c4dc6

SHA256
ef9e2bbdb15768f8fea87f5c03009721a6ee77b08ab57225b552cf79eb8ef918

SHA512
ce3dc21734bf9c8ced88b9b0c33cf1b11c2a00e561d7b5886bf462875a2dc3350ab95cf10d6fb6dd0dcca54b41db25cfabb5c261182c863e7cafb44dc33ff522

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
4b160a23c62e7bcb71bb8e5375d8fbe6

SHA1
640bd0d79a3d449080acfb542f549904d5786f16

SHA256
96f55b02b4a65192ea238847db0ea973a1066f2c41d219ab5bf601a8b934e9e0

SHA512
dfb2f1d66a07152596fcefd50d85d645301539a2056255ff8d527599fa7360826adb3cc1413032d152724cf6fa842a1816ea4f8651fd87559ab7be592c4f9732

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
c5f0f937b209249a61b476845549a7b2

SHA1
1bcc9507a2e6ecaf3015c71265f00fbc2eef2dcf

SHA256
d55f84e681e422a968cbc8abc4f6e209baeed0fa6202425d8a88d182acd1e150

SHA512
58d8dec1b1b34dd21b7f18674d47147c95e700b9aa8248843f08a43c66f1299c280665200f55da9511f0bab744fe8d35ee05c071b9363e9d299bf3347699c280

Download Submit
memory/544-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3116-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads