berbew | fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
Size

64KB
MD5

c064049ffa960056649c2daeb8017e83
SHA1

59d26b72ed92bae02d9e62a2252b8c06de663d89
SHA256

fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad
SHA512

325abe822750e35d8c8c093a5dee834085391531129138f1d30e8f9be0602427c91bd7027475448a478960f28266e7e2dbdfde93497cd4c8aa477923f7e35086
SSDEEP

1536:PX4fHKyUNRjeLvN3GybqyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyWyybyyyyyyU:P8ysNKF7Pzw9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 39 IoCs

pid	Process
3804	Balpgb32.exe
1376	Bcjlcn32.exe
2572	Bfhhoi32.exe
1856	Bmbplc32.exe
2672	Bclhhnca.exe
3996	Bfkedibe.exe
3064	Bmemac32.exe
1112	Bcoenmao.exe
4036	Cfmajipb.exe
2360	Cndikf32.exe
440	Cenahpha.exe
404	Cdabcm32.exe
212	Cjkjpgfi.exe
2136	Cmiflbel.exe
5020	Cdcoim32.exe
4452	Cjmgfgdf.exe
2876	Cagobalc.exe
1524	Chagok32.exe
4764	Cnkplejl.exe
1940	Cdhhdlid.exe
4092	Cjbpaf32.exe
2224	Cmqmma32.exe
3884	Dhfajjoj.exe
4780	Djdmffnn.exe
5116	Dmcibama.exe
4032	Dejacond.exe
4496	Ddmaok32.exe
4748	Dobfld32.exe
4792	Delnin32.exe
2576	Dhkjej32.exe
2152	Dkifae32.exe
4276	Daconoae.exe
1540	Dhmgki32.exe
2664	Dfpgffpm.exe
1936	Dmjocp32.exe
4004	Deagdn32.exe
5112	Dddhpjof.exe
3112	Dknpmdfc.exe
4788	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3456	4788	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 3804	1684	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe	83
PID 1684 wrote to memory of 3804	1684	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe	83
PID 1684 wrote to memory of 3804	1684	fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe	83
PID 3804 wrote to memory of 1376	3804	Balpgb32.exe	84
PID 3804 wrote to memory of 1376	3804	Balpgb32.exe	84
PID 3804 wrote to memory of 1376	3804	Balpgb32.exe	84
PID 1376 wrote to memory of 2572	1376	Bcjlcn32.exe	85
PID 1376 wrote to memory of 2572	1376	Bcjlcn32.exe	85
PID 1376 wrote to memory of 2572	1376	Bcjlcn32.exe	85
PID 2572 wrote to memory of 1856	2572	Bfhhoi32.exe	86
PID 2572 wrote to memory of 1856	2572	Bfhhoi32.exe	86
PID 2572 wrote to memory of 1856	2572	Bfhhoi32.exe	86
PID 1856 wrote to memory of 2672	1856	Bmbplc32.exe	87
PID 1856 wrote to memory of 2672	1856	Bmbplc32.exe	87
PID 1856 wrote to memory of 2672	1856	Bmbplc32.exe	87
PID 2672 wrote to memory of 3996	2672	Bclhhnca.exe	88
PID 2672 wrote to memory of 3996	2672	Bclhhnca.exe	88
PID 2672 wrote to memory of 3996	2672	Bclhhnca.exe	88
PID 3996 wrote to memory of 3064	3996	Bfkedibe.exe	89
PID 3996 wrote to memory of 3064	3996	Bfkedibe.exe	89
PID 3996 wrote to memory of 3064	3996	Bfkedibe.exe	89
PID 3064 wrote to memory of 1112	3064	Bmemac32.exe	90
PID 3064 wrote to memory of 1112	3064	Bmemac32.exe	90
PID 3064 wrote to memory of 1112	3064	Bmemac32.exe	90
PID 1112 wrote to memory of 4036	1112	Bcoenmao.exe	91
PID 1112 wrote to memory of 4036	1112	Bcoenmao.exe	91
PID 1112 wrote to memory of 4036	1112	Bcoenmao.exe	91
PID 4036 wrote to memory of 2360	4036	Cfmajipb.exe	92
PID 4036 wrote to memory of 2360	4036	Cfmajipb.exe	92
PID 4036 wrote to memory of 2360	4036	Cfmajipb.exe	92
PID 2360 wrote to memory of 440	2360	Cndikf32.exe	93
PID 2360 wrote to memory of 440	2360	Cndikf32.exe	93
PID 2360 wrote to memory of 440	2360	Cndikf32.exe	93
PID 440 wrote to memory of 404	440	Cenahpha.exe	94
PID 440 wrote to memory of 404	440	Cenahpha.exe	94
PID 440 wrote to memory of 404	440	Cenahpha.exe	94
PID 404 wrote to memory of 212	404	Cdabcm32.exe	95
PID 404 wrote to memory of 212	404	Cdabcm32.exe	95
PID 404 wrote to memory of 212	404	Cdabcm32.exe	95
PID 212 wrote to memory of 2136	212	Cjkjpgfi.exe	96
PID 212 wrote to memory of 2136	212	Cjkjpgfi.exe	96
PID 212 wrote to memory of 2136	212	Cjkjpgfi.exe	96
PID 2136 wrote to memory of 5020	2136	Cmiflbel.exe	97
PID 2136 wrote to memory of 5020	2136	Cmiflbel.exe	97
PID 2136 wrote to memory of 5020	2136	Cmiflbel.exe	97
PID 5020 wrote to memory of 4452	5020	Cdcoim32.exe	98
PID 5020 wrote to memory of 4452	5020	Cdcoim32.exe	98
PID 5020 wrote to memory of 4452	5020	Cdcoim32.exe	98
PID 4452 wrote to memory of 2876	4452	Cjmgfgdf.exe	99
PID 4452 wrote to memory of 2876	4452	Cjmgfgdf.exe	99
PID 4452 wrote to memory of 2876	4452	Cjmgfgdf.exe	99
PID 2876 wrote to memory of 1524	2876	Cagobalc.exe	100
PID 2876 wrote to memory of 1524	2876	Cagobalc.exe	100
PID 2876 wrote to memory of 1524	2876	Cagobalc.exe	100
PID 1524 wrote to memory of 4764	1524	Chagok32.exe	101
PID 1524 wrote to memory of 4764	1524	Chagok32.exe	101
PID 1524 wrote to memory of 4764	1524	Chagok32.exe	101
PID 4764 wrote to memory of 1940	4764	Cnkplejl.exe	102
PID 4764 wrote to memory of 1940	4764	Cnkplejl.exe	102
PID 4764 wrote to memory of 1940	4764	Cnkplejl.exe	102
PID 1940 wrote to memory of 4092	1940	Cdhhdlid.exe	103
PID 1940 wrote to memory of 4092	1940	Cdhhdlid.exe	103
PID 1940 wrote to memory of 4092	1940	Cdhhdlid.exe	103
PID 4092 wrote to memory of 2224	4092	Cjbpaf32.exe	104

C:\Users\Admin\AppData\Local\Temp\fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe
"C:\Users\Admin\AppData\Local\Temp\fd3aa46741d8d54ac0adf2d21b8a3a942f3be4c4fecb02098fe5437480a1aaad.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\Balpgb32.exe
  C:\Windows\system32\Balpgb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\Bcjlcn32.exe
    C:\Windows\system32\Bcjlcn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\Bfhhoi32.exe
      C:\Windows\system32\Bfhhoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 396
        41⤵
        Program crash
        
        PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4788 -ip 4788
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
64KB

MD5
e1b6f77caf528979a331410f0adf7143

SHA1
6caf9bc9ac07dc26e92c8d1ce7af7e571cfa6a30

SHA256
6efe94a0460819949294240761eadd62ef3d80db938f9c65141f17be1ae6b9da

SHA512
6a1ce8aa22765f61753f908c9102dc5de7a99d11681b2f9baee2e283521b04c61c9a8126f4f7b263d303b01b925c61d286408a86c173fb8d5fb07aa378cd9d09

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
64KB

MD5
8eb53cbfdc92d4c1849e7464f1bc8a22

SHA1
230ecab4542d62ed0d916cbb5528c262718ece47

SHA256
0d52d6c8377471c373b57d956be9f3ea22f7737448403b39752a161e6e4ad27a

SHA512
5dbf70b1999ffd1608a4992ab3ede2aec44ac812ff2fd3d6e38697a2dc61cd6e02787c26c23ed4d879541df6c20290d7e4d9e5ea3dd0dbca7b8c598ae0cd9720

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
64KB

MD5
396cc287fd70d6930cffbdcb2e5aae38

SHA1
a22d7fb5ec0d97584496397e85bcd60b28268d6a

SHA256
0e4ea94f5211fdc4eb4c1c1b2f4e482e5d71cd47f5bca992ac9ae0764faf61e3

SHA512
d46e6b7d6fe894c0fca6a0b190d2b3cebe7bd8ec8c2f15455890a6f3d55736435fea122920d2a9270224e2a631b1a2ccfb76e783c401b9f79e7c2b3812584926

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
6b8cc7699eca321485dc58ad202b3d23

SHA1
2e4833487aedbd8067f984a64057918d0f9a9f0e

SHA256
1482c124b09ad66372d2d2dcb84c23de4f968448c015f68f8c758404fa4ae066

SHA512
00a9903840555ed9dea0768fc3727b26e3b72cc6d29509f3d79f541a71c91f42467176c9b12e0dbbe0455525bf2418bfb333d1b7239c9e9c10914e3f108f2c22

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
64KB

MD5
ccace67c4a06ff50f8ce3e7fba9d72af

SHA1
df6e75c9376ddcd9ff229790e0d4dcf42ecc0ae6

SHA256
e45d1b1c089bad361a5d8e37646665b37a04dbf7eb0b9c21d19638bc6a333b29

SHA512
153cf1fb804003ad21b8e9d76beb48165902c46dd20aef8ac3d0a002a4d545696f04b0ee07ecb74606bc32f1fd783ed70394e241f1c0f9e0f03398d78109470e

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
64KB

MD5
c6f969a08147c1330184e267d4c6d013

SHA1
462e070e61bf8d222c0e9815dc069b045a5396ae

SHA256
0887d585f4d98b9d3e1be146631eeced361efbb12fe1dd21db01cc00f87bd8bc

SHA512
0fdc22e2f3e8f902da57fc45a58ecdd3b77fee50f42ba9b77204610b4618a6dcd32a78c07303642f65d72df9de0b76f35eb7a6e7be41a36fc3c74600cf76258c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
64KB

MD5
b10261877a68b22682dd75612b3c585f

SHA1
c48b3cc258fb290c235912f8972e50acec6ef915

SHA256
3e87757cd776a6ff2958cd6de6a9271f1a07f707f88ea47e1d5d782b205e3cb2

SHA512
713546c012fb58e12fa868dd3a5385582883bf3b2733b3ad11dca3a8655c3f0563984ce7fbd708c5853eab61b5127768f48a2ce885e124bdbbc5cf41a4fe11b0

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
64KB

MD5
5c9db306dd762ef1acc8d680d2d1ff63

SHA1
0c9879e252ff4cb5611fbfe5320222ac120adb44

SHA256
5f40dc3559dd9d834d450c422c95c8ca668bc4847f0320c6cbbb954c85edff34

SHA512
f77d783360da2959d55b92a03e236139a1728220edaf3c366629b4af15c02436cdfad8281af0b16c4531a01cb1455ba60177f1ac19fc26d8e318ffa305de6e96

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
64KB

MD5
be8293c25b8a173af0ed376f6b4f3e53

SHA1
0367abfb7cfbc588b94ee30e12c46a395a17f791

SHA256
d3694e3e7ea714b79e1687de1105610c3509b82dff10ad6139b5bea107069c15

SHA512
47b79b06959d88ef2dd7241b0c1ccbac2cc5c4747f056e94b63a3b8a559fbbfa8402c17fbb5207ab5c42129cdb0de540f983e5cfd86596e433353d94153a325e

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
64KB

MD5
88d56613deed1aa66c6fad29072bcce5

SHA1
d274a3b981fba853005cffe2ef09d13471957700

SHA256
1935f980ab99fe716ee6239aff7089100fe7e44cb8822385e831d2922784ae56

SHA512
d4bad5d46d511e7a23fd636f502313084990f79a5a4eb954dfcbbe892e1a838d0096d2b426f839b687c713e78c535dd0feee13135d6aeb3decca05fea4de5a60

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
072903e2250606d1bffda95d428b3b59

SHA1
544846db325c1f5961bb4cc559bb71baad0e1eee

SHA256
b9006d1ec67e54deb291d8fb5a959c449e1fdd833e86c3ebfaef9a252e7c5933

SHA512
14e6436a47d5779ddbacfbdfe91abec84e3cec5bb0c7537d87d87fca667df2b59b13fea40e04a8198c5965f476b9fd4164fce362c368fe3ef53c92d95e1f722b

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
03ebcfee12c447760636a9ee8a95afe3

SHA1
9ceaa2e36c5068219ff95651c134954b40a44a10

SHA256
ce82833e708fd592cc3ec02f5615a2a0f2d94eff410c701d7132b2c3543b3c9e

SHA512
7b9fbd7398267fb4c56366988f194143596fa5ca929f539b01aedf065b4e3f654128fb170e443438c6aa0369129b51de13fb0d284ff3c01633779e1f905f6ba7

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
64KB

MD5
79d0283fb854bf6d98eda63b18f41d4f

SHA1
fb11a175064de3ae1495dd8d974985d09c54971b

SHA256
c2e22afa9dd1a8b21040cdf4f13d35da2c53383e04d221bab18901a36d0ce2cf

SHA512
729062095b51ba404b2e22990d89aa6e8dc60fefda1b5bd347efa0f905646f350ec252e06421d3ec4c1514cc2d3f5418157318ae6f7aa92be589980c9c90c97a

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
762c851e29a3efbc5967ad8f76a2dc51

SHA1
c17e9e8a42cecf51a4357714985967d32f074529

SHA256
a96f93f1e1ea181cd447bd7fb7f2dd446d18ada778694490f8041e41ffdcdd80

SHA512
546b374cc01d1083554c5728b7a108c4491fd63e0bc33849ff440c3048b6acb18f3d763a2354970f942ff12a15c040fa94145dbf83bb68abf52232a3910167e5

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
64KB

MD5
25ca26e101f6855579cbd4f4daa8328f

SHA1
524d0ee199ab618809d17f75c8dcfba46a5cadd7

SHA256
4340ac61e49a52e584e0b32ad8860bd5060fe1b03475d6a0559915a291b53f46

SHA512
fadb77fdfe94bf4e1400b1365fb49686abe0d1b6de54de270eb5c6efeb1c2e5d53313506aee6b794bf7cae5a21e67f05119dbbcb3ea32b1583957ed78913efb7

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
71fec8e13bb4a2eee4bab4658d19e1be

SHA1
5f0a3cc9ef1965190001ea73e8eeecc16075f134

SHA256
6db2ff82aca984882ee9cdcaf923cf562dff2e09b237df351fbe3cc3b19c39b1

SHA512
ca71718a7b3371e883d7e5adae54092d45a60765623e52c23c322382d7e5141128394ebedab0d356300872e5b4723344b35eb56c86dde82a1d66ce175b4c25c2

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
ab9fce4ade01268bd3411ba00ba1eb52

SHA1
04f2f300ccc92590f968484215ba04aa3ac4fa10

SHA256
d034f85e20fa1b6bd41bb7759d783a69e27661d92a864d8d31afda7e9114845d

SHA512
5a70fc13a0d052e9a8ad5916318ae54251843e4bb368037b84f70a6a238c3f53664da58a92bfa36631de688a5de5b8013fb41639926e1d607faa653ed61d7f48

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
e6103615a3987d75e5facecc2c18302a

SHA1
dfa52a6b45cad1cd1dc09a16128378a025f637fe

SHA256
2a75b17d18868a5101f855d99148c5aa60bcf7869cb91fe9a23ce9b7d2542b80

SHA512
fc62caf53604967313657e997d20d1a663a38c1f6883e36264c3a69bf2e9a9811431529cfbf9c2e9460f039d7bbc5b67e4a038f9391da55d59c0b51999cabfb6

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
64KB

MD5
9f7cb89004780c2e6289ade863ca92bc

SHA1
bee4fec1b49e10b70fc529adc4308f770a012b0f

SHA256
65421aed14757377d98af439292ca11af4a76ef512592d7e16fb6f984cc4cdf6

SHA512
a61043c19d7924857aab2630422f6e0ca1dea3cd84ff04297f539f963bc861b81a5010a740281375789fe853a0e6d50af6dd494bae210bde842cac464501b4b3

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
56ff84e25523213c0cce80e5995d070e

SHA1
772042ac78f135ec2e26a8ac072ec468b03aeb1f

SHA256
a32a0f66415915cb3b17b1a58c110f1ee8d21c828973a95b3731cc07f12f35a6

SHA512
5fbb7cacca7b22900449662071109f244f85a06586fcdc5dc3e6126e44905ab30be8a918802061e3c92a8369fe6d0efb3855f6d494ba1086502cdda560481247

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
64KB

MD5
53fd665f54b81294e8836137043712ba

SHA1
a5fe8d5c1d02ffed0f565b3eb70270b1e3479362

SHA256
c95976e1816098c03c9af820a8dc94c454b459a1960ae0d6cf6cc50b1e6e72c0

SHA512
8eef245b15634f5d03462870f743f9c693acae13b9484f515070769d63bae2c160891fd5de5b7135b7914cd8fd3f1802cef9e68f7f9fe7a11bc3405b157eaae3

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
a32891c72988a9f3fb0bc3b59b32fd94

SHA1
1de4a93aa310e844b8bbb9498041ec4a1ea8c4f0

SHA256
5849e9e1fb85ba9e969aa859f9f4c21b8c4f518c9f85211e1828630b4cda1f77

SHA512
a65a8db179057aa7d7a8befd47f889a34a06034256e6fc7c5b0bd7cdcada90c0c31eb23860d71dedb902052507fb0c94f6024ef41162f93113602372e7a45df2

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
64KB

MD5
f705b770d972fa182242a5f97ffcf56a

SHA1
cf5fa11421f869bf84f92f00cfce2459f7048a8d

SHA256
b3e4c17275a93c9a772e2f9864643f180b6d779f294d9d3c8f9343c062a93ca7

SHA512
08aded6433e8cc5369e8b3591a3d8260eed66e01745b828cc2365fe3ea1d3798288020084ec3e35c9d48fbceab790c8eb4de79e2e0683d35dbab046271d5beb4

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
eebb79aad11a570f89ea0b92a16d4b93

SHA1
ec0dffcaabe502da85e6a7465d4b5cbc13e9397a

SHA256
db1355842a359864f3db8f1e9c1127e5ce9311993628ebac59226bad1b85ada2

SHA512
e0060a55e579a44eeed43a82320de08e4a48ed438ea632f020b224daa15f089e2ab76e7e7b06fab49f90a655e0fbb4e4041a3d23bee0712848d86ba86345f107

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
16ca147a9a0eb91f822cf46511e4371b

SHA1
50b4be254340f3b629f6e39e7466011193a50c4a

SHA256
e50670691566331e33fcd6eef57954ac8755b97f567b9bdaf275159b372147c2

SHA512
04a8581141475222378bf1ddd21c10bf7faa245cf63026b00a550f57a7808284783c6414c024c55dc72c3afccbe271a48c0c42c72a42ca43f15a665febd6bb43

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
bbaae512949d6461c2a0be1034c58f6a

SHA1
1524fee8727d3d0df08e494dcfafe45298a4b98c

SHA256
24228c3365d42449b89f72c8912e276523ca6ca0fb2977ba673d8650b5050a73

SHA512
d7fb92a415fddab7f651312dfe4aa19757d2e8f7ac28c4ddce3d0c99f6a597923dd35bd241e6fa82fe9900546123741ff8ac604d979dd3140d9f6092f8dfea76

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
def247bd15e6146312b5c7aac255aa09

SHA1
80700545d75721fbf6788d345ac29badc355aa19

SHA256
0e0f8fd42526535be69f72f06a253547951ff5e4164dd34b1e7075ec19b62525

SHA512
6b2037d19a3737780e0671a15c443f0eaf0682753f495c5ac8d94b02ed59568f5f82a70f4a6f9d7c9dc50ab6b11eb78ccdf3acb9a41f40c72f77835975780f1c

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
25c2190832a67c0b15e00f4aa5cba689

SHA1
579ab3139a64d111533bb2332e5949312eeb3f2d

SHA256
d77cbf0e5cddb385ad064a83560510c0013b291c0b8f2c69d50772610cdf0979

SHA512
63d18c362d5c7183c36a5854e2f5942ed59256c5bbff12e6050b4589d4cc984779f8d5b02222d3bfae191d94ab93409a2be3a539958aa09cf43d9b2d4098735c

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
64KB

MD5
76ef1fc4b88a5910fa54470484d0d2b4

SHA1
cd2fdeaaea7e6f97566e2ab09ca48f75e03fac4a

SHA256
9af072f6be33f92d3c51b7c07b82fb62cb3698d6fa0400b26601d4c5fafd3e46

SHA512
ce0a2b7e1ec205b87723ac52f5ebe7d262e59de58015581560ce4ec19352dda32d4550171c239214a58bf6183e616c1aab26e8320a02857cd7a7841785815b1e

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
5726d375f941a55e657d8112371ba73e

SHA1
028fea9f0fd1a0d91889afab24110e7a312ccbef

SHA256
cf088f3ca3dd4e96ea423617123ef08185c415f71815dae0c60c0dbbab9436f4

SHA512
da016f0aade3a505dfc6b7313332033fd163ae1fbeddb67d9ae17011b94e5b2204d519cc75b131b6ff181167befab4049fa8150d394441628441a8aaae2f1c29

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
64KB

MD5
6c0696d6b356b97f758d45dbbdcb51c7

SHA1
9a066de12c81508d9433e539050b5ced6699ee6d

SHA256
7233a63570f65ad1261214037fb263c0d1ff5e0d1a8421487295634c6df87235

SHA512
bf5d2e63efb47e6ac6c10493e1bddf4b6d3b77150ccdb6b86a765f7e1b1c4fe4e05e447cf527b3ea1d56d09404ad0467e88daaa1efa87389efd00092eeab0632

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
fe323ae94666eb448af73dfa2f613c9b

SHA1
a42215dafff37b80209e2e33645de4610859000b

SHA256
c1b9656857bf4433f421bb02cf5b731e16f3ca2b72c78070cc7a871993b86841

SHA512
15e19cbd433cb9ba343fa7e91efc85b353d3b2165e7a99d6a384ef252b1aef1981b82277311193502dce8f5d43061e463f7013238ecdd596e0c717369ca7c47d

Download Submit
memory/212-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/440-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/440-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1376-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-307-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3804-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3804-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads