berbew | fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
Size

55KB
MD5

51135bd4c4f5cd925acb127023492f4a
SHA1

2ef36a46b55d39c55c4d867a2930f2210b092162
SHA256

fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe
SHA512

eef2016d29b13690e7f5133d1450485e63e7209dc49743612b07fd09bef1edfef3072f48020e1f98b27b4bde6e26d0148afc75bb9ab5694b7e536f991ca6da9d
SSDEEP

1536:pGwgP2U9xyn/m0OJMLbNSoNSd0A3shxD6u:pGwbUSn/lLbNXNW0A8hhZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 32 IoCs

pid	Process
3872	Bapiabak.exe
916	Bcoenmao.exe
3896	Chjaol32.exe
4544	Cjinkg32.exe
3112	Cmgjgcgo.exe
3500	Cdabcm32.exe
1476	Cfpnph32.exe
5096	Cmiflbel.exe
516	Ceqnmpfo.exe
4512	Chokikeb.exe
2652	Cfbkeh32.exe
3116	Cmlcbbcj.exe
1624	Ceckcp32.exe
4144	Chagok32.exe
232	Cjpckf32.exe
4676	Cajlhqjp.exe
5012	Cdhhdlid.exe
4340	Cmqmma32.exe
4712	Ddjejl32.exe
1204	Djdmffnn.exe
3544	Ddmaok32.exe
3864	Dfknkg32.exe
4780	Daqbip32.exe
5088	Dhkjej32.exe
2480	Dkifae32.exe
2688	Daconoae.exe
5036	Dhmgki32.exe
1584	Dkkcge32.exe
1140	Daekdooc.exe
1104	Dddhpjof.exe
1620	Dknpmdfc.exe
4432	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3212	4432	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3872	4308	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe	83
PID 4308 wrote to memory of 3872	4308	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe	83
PID 4308 wrote to memory of 3872	4308	fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe	83
PID 3872 wrote to memory of 916	3872	Bapiabak.exe	84
PID 3872 wrote to memory of 916	3872	Bapiabak.exe	84
PID 3872 wrote to memory of 916	3872	Bapiabak.exe	84
PID 916 wrote to memory of 3896	916	Bcoenmao.exe	85
PID 916 wrote to memory of 3896	916	Bcoenmao.exe	85
PID 916 wrote to memory of 3896	916	Bcoenmao.exe	85
PID 3896 wrote to memory of 4544	3896	Chjaol32.exe	86
PID 3896 wrote to memory of 4544	3896	Chjaol32.exe	86
PID 3896 wrote to memory of 4544	3896	Chjaol32.exe	86
PID 4544 wrote to memory of 3112	4544	Cjinkg32.exe	87
PID 4544 wrote to memory of 3112	4544	Cjinkg32.exe	87
PID 4544 wrote to memory of 3112	4544	Cjinkg32.exe	87
PID 3112 wrote to memory of 3500	3112	Cmgjgcgo.exe	88
PID 3112 wrote to memory of 3500	3112	Cmgjgcgo.exe	88
PID 3112 wrote to memory of 3500	3112	Cmgjgcgo.exe	88
PID 3500 wrote to memory of 1476	3500	Cdabcm32.exe	89
PID 3500 wrote to memory of 1476	3500	Cdabcm32.exe	89
PID 3500 wrote to memory of 1476	3500	Cdabcm32.exe	89
PID 1476 wrote to memory of 5096	1476	Cfpnph32.exe	90
PID 1476 wrote to memory of 5096	1476	Cfpnph32.exe	90
PID 1476 wrote to memory of 5096	1476	Cfpnph32.exe	90
PID 5096 wrote to memory of 516	5096	Cmiflbel.exe	91
PID 5096 wrote to memory of 516	5096	Cmiflbel.exe	91
PID 5096 wrote to memory of 516	5096	Cmiflbel.exe	91
PID 516 wrote to memory of 4512	516	Ceqnmpfo.exe	92
PID 516 wrote to memory of 4512	516	Ceqnmpfo.exe	92
PID 516 wrote to memory of 4512	516	Ceqnmpfo.exe	92
PID 4512 wrote to memory of 2652	4512	Chokikeb.exe	93
PID 4512 wrote to memory of 2652	4512	Chokikeb.exe	93
PID 4512 wrote to memory of 2652	4512	Chokikeb.exe	93
PID 2652 wrote to memory of 3116	2652	Cfbkeh32.exe	94
PID 2652 wrote to memory of 3116	2652	Cfbkeh32.exe	94
PID 2652 wrote to memory of 3116	2652	Cfbkeh32.exe	94
PID 3116 wrote to memory of 1624	3116	Cmlcbbcj.exe	95
PID 3116 wrote to memory of 1624	3116	Cmlcbbcj.exe	95
PID 3116 wrote to memory of 1624	3116	Cmlcbbcj.exe	95
PID 1624 wrote to memory of 4144	1624	Ceckcp32.exe	96
PID 1624 wrote to memory of 4144	1624	Ceckcp32.exe	96
PID 1624 wrote to memory of 4144	1624	Ceckcp32.exe	96
PID 4144 wrote to memory of 232	4144	Chagok32.exe	97
PID 4144 wrote to memory of 232	4144	Chagok32.exe	97
PID 4144 wrote to memory of 232	4144	Chagok32.exe	97
PID 232 wrote to memory of 4676	232	Cjpckf32.exe	98
PID 232 wrote to memory of 4676	232	Cjpckf32.exe	98
PID 232 wrote to memory of 4676	232	Cjpckf32.exe	98
PID 4676 wrote to memory of 5012	4676	Cajlhqjp.exe	99
PID 4676 wrote to memory of 5012	4676	Cajlhqjp.exe	99
PID 4676 wrote to memory of 5012	4676	Cajlhqjp.exe	99
PID 5012 wrote to memory of 4340	5012	Cdhhdlid.exe	100
PID 5012 wrote to memory of 4340	5012	Cdhhdlid.exe	100
PID 5012 wrote to memory of 4340	5012	Cdhhdlid.exe	100
PID 4340 wrote to memory of 4712	4340	Cmqmma32.exe	101
PID 4340 wrote to memory of 4712	4340	Cmqmma32.exe	101
PID 4340 wrote to memory of 4712	4340	Cmqmma32.exe	101
PID 4712 wrote to memory of 1204	4712	Ddjejl32.exe	102
PID 4712 wrote to memory of 1204	4712	Ddjejl32.exe	102
PID 4712 wrote to memory of 1204	4712	Ddjejl32.exe	102
PID 1204 wrote to memory of 3544	1204	Djdmffnn.exe	103
PID 1204 wrote to memory of 3544	1204	Djdmffnn.exe	103
PID 1204 wrote to memory of 3544	1204	Djdmffnn.exe	103
PID 3544 wrote to memory of 3864	3544	Ddmaok32.exe	104

C:\Users\Admin\AppData\Local\Temp\fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe
"C:\Users\Admin\AppData\Local\Temp\fae9e51f4b9be3a8e40b2d4494c4094acf1b19ead69354ee530fe837f7b02ffe.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\Bapiabak.exe
  C:\Windows\system32\Bapiabak.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\Bcoenmao.exe
    C:\Windows\system32\Bcoenmao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\Chjaol32.exe
      C:\Windows\system32\Chjaol32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 396
        34⤵
        Program crash
        
        PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4432 -ip 4432
1⤵
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
55KB

MD5
de008cf62faf75eb7b6a07601840c80d

SHA1
0db10c552f030f57b8527a94bf61d1b8e6020a08

SHA256
e65ceff47fb44689598c63e3e15886be1d356382db0bc193546e64b1881c48fa

SHA512
1701883db204d7f72664db61a615a26a57cc19daec809cf0ceaa71374e383bbd403a10c654a3c849e84e833395fdb773fd5a59b9b34a201d903fbac39348d7a9

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
55KB

MD5
89cb85df919314e108b55cdb2f61df44

SHA1
01d4c3df6cef2fe855ad37f3c22efa5909e273ba

SHA256
334926732eeca3062d851e539c4b83c87e7b81b3e5c7f41c2a9a22caa7040e38

SHA512
08b254bfd3e86fb19e7b9176b60918050b15a542e36ce4f4f11903373cb76dbbee8df66df1fa631ffce5d873fbf99975c124125f5a5f32b9b95a55a54e9068c7

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
55KB

MD5
9bbc636eda575904c556473657474965

SHA1
f64c6741ca692123ae91c553595215a74cbf1dc5

SHA256
22b5192dbaf568b6ed216fd889505f65ecfab29227d3a8b8f82347adf1aee0cf

SHA512
63c7ab217898594f9a3b40e0d5ee76452d62181d8d59fb185123d6c8f6f8ff9694b8eda4e76eaa71b36ab436455a9386763e766e22a2b187d9663bb6e5bd993f

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
55KB

MD5
f7fc2e2ead62103902107f260c2dfc02

SHA1
dcfd56911f0d22841e3ffc9665d8f67033c56a23

SHA256
ecdbad4697aaa5e394cce2e1b9dec93d39aaca48f32cf05cd3d9df1642bb2dc6

SHA512
d3ef00b99ffad008ce3e4d8c2092b1eaa08c2944b1b20e65b4022d6cc204954a23a631439d191c0e5558294acfa1b320d8a95597e4994f3c04b6db8e3cbcdf16

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
55KB

MD5
28bd665544288ff19efe77669310f04c

SHA1
60d42b9b5056aca5567a7234ef81292b6a1f9254

SHA256
6014188ad32b2cfe5aacf3a099fb7d63ef2194db767ff61c203b9008802f3f72

SHA512
ad7c9ccd5c0365523e095b5b34bffbf484fd82c831e99ad5e555085e0f6bc481d5e9dcac4bf0ebae8de8d8705dfd5e1ca1f3ecd3196e9682ade9da2bd111d215

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
55KB

MD5
6a8b011e8295c0e132e06cdce618bf18

SHA1
3c4a903fc117aff2aa16825bb0bde2167304697e

SHA256
9a12fab4e49d8c3c7d78899ffff8467b95020873ba77e18183decdaaa035b4c3

SHA512
039ea8efb094d2e5c21efeef93d49aa543e250d9faf67a3654739b55d423b24a052c463df02babb3a36fb2664fbb91f8fb9e9c7359adc0eb4cba4020b75e3bcb

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
55KB

MD5
736131cc737f3b2344bbe7140541bcd3

SHA1
c8fc64645226c7d9f53e726c87e910510c4abe6b

SHA256
474dbc437bdae91adba1da050e7724b2107f019884a0afea3bbd61a7d27df9ea

SHA512
1d8ee6148cde7d6247dfed625de012502b5ae8d8487997ceb6e20bf534e1a8b7ca2daf40666e3482d4e74f89b4a0aede139aaabc2a5b62c733d7fdf73673bc2a

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
55KB

MD5
60540b254379d72e0427d4a2e0b01d64

SHA1
aa978f8b3173886e219c2debafdc1aa7868149b0

SHA256
92ede61d9188095dd664e94e730a10a4f0f3332490b95d98dd97ae055b934daa

SHA512
c66ddff2241f19026523566f4cfe99f86fb9ecdafff7698d5e3f2ed1408f96996ac15310294ee0824cd3ba05d1e826aa73f2c37ec3b632f68b007604905ff1db

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
55KB

MD5
d361c04a37170a2e4a52a0ff1d744149

SHA1
def1a0f8b00a624b766c9e0d65d6e5f358fbf79b

SHA256
174c482df3259f793b416cff852fd3b50e7253ffe15bacfde233ab069adb1853

SHA512
d67fefe64aac79be97459222b12890ec76a4cdeacda5c9076dbade8c3250542504d81faef894b4ffd7f366195603cee0c931c2c122692cb79396b9c5217601c8

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
55KB

MD5
aa2d1853b9210898b52ac9536c4b9434

SHA1
4ebff5f62b6ad766ee21e59e2a7eddbf090223d5

SHA256
8d4266edd9de5e7b046d90857477cc660b62b0beadeb1084a3a0ea5a3eb4e67e

SHA512
d9e922cd46aa23914d4ade74ac1304b186c89cfc975b1104711823e2937ced4039feecebd0c747bf82eac0f14f3a1c0c5e575c70f57ca5fe90eaa9f2df0b882a

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
55KB

MD5
20015780b9e9cd137a613a7357aeb0c1

SHA1
f27cd9b03844c33316df8a5eb1f664dd4e9fcb80

SHA256
e2b9322978bcb9b3eeb3762752b50df2e018d554e5f6a1a4212d0a64b8effc96

SHA512
962d3e84e40561bee3bfb641fc3a4a1a090cb6a78352e3ef3016dd8c18633b5f18b7003fe73246133a55d0f0236eedb66954d1362df229679edf758e336b969b

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
55KB

MD5
aed91f2558099559c944462049b1bcf4

SHA1
76b7aa1733fd74feda5357d425b6f8d15d2f9361

SHA256
00528c0a239bf4dc9ab1ebccb11eb01107d63c20c46576142cb8cc134a7fd46b

SHA512
49b0a72b34146b76cc3ac93beffcb5085b478a246ab0894bcfc906d273309c61978b0b29c62046aaeacb42eca3d1f148a1755690cc88553dbd3e9a2c75d39648

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
55KB

MD5
1d28c2723299acf7e012b8fb5c19e87e

SHA1
18090a5aec23a532fabfb7619bded51e4cdfb746

SHA256
839b726585243a18b35c75ba9f8f184e75adbb649930c83249548f721129b7ec

SHA512
453740e0e22ade7242f3fe6b56b61e9aca842c3cdabafaa83bbcf9e9c7641e02403051831f1469131f53e22ee2b1ae731b1f6d6aa144605b937fae8ab6d6d924

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
55KB

MD5
f477cbedeea31206db092420a070a4bc

SHA1
d24493f8a9ab109db9f3f30c652319f797598e22

SHA256
27bea173f0a7ac186cfdc373c063c716148ae3d85e8d30619eeb98cb88f5e170

SHA512
171a3cc7ff6dbeeb05b72403deb95e2bc694a481277bde566847f9bb606364c822bab8768099b9f630356596a777d0a1d07c8cf5203fdeab1fec585a613da0ca

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
55KB

MD5
49faf4acbb9d8a53fb775bc09750c34b

SHA1
f836113f4bd328e2f81df3419ed95fc21fa287ba

SHA256
f6983aaaf7febb4e34a33cabbbbb2b09d2c88935de03c8d55b7512894b175d12

SHA512
817b09f0b109d7603f814d70c1ae604d1d864493a991189bb4a7c6e5cf66fbc45ca81fb775eb58880a7fb2e5ba0a4b29ee899976b04186c7ae3c9d50fefd4279

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
55KB

MD5
6aef7ed106a4d4ed018082ce27503b5e

SHA1
364dd7b7cc78a8d93c1682cd0d4e996f41c80caf

SHA256
3a1faac6cf6f0d2bff5c11a5315978a0ad82eb6f82c890e9bf7455f870320d47

SHA512
a59d1c315c7fec8307382f5c9188c0bc7cb367861a5c4e69c5e7fbf24ea0ade97eff616e1d3a11bd433be770d0b7c57ba986b8c862a63789df87df1b838c4ccb

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
55KB

MD5
e905dac72ab95fd0470d69765dd2012e

SHA1
e95a7418e39344e057efbef26ccc580e7ecc96ef

SHA256
810486501d9acc0326467781c5d128eff7596d1b613183485b3077828f92b76c

SHA512
a1d5fe6e22e0b7458ad170364f202e81ff07f0a064e81cb6fade6d01a163b62bea3d6ec10171b986654c0596bf8176c74a24b44bc3c14db9252e3e98bf82a834

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
55KB

MD5
7b761bda8f862d4b22f3dc869f396dd0

SHA1
341d1cc0c179a215a2bef2e97ad4011a4254d8e3

SHA256
11be10d9d76738909620c6ea679db34fe33ebf08feda8054b3ba4fb66aed5826

SHA512
3ef1e10fa47307b252c64a749b212542a9bb248985231283667df20c0fed3108e13b31181af084986b9d1f7c4cda6ceee62e139f99c0821e6ab316de4240f4be

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
55KB

MD5
20958338601eb61563e87701af4da8c0

SHA1
bc85512f98ad3cb67f46434d1d71f3b997f195e7

SHA256
fbfc3e64f21e2892e34922664a26f1aaffd37a440931911f06cd4a06c45ca1c4

SHA512
1d1ecece328b72451b5636ba88bf21fdbec5204b6c8ab270f67611cadf74bf90d4a12c2b952a76b59c02385df3444d84f1a11dfa1d798b33b28865b756641270

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
55KB

MD5
b5c734f782fb6a84a451f3fa959b1ef4

SHA1
40a5577ef668901eef49bd795d44a1d2c9efd4fd

SHA256
82b333882382edb747d3db89ff46d81538a973a1488e6ebd41f8587d0204fbab

SHA512
30847f742a0edb06cff46654853f9b8cd332bfb0362ee2842e98dff9684e9698d0784eff8931ef65cc1de0f8d2e4168fbc127472720af63343a743ee53b775a1

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
55KB

MD5
3a607a00eefe474731b21b4ff9268cc8

SHA1
64f332e9e04f022ffafeb27312fa44e74b717962

SHA256
1b513380728544fb12911c989f476d658cafe422018463f7f4c7eeb840c2fe8e

SHA512
6b8e36fe0677f2c2cd6f6d277797e6c4cf8d8d4565f94fbf71ff08e164e17225a47647d42903068faa32788a9b2c6690a43d376cf2605c28d8dd056ded4b29c4

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
55KB

MD5
fbe61808b4fc045a4590e33c10e3eaab

SHA1
6b309eadfa23259ab1930c3c16ef9aae516b85fd

SHA256
9094a22f6c59261bcb83f6f21ac785625c534a6de818a28e91c5e6deae46df18

SHA512
ebe6dbf3e002e42453cd83fc32a2cf3d52bf008617002e16e1f931545a4856336799f00d4257bd509e92092a6973f1a863b2a71633fb6a184115e0250942ed01

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
55KB

MD5
629fe27c56d2fdb2b8412268e65699d8

SHA1
bff1858e7fdffe21ea8a2df531e8bfbdc8868747

SHA256
23213c1da6df16054e81152a9f8e3795382e200486093abca1900d792ec63539

SHA512
ffdfe4aee4702dff2ce454f788fec4d1804b8b701a948c15674138e92965b36a06ad63d4fb7990dd7f08d6457d44c907a5f10a3727021d217abf001fad300568

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
55KB

MD5
8c2f38ade3ee1d96b39ac047b983cdde

SHA1
30db8bbfbc12f87634ffbd074c0452d23a0edef7

SHA256
4b8c0425bb75e140a10c1ea840538ec4929ab90f3ec0fcd830c7c9e532d25fa3

SHA512
68a173e8d8df39a893a58c2eae997be7b73ca451bbb665772e138902fbfb17c825f9666303f38c20b7a1a270b1d8ca8fff5ff9febb5e80d27706f40d134ab266

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
55KB

MD5
2e6e287b8d0738f1be5c7b289773875b

SHA1
fa84d317d21d9d9bc406478da28e71a605882b1f

SHA256
eacbeb6b7296a16242680e5783d14a08f9c2e1ec8bf0bf3a1d06220554d35e33

SHA512
9bfc04e2282569688f3bab89899290ca206cadc66a832992be19237a2e8352d19926d48cac41a513f5e954ef35f229d9771029a27fec53a0dcb76c5ff75c8d11

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
55KB

MD5
6653c117790f09d44da7315080aa8b84

SHA1
05eea383f89fb7cfb443c55fe8c742e84978c0f9

SHA256
e3f2a433864eeba513994fad4690b8eccc3dcc1f0d8d2f1762357a4d50e1a6cb

SHA512
47f9334433f1a39142c48d6fc402373454c1c2683ae3e75858357524fb6552d0ae9284ead4effc654dc9e46e65806feb114bf9fd1c6f99b39b7498ceaebe4b39

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
55KB

MD5
ee91786135090d58358290620267851e

SHA1
6869fcfc51ed439cefb1250f90deed9f30ed6b52

SHA256
672359453867aceb52041770ee8b8f75c8d7060549d07014af7dde2abe1300bf

SHA512
edf2ff46c212909b31ce124687488e0654cdfc5174447b1d933ba4a625334adfad520257462bbf9ec7042950a2dcf3349b0fbe99993431ea14d2b46e5b7ae5c6

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
55KB

MD5
5edd3a087109bcfa96777a3de157f3df

SHA1
27c7c16f93fe2b1111c5757659a9bf50e24fad6f

SHA256
f7507eb9a33afef42405acad53e5c5476022b28bfb4b67d782638c6a91e3a512

SHA512
3ba3625eaf4b4608f558a80c72bc2ff633bc7e39f6b9ad36644c7f2f7a835526d06b715119f2ed7bbb22623b6e03c6f85051bf340aa98c27d067973915375be9

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
55KB

MD5
fa7a5f59c0cb1d138467838a5889f26a

SHA1
209f022f04ae19f1f4bad648c3f69bb2b21d5ec0

SHA256
144109dc984325b02d36674f686e408a0faa0e2d556466a49362022278590c6a

SHA512
d84eca50cdf646a31a9be462e77ea9000a6ada4539a8455d2a574e3ae01967180490d8d75a0b5fe49bc9d8fbc2289b722be22b7a6b96190f9b089279d05a8cd8

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
55KB

MD5
a15fbbb12c5c3e08e76479091f9bf153

SHA1
4233d02ed827c52ad7b11968bdf4d8399ef083f0

SHA256
2d372b0c850b47ebbbeaf4aaf8eb25d38f4ef89d688ce13cd5941cb2696f76d4

SHA512
80ce840b05f828c6e7c4ab2ffc11a178c856974a3949ed8d90f9be6bee9dde7b71f551b5774e84eee4cfbcf56e9889669c92a2adc5b881adbe06c1ed499f4831

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
55KB

MD5
c29546da497670e14e1f0cd7192e05d8

SHA1
18cfc73dd3bdad0760ef541e6d788fc441fe84bd

SHA256
ffaac5863b1cd9e5a1f59d556ed0fbc0353a995860b1cc065e4c08285b255e15

SHA512
18c1652b7d0df7cf1f998827f1a297e8a325d7ab6658834ae2494354ec40210af813acef5d1119b609566b8901601751b811c7516ee4f117e9dcf5550f334035

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
55KB

MD5
630b20ca8a9628003e64645d992acb71

SHA1
f64a790e47a4746e453c6d922c4226c5fb6f525f

SHA256
b95b560b9c27c1e2a6ea9d85a946c2a38071c000afeb600d206410349eece6f5

SHA512
370001d3e035fa7dc375bff73a3667a4e21955bb6c5b5396b367cdf067ef78b52e984343dd2531c1265cd7fa4e1f877291eb22a83c9fb8c62de5898860ec3bdf

Download Submit
memory/232-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/232-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-307-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3864-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3864-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads