berbew | 524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
Size

163KB
MD5

4dd77dc3b5e4bf0322f766d8bfb10391
SHA1

0943dc8ecd3593891574fa2423dbf6184c253536
SHA256

524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6
SHA512

fbb2ee36685158fde1fcf8ff0a3b37d2e41b2880d4ac89e68c5172145235261c7634ea79e32554c41fc13f996941e7ed3fad9897e8a7c26fe91da1f8f8d113e3
SSDEEP

1536:PPjKS3bSyYMr/hvMgP3uqQNtElProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUw:njKQB5DeTEltOrWKDBr+yJbw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdajkkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmehnan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogefd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpkbdiqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqdajkkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcadac32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enakbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpkbdiqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmehnan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edkcojga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppkph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogefd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Endhhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
2136	Cnmehnan.exe
2728	Cpkbdiqb.exe
2656	Cjdfmo32.exe
2480	Cnobnmpl.exe
2468	Ckccgane.exe
2936	Cppkph32.exe
576	Dgjclbdi.exe
1400	Djhphncm.exe
2892	Dpbheh32.exe
1656	Dcadac32.exe
1232	Djklnnaj.exe
1856	Dogefd32.exe
2756	Dfamcogo.exe
2332	Dlkepi32.exe
2352	Dcenlceh.exe
2420	Dfdjhndl.exe
1664	Dolnad32.exe
1140	Dbkknojp.exe
2220	Enakbp32.exe
2164	Edkcojga.exe
700	Ekelld32.exe
2404	Endhhp32.exe
932	Ecqqpgli.exe
860	Egllae32.exe
1528	Eqdajkkb.exe
2672	Efaibbij.exe
2092	Eqgnokip.exe
2836	Eojnkg32.exe
2572	Eibbcm32.exe
2500	Eqijej32.exe
3016	Ebjglbml.exe
2016	Fidoim32.exe
2800	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2132	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
2132	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
2136	Cnmehnan.exe
2136	Cnmehnan.exe
2728	Cpkbdiqb.exe
2728	Cpkbdiqb.exe
2656	Cjdfmo32.exe
2656	Cjdfmo32.exe
2480	Cnobnmpl.exe
2480	Cnobnmpl.exe
2468	Ckccgane.exe
2468	Ckccgane.exe
2936	Cppkph32.exe
2936	Cppkph32.exe
576	Dgjclbdi.exe
576	Dgjclbdi.exe
1400	Djhphncm.exe
1400	Djhphncm.exe
2892	Dpbheh32.exe
2892	Dpbheh32.exe
1656	Dcadac32.exe
1656	Dcadac32.exe
1232	Djklnnaj.exe
1232	Djklnnaj.exe
1856	Dogefd32.exe
1856	Dogefd32.exe
2756	Dfamcogo.exe
2756	Dfamcogo.exe
2332	Dlkepi32.exe
2332	Dlkepi32.exe
2352	Dcenlceh.exe
2352	Dcenlceh.exe
2420	Dfdjhndl.exe
2420	Dfdjhndl.exe
1664	Dolnad32.exe
1664	Dolnad32.exe
1140	Dbkknojp.exe
1140	Dbkknojp.exe
2220	Enakbp32.exe
2220	Enakbp32.exe
2164	Edkcojga.exe
2164	Edkcojga.exe
700	Ekelld32.exe
700	Ekelld32.exe
2404	Endhhp32.exe
2404	Endhhp32.exe
932	Ecqqpgli.exe
932	Ecqqpgli.exe
860	Egllae32.exe
860	Egllae32.exe
1528	Eqdajkkb.exe
1528	Eqdajkkb.exe
2672	Efaibbij.exe
2672	Efaibbij.exe
2092	Eqgnokip.exe
2092	Eqgnokip.exe
2836	Eojnkg32.exe
2836	Eojnkg32.exe
2572	Eibbcm32.exe
2572	Eibbcm32.exe
2500	Eqijej32.exe
2500	Eqijej32.exe
3016	Ebjglbml.exe
3016	Ebjglbml.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dgjclbdi.exe	Cppkph32.exe
File created	C:\Windows\SysWOW64\Dcadac32.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Jchafg32.dll	Djklnnaj.exe
File opened for modification	C:\Windows\SysWOW64\Endhhp32.exe	Ekelld32.exe
File opened for modification	C:\Windows\SysWOW64\Eqijej32.exe	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Mghohc32.dll	Cpkbdiqb.exe
File created	C:\Windows\SysWOW64\Gogcek32.dll	Enakbp32.exe
File opened for modification	C:\Windows\SysWOW64\Ecqqpgli.exe	Endhhp32.exe
File created	C:\Windows\SysWOW64\Egllae32.exe	Ecqqpgli.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File opened for modification	C:\Windows\SysWOW64\Djklnnaj.exe	Dcadac32.exe
File created	C:\Windows\SysWOW64\Jdjfho32.dll	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Dbkknojp.exe	Dolnad32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fidoim32.exe
File created	C:\Windows\SysWOW64\Gdidec32.dll	Cnmehnan.exe
File created	C:\Windows\SysWOW64\Qbgpffch.dll	Cppkph32.exe
File created	C:\Windows\SysWOW64\Dpbheh32.exe	Djhphncm.exe
File created	C:\Windows\SysWOW64\Djklnnaj.exe	Dcadac32.exe
File created	C:\Windows\SysWOW64\Dolnad32.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Ecqqpgli.exe	Endhhp32.exe
File opened for modification	C:\Windows\SysWOW64\Eibbcm32.exe	Eojnkg32.exe
File opened for modification	C:\Windows\SysWOW64\Fidoim32.exe	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Khknah32.dll	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Cpkbdiqb.exe	Cnmehnan.exe
File opened for modification	C:\Windows\SysWOW64\Cnobnmpl.exe	Cjdfmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ckccgane.exe	Cnobnmpl.exe
File opened for modification	C:\Windows\SysWOW64\Dcadac32.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Dcenlceh.exe	Dlkepi32.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Dlkepi32.exe
File opened for modification	C:\Windows\SysWOW64\Enakbp32.exe	Dbkknojp.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Eibbcm32.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Fidoim32.exe	Ebjglbml.exe
File opened for modification	C:\Windows\SysWOW64\Efaibbij.exe	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Efaibbij.exe
File opened for modification	C:\Windows\SysWOW64\Cnmehnan.exe	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
File opened for modification	C:\Windows\SysWOW64\Cpkbdiqb.exe	Cnmehnan.exe
File created	C:\Windows\SysWOW64\Lnfhlh32.dll	Cjdfmo32.exe
File created	C:\Windows\SysWOW64\Dfdjhndl.exe	Dcenlceh.exe
File opened for modification	C:\Windows\SysWOW64\Dfdjhndl.exe	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Ekelld32.exe	Edkcojga.exe
File created	C:\Windows\SysWOW64\Olfeho32.dll	Edkcojga.exe
File created	C:\Windows\SysWOW64\Eqdajkkb.exe	Egllae32.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Efaibbij.exe
File created	C:\Windows\SysWOW64\Cnmehnan.exe	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
File created	C:\Windows\SysWOW64\Jfiilbkl.dll	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Eqdajkkb.exe	Egllae32.exe
File created	C:\Windows\SysWOW64\Cjdfmo32.exe	Cpkbdiqb.exe
File opened for modification	C:\Windows\SysWOW64\Cppkph32.exe	Ckccgane.exe
File opened for modification	C:\Windows\SysWOW64\Dolnad32.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Galmmc32.dll	Dfdjhndl.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Eqijej32.exe	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Cppkph32.exe	Ckccgane.exe
File created	C:\Windows\SysWOW64\Djhphncm.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Bjidgghp.dll	Dlkepi32.exe
File opened for modification	C:\Windows\SysWOW64\Egllae32.exe	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Lkmkpl32.dll	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Klmkof32.dll	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Dmkmmi32.dll	Eqijej32.exe
File opened for modification	C:\Windows\SysWOW64\Cjdfmo32.exe	Cpkbdiqb.exe
File opened for modification	C:\Windows\SysWOW64\Dpbheh32.exe	Djhphncm.exe
File created	C:\Windows\SysWOW64\Dlkaflan.dll	Dcadac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
884	2800	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djhphncm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enakbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eibbcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjdfmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Endhhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egllae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqijej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppkph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpbheh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfamcogo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcenlceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efaibbij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdjhndl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkknojp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekelld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckccgane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcadac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnobnmpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djklnnaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dolnad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eojnkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmehnan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpkbdiqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecqqpgli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqdajkkb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll"	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbabf32.dll"	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll"	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmehnan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll"	Cpkbdiqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgpffch.dll"	Cppkph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djhphncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll"	Dogefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmehnan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll"	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll"	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpkbdiqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpkbdiqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cppkph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfamcogo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdidec32.dll"	Cnmehnan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll"	Dfamcogo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiehf32.dll"	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekelld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2136	2132	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe	28
PID 2132 wrote to memory of 2136	2132	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe	28
PID 2132 wrote to memory of 2136	2132	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe	28
PID 2132 wrote to memory of 2136	2132	524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe	28
PID 2136 wrote to memory of 2728	2136	Cnmehnan.exe	29
PID 2136 wrote to memory of 2728	2136	Cnmehnan.exe	29
PID 2136 wrote to memory of 2728	2136	Cnmehnan.exe	29
PID 2136 wrote to memory of 2728	2136	Cnmehnan.exe	29
PID 2728 wrote to memory of 2656	2728	Cpkbdiqb.exe	30
PID 2728 wrote to memory of 2656	2728	Cpkbdiqb.exe	30
PID 2728 wrote to memory of 2656	2728	Cpkbdiqb.exe	30
PID 2728 wrote to memory of 2656	2728	Cpkbdiqb.exe	30
PID 2656 wrote to memory of 2480	2656	Cjdfmo32.exe	31
PID 2656 wrote to memory of 2480	2656	Cjdfmo32.exe	31
PID 2656 wrote to memory of 2480	2656	Cjdfmo32.exe	31
PID 2656 wrote to memory of 2480	2656	Cjdfmo32.exe	31
PID 2480 wrote to memory of 2468	2480	Cnobnmpl.exe	32
PID 2480 wrote to memory of 2468	2480	Cnobnmpl.exe	32
PID 2480 wrote to memory of 2468	2480	Cnobnmpl.exe	32
PID 2480 wrote to memory of 2468	2480	Cnobnmpl.exe	32
PID 2468 wrote to memory of 2936	2468	Ckccgane.exe	33
PID 2468 wrote to memory of 2936	2468	Ckccgane.exe	33
PID 2468 wrote to memory of 2936	2468	Ckccgane.exe	33
PID 2468 wrote to memory of 2936	2468	Ckccgane.exe	33
PID 2936 wrote to memory of 576	2936	Cppkph32.exe	34
PID 2936 wrote to memory of 576	2936	Cppkph32.exe	34
PID 2936 wrote to memory of 576	2936	Cppkph32.exe	34
PID 2936 wrote to memory of 576	2936	Cppkph32.exe	34
PID 576 wrote to memory of 1400	576	Dgjclbdi.exe	35
PID 576 wrote to memory of 1400	576	Dgjclbdi.exe	35
PID 576 wrote to memory of 1400	576	Dgjclbdi.exe	35
PID 576 wrote to memory of 1400	576	Dgjclbdi.exe	35
PID 1400 wrote to memory of 2892	1400	Djhphncm.exe	36
PID 1400 wrote to memory of 2892	1400	Djhphncm.exe	36
PID 1400 wrote to memory of 2892	1400	Djhphncm.exe	36
PID 1400 wrote to memory of 2892	1400	Djhphncm.exe	36
PID 2892 wrote to memory of 1656	2892	Dpbheh32.exe	37
PID 2892 wrote to memory of 1656	2892	Dpbheh32.exe	37
PID 2892 wrote to memory of 1656	2892	Dpbheh32.exe	37
PID 2892 wrote to memory of 1656	2892	Dpbheh32.exe	37
PID 1656 wrote to memory of 1232	1656	Dcadac32.exe	38
PID 1656 wrote to memory of 1232	1656	Dcadac32.exe	38
PID 1656 wrote to memory of 1232	1656	Dcadac32.exe	38
PID 1656 wrote to memory of 1232	1656	Dcadac32.exe	38
PID 1232 wrote to memory of 1856	1232	Djklnnaj.exe	39
PID 1232 wrote to memory of 1856	1232	Djklnnaj.exe	39
PID 1232 wrote to memory of 1856	1232	Djklnnaj.exe	39
PID 1232 wrote to memory of 1856	1232	Djklnnaj.exe	39
PID 1856 wrote to memory of 2756	1856	Dogefd32.exe	40
PID 1856 wrote to memory of 2756	1856	Dogefd32.exe	40
PID 1856 wrote to memory of 2756	1856	Dogefd32.exe	40
PID 1856 wrote to memory of 2756	1856	Dogefd32.exe	40
PID 2756 wrote to memory of 2332	2756	Dfamcogo.exe	41
PID 2756 wrote to memory of 2332	2756	Dfamcogo.exe	41
PID 2756 wrote to memory of 2332	2756	Dfamcogo.exe	41
PID 2756 wrote to memory of 2332	2756	Dfamcogo.exe	41
PID 2332 wrote to memory of 2352	2332	Dlkepi32.exe	42
PID 2332 wrote to memory of 2352	2332	Dlkepi32.exe	42
PID 2332 wrote to memory of 2352	2332	Dlkepi32.exe	42
PID 2332 wrote to memory of 2352	2332	Dlkepi32.exe	42
PID 2352 wrote to memory of 2420	2352	Dcenlceh.exe	43
PID 2352 wrote to memory of 2420	2352	Dcenlceh.exe	43
PID 2352 wrote to memory of 2420	2352	Dcenlceh.exe	43
PID 2352 wrote to memory of 2420	2352	Dcenlceh.exe	43

C:\Users\Admin\AppData\Local\Temp\524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe
"C:\Users\Admin\AppData\Local\Temp\524dc34934936b6d9e5ae24f45cb36821d9f225e74043fd6308ac4f831316ec6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\Cnmehnan.exe
  C:\Windows\system32\Cnmehnan.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\Cpkbdiqb.exe
    C:\Windows\system32\Cpkbdiqb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\Cjdfmo32.exe
      C:\Windows\system32\Cjdfmo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\Cnobnmpl.exe
        
        C:\Windows\system32\Cnobnmpl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\Ckccgane.exe
        
        C:\Windows\system32\Ckccgane.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Cppkph32.exe
        
        C:\Windows\system32\Cppkph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\Djhphncm.exe
        
        C:\Windows\system32\Djhphncm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Dpbheh32.exe
        
        C:\Windows\system32\Dpbheh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Dcadac32.exe
        
        C:\Windows\system32\Dcadac32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Djklnnaj.exe
        
        C:\Windows\system32\Djklnnaj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Dogefd32.exe
        
        C:\Windows\system32\Dogefd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Dfamcogo.exe
        
        C:\Windows\system32\Dfamcogo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Dcenlceh.exe
        
        C:\Windows\system32\Dcenlceh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Dfdjhndl.exe
        
        C:\Windows\system32\Dfdjhndl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Dbkknojp.exe
        
        C:\Windows\system32\Dbkknojp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Enakbp32.exe
        
        C:\Windows\system32\Enakbp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Endhhp32.exe
        
        C:\Windows\system32\Endhhp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Ecqqpgli.exe
        
        C:\Windows\system32\Ecqqpgli.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Egllae32.exe
        
        C:\Windows\system32\Egllae32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Eqdajkkb.exe
        
        C:\Windows\system32\Eqdajkkb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Eojnkg32.exe
        
        C:\Windows\system32\Eojnkg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Eibbcm32.exe
        
        C:\Windows\system32\Eibbcm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 140
        35⤵
        Program crash
        
        PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cnmehnan.exe

Filesize
163KB

MD5
723de53f2434bd235688fcbde53dabf9

SHA1
1a6f49cf7a7461ea9fd08151a1c06b407f8f9c62

SHA256
2950ccf69643ffb5f05601fbebcade10299c5c209a4bf39876edea3832e3da57

SHA512
26ab1a91fb9f8a8801f937de4c3445a21326cf9671d8ccb4d373e9b47be77c809f92a9e9e4260c55ada7d9825ea01e6cd3c7d230337cfcae67e709d12c500527

Download Submit
C:\Windows\SysWOW64\Cppkph32.exe

Filesize
163KB

MD5
77d1f1253705a8aa102d027414b31339

SHA1
68e8cb5527c7cd297a7210681443bdfbb224cb53

SHA256
b22f5245516d7539f100d959f905a5ad0911aedcb3b32dc3bd7ce6a9fedd8886

SHA512
b540d076f77e3d1326ddd079c7e533d9684bf757efefb471612e5b2adcb869abac82640bc2c4cd80b8c8880497a3e1cc7813cf572699c6d3e828b5c7bedef6e8

Download Submit
C:\Windows\SysWOW64\Dbkknojp.exe

Filesize
163KB

MD5
1517d683fc7be35d1c868551dae293a3

SHA1
577aa5f58f6f641ba576bf8252231b715cb2c06c

SHA256
ee5e3b65f732a7c77ded2884990c39a9ef09bfee66b651c6ead3842ed787b380

SHA512
4e8578df0fc1a6d8b32f888ac1d3549ac1385e0c6eaff98c3dd021a344b01730c4534aecef5a54e00731c5d92811ff893fd9775e5660c2a49ea570046a83cd58

Download Submit
C:\Windows\SysWOW64\Dcadac32.exe

Filesize
163KB

MD5
2c4fa906b9de51528049788e10f8d317

SHA1
6ba33339839a22483c978379840e0dfa6e8838c9

SHA256
f0829b9bdc1b1760456bc0441378e3902dcd3fb96dd863f8d47b0d5fb9751abd

SHA512
5e8f3c5bc1fc29fdf6fa57df4ce6c282e4f85f07aa56acda9b22b561f6cd5d7f0b73d861646b973cb44f804fa5d6bfc122778fb2d19505feb6bdb9fd3ecb2559

Download Submit
C:\Windows\SysWOW64\Dcenlceh.exe

Filesize
163KB

MD5
05fcae66b3481d629c3d780767d4f33e

SHA1
b37bc0cc9cc4fb5f2afe357ac9a55d05cdab8b5e

SHA256
7ad9bbd531b8df3f86c7c4dcda5b1e0fe05d96bc6f834a08c3cc1798e8959c00

SHA512
b5c82dac3d7164a614c927117d1bf068f0c2e7f0cdd882d993e9a67d9f799e0124d80fcb2922eb43f39444c169260dda70fdcec5d36de9cbae2af7a5b1dbbb30

Download Submit
C:\Windows\SysWOW64\Dfdjhndl.exe

Filesize
163KB

MD5
b0cdba60a7859de986218d63b4d259ef

SHA1
2cb9e1994e97b9cdd47d1ec785320f1b56e9da30

SHA256
859150880fc5f3d06c9e299fd483c117f05a75fd354cd2beab13a7d8caed81fa

SHA512
01a41c2d36ff59fec9a75158e4720d371aa1d12e06a1874b0dd6af7f564ed8c67e3d2477101580c80e5ebf4a872a26c930e95a5c0f574381d5d1a5c18cfe1fe7

Download Submit
C:\Windows\SysWOW64\Djhphncm.exe

Filesize
163KB

MD5
36ea4a58b1792e56a4e4eb03c7d311e7

SHA1
59882f17cfec6465d73a3c361afba29381008ad8

SHA256
2da0a97799e76eff3c032ba3ff5e5859c0ce581b94dbe61e10cd8ed75caa873a

SHA512
c1cccde01da0e35ad65546faa490347067b058cb0b9284151ed0d9146904fb79479bf965517b599cb75b92e64e366d9c483055b26719a1996eddd82090723b28

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
163KB

MD5
004dae87eec561fc76a2df1072eb3c66

SHA1
2dbed1eaea71cb3b7f118d556dc9e3b0b31c7704

SHA256
7fe6e136d522984dca1a948f79e55b926663eee820014a538c479b53caa9d81e

SHA512
3dec12c7df1508baf63a881c4f21dfbdf3af2f60fcc940bfdb68ad36c3b78c833fe54d5f214ff04c22ff4eb934359faba3b4b8665fa50be952712760806c98ba

Download Submit
C:\Windows\SysWOW64\Dpbheh32.exe

Filesize
163KB

MD5
44070b352ea90374bacb542b9b826fc8

SHA1
f373cd44ce20dc6bd1fb2048764c58aa4c1075c3

SHA256
221785853f570ca7378c5121b96a1ec8c0bda8d5d190380635c60e8cae283562

SHA512
20c5dfa44b49bccd0334b4bc205b64b1a9139bde33f036a48aaf0d34658962ec4753e6a7af18e538343311922c7dc2e6a1375bc2f66f38569265e92adaf7e286

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
163KB

MD5
ba6770f3fa9ddc10dd8bb7c46670fc52

SHA1
72ef53075a06835208f70f5774408961acdca3b8

SHA256
b26da7582781a94dc17ed8e3a00db96f99007bf82bc11dffaf2e13bd0a8ad692

SHA512
10bebaffc2d0f24fc673fd4daa0ab354d87635a1ebc741bacd23157d170020f5ee8d353062c32036e6f0b0374da0aaceeb32ccb621e0bb9ad0bda5c391440b39

Download Submit
C:\Windows\SysWOW64\Ecqqpgli.exe

Filesize
163KB

MD5
bf3bf1cafed6a537311a708283bb5771

SHA1
2c38268eeafd442c9b1c4cda3745b841ca9b60fa

SHA256
dd3490d31ebfa9c3ca26bdb044480e2c4162f42dcad3292fd3e7ea03868779f0

SHA512
794fd9f11282264080405bbf79c47a2605d6b3ab81f4da26052e0ae1e326d6bc21dfaec024572af7255399d8e847a687e19418eb9460bcaf127e85e7aa47c821

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
163KB

MD5
ff288c34bc0325c895148dd4c09685cb

SHA1
4bfc2fb82963cb42974fe60e1e54d53ebcaf3e32

SHA256
fcd6899fd14f4e8d95007cd55f56dc9538bad7a9e03458ab55c00239d2a87327

SHA512
09f5e9252143710d5227b1e8e64df4cf995c8411d69a9e60b237c49af2c2614ab88374feba2c1db1bb8fdcf9c07539fb92b112f6b1eb806c098fe68060fe4ea1

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
163KB

MD5
e28abd67d6b1c2d33bce54469019823d

SHA1
407f1bee0aa050c0cddf39dddb3e6e2dddf5aaa8

SHA256
7f0212c01e487cce0b37015846758933f48f5032adeb162b888c7bbb723095b9

SHA512
97eaec9b96aa89d3f1ee09953d7bceb859e4e498c3f0ccafcdbbcda56ebe9d701f26f75d4cbd9dce0d5720d40aa739fb178ca586cafed7f6eb84af5f0945b650

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
163KB

MD5
6a7b94df654d021f8e5a24729d4152c5

SHA1
21f57618990d23fea5b0f517f637e15e0bc8e2d0

SHA256
fdc1661c117b78f0e3d0e3097251c6af6769e409a8212bde4e2a1faf34dd69a9

SHA512
4eccb6cbbe414059c1135ad8d037b1b67f94346bcf1835ed477a458fd50593dcaf6a99095b849f1f9d2927001036512508c31f23c0aabd0e87b68ff36ad18364

Download Submit
C:\Windows\SysWOW64\Eibbcm32.exe

Filesize
163KB

MD5
4abf1d2eb9e3df74f6ae6848540771f4

SHA1
80dd0fe3c84dfa04974818a356a4694f69f0897a

SHA256
a7f3d9a90445f5c9914f164e699d114e1a18649c73068596981085e08142e22d

SHA512
0bbe59daac5d83346a819224623d8f43a56820b75da957f5988880bb26725294efcb0a729ce5d7cc2d2e2de6302f5c2301e36d169cd2684518a57e5260e3383a

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
163KB

MD5
3d35819c5e14a5dd5c12f1f38be1f215

SHA1
73d0552b181cba9474902e178245a522611aee64

SHA256
3f8a226ecc8baf6ac4958e231563e8b11f3172a82e64e6d60e308fd1a42ef2c3

SHA512
f58a25a95ef98e447eabf75c043e0715c784c3c8997f11139582601fbe33c6f3a46a6249bec5c07e450b44ebfeed61601fe3633c883a15ddb86326247e58a26f

Download Submit
C:\Windows\SysWOW64\Enakbp32.exe

Filesize
163KB

MD5
5ee354a817579154fd9fa5b26e01c8f6

SHA1
2261a81b530cef779c5e76c94a7652a2e39fe3f1

SHA256
43e95027750d00c89670c42a46fb90cc10c0c49a48d034885c3a50188a15038c

SHA512
e41ba36fb52a567e10a6557ee6937405e177f3829808645d37021bd90775d14e5a2f26429dc2155bb74ee0bdd24f18f0c3a27e8578c2fdc95c27dbf42791eb00

Download Submit
C:\Windows\SysWOW64\Endhhp32.exe

Filesize
163KB

MD5
c36aaa068183b83fe14315f441bbe4bc

SHA1
062de66fafbd58472320211fd8a57da816118849

SHA256
cd11f6b387a78b450c0ab4e95bfd89c941f2592787f50c1f8c8d6a544c69d4a0

SHA512
032f868f4c6dcf6285c067964e8efe3c793ca37d7763e2429cf14e93024ef1d03aa7ed45cf21ba62b2f8ebeb92fb7cfb0bccdfea9460007a63bcf9f3e3898202

Download Submit
C:\Windows\SysWOW64\Eojnkg32.exe

Filesize
163KB

MD5
c659c4962e7b959c49eafdfd08084c23

SHA1
db0e93f321661d5535d3fe7ace769fbfcc695939

SHA256
f53a21ee591f76e12e63fe18b7605af78f7eb34c3145f802992568466f1e6579

SHA512
07ee57db409cad486f546201ccb8f3e92b0b943b233815a6a7493220ceb100816fc3e66d15d3e24088d970665c71f6b490e5ea7d0b2c63bb78aef7e05fda9dca

Download Submit
C:\Windows\SysWOW64\Eqdajkkb.exe

Filesize
163KB

MD5
044ab4970a19b20e4658a8c04c830740

SHA1
c10b276591d9f78fc4cbf3c6651716acf026dd21

SHA256
da7a21770dfb646198f9e28fc5653d87fbb0a27c2bf791252312b5d1c9478695

SHA512
5a79b4778ac8a54c03c5467aac54b8b41db81e788ccad28fed1565282e8a18ddb98b1aef3ce4d7f82c4e9127f6ff81423cc234e5bb27625dd546ded1c8c204c6

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
163KB

MD5
af522fb860457465fd8601febc12d1f6

SHA1
882e7d3cc654003c308249218921f80b0c83a6b2

SHA256
f9b5ad7c9bf42cab5f0e56bb29fe31ac2e4006c1ee0d3c7d08323a899ca3cacf

SHA512
a6f8193275e47e3808fc6ae0d57f538213c873ab9aed8541613f0c7cf19f1ec4d5aaa2c8122ccb7a1a602e7fb2f8a04cf4ecd154dda13d743d5c80aeaeb97915

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
163KB

MD5
618e4f96008e7557ea43864db40ad081

SHA1
a156d89ed9a98abff8287ba717b7c1214b1b08f8

SHA256
d7b714b31c8e91e3155ab207f11223910a342663ed8c364821233cb2ac1f5976

SHA512
729857e1cee6e24755d7dc8e63205018edb8ce57e38ab98c74030dfa2147da8c55f3e00dad1e847a12d1756ecd907db857fe13ee092ff314e92fb490856d73ab

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
163KB

MD5
43d8e22490df5c07a68bc33b5062b849

SHA1
763c372cac5c063adc57a9e21d71d16c8ad25ca8

SHA256
d6424917947b5ebaef7835097d26738bd4889ea300a6d82314cbca4eeec5677b

SHA512
db7633992ffbd9403f6841e573f83f79592b7dd1de93fd871bdf8f5dc438a991264942c6509ad67041f6eaabb20ec721f3af2f514d56765496daf327f4aca5a4

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
163KB

MD5
d365f5d1b0292bcfd5e43bbdc587ba96

SHA1
afb4e523098cf1e882f3b63234a377fe5e683018

SHA256
dde31ceb3dd7a9eed502dc87abde462b19e383211fcbc54e44dc629d5c85f139

SHA512
286574eb03f9a754acd7296d0137a34da718f458b8d9cdbf404f7cf6dc100a755293746045fe7a56c1425a4feaa1513a481dc2cd4f62ba08d68b7f3d67a96f6d

Download Submit
\Windows\SysWOW64\Cjdfmo32.exe

Filesize
163KB

MD5
969f387cc61e2a304ceee0c9cb268835

SHA1
883b9e898788fadca74608e9cf9aad23d98c9101

SHA256
a9567e9f9874607fd47b970ee586171bcbf10e7b0ff4a6d2196e9a5f4dab8944

SHA512
8ae84f3949818320a31d28114b63911c70a1cacf1bbc76274443f0b89f2126d55f84fdf7893742ed684bdd132ea36e02d1793fdaaacb011636e7286fa9bd110c

Download Submit
\Windows\SysWOW64\Ckccgane.exe

Filesize
163KB

MD5
f2ab800e147cde83b66905602d7508dc

SHA1
6928861331b004b0e8b1aff20f34cd642fdf3b45

SHA256
879203aba14acdec616c0f915ac419c46a2d6dd7318519ccb17e28b56b0d0aa1

SHA512
070962dfa77e2da4e31d5b38e7574a2f4602d0ecf40566a6d6ab8598e329bab98079094b266b3167881ba90cbbdba08f0af1c89a9c443f0c8133837e7ede5310

Download Submit
\Windows\SysWOW64\Cnobnmpl.exe

Filesize
163KB

MD5
7339ead3bea88c156ca3090747dd833a

SHA1
8441a6900381cea5cf4a388caeea83a3ace2c90e

SHA256
6629d5c9a965b7eb430fcf869a6001315309840ebee9cc926253b4deaebbbb83

SHA512
67316209bfd0367336f1f11ee262ce69399bb53dad4f2c40504316ad91219579a6b195d5321c0ee19d8320eae519faaa655151c3ce1a08bc7835c123e7add11a

Download Submit
\Windows\SysWOW64\Cpkbdiqb.exe

Filesize
163KB

MD5
f63a257dc560372ca0839f8185f00a22

SHA1
c768156d6d507df54be1eedec41f8fcf2b144046

SHA256
e784f162fb81f9cebac39247abebae776e2feb3ecd018455370e930a0fc74443

SHA512
28e7c84b12f76a004afba4019d8beb82d49ed27be4ed0cba6f7160df6555c4e4a9b1ba8af5edce1d5058e9d599f869bb6de465dac5e9c316a3b0991ed669c97b

Download Submit
\Windows\SysWOW64\Dfamcogo.exe

Filesize
163KB

MD5
19e1191be994122d7c8b8e06ed019478

SHA1
025eab7cf8da367c454dca8a483ab0f02954bef1

SHA256
222d00ccc162c806b18673364090a216ca88d8b79f47beda1e5bc477d9cb1842

SHA512
f60079a4297a1482496e7a9bc83ec633d751838a52049ac479de309ea9f8ec8848cac0b98aea8bdc7b14ea7f455d7e0ae097510d6f55ecb17a9bc09eb63ce071

Download Submit
\Windows\SysWOW64\Dgjclbdi.exe

Filesize
163KB

MD5
1ff14d3ee8abad8eb1419ca24a6b7e1a

SHA1
3dcd222d0b84d06134b6b07193f2148a67b25804

SHA256
501b95332ef45e9f170d75674d0d3d1d5fd2dbfefb84062a17413d16eb689085

SHA512
8928a72e8284f217f6fa53bbaeb3c45507012fc29c76f553ee894883c2ccba6da8cdac0413191538e42081866d60b04b18806e754cbb48d70da34e205ce8c154

Download Submit
\Windows\SysWOW64\Djklnnaj.exe

Filesize
163KB

MD5
c8e263a1dcf5d1eeaa7199220a18e788

SHA1
db908a6556e9db2b0c02f6641e9e28ddef44aa5b

SHA256
51aeb7230f855b64a6b5a7819ae85cd2362f54ebed48b903b116d011486d733f

SHA512
7c74181b1c0f458c9d351f5fe95600c69d9dc5726817a6d54f50df641e7f615d9d25bec67c6eb9567379fa8438a76a1a3f635627b30bfb0bbbb515648b21ef9d

Download Submit
\Windows\SysWOW64\Dlkepi32.exe

Filesize
163KB

MD5
1e0cde3155733e37d102951d18674012

SHA1
d268d3e437474d56c00d9df31ba7f2141d7af63d

SHA256
216a3dad6f6f4e75bf02f6a084fa9fd1f96fae786ac79d7573051f6f0e8edc66

SHA512
f4741f2ef52f3131edc297d254e7b3ee7b239239a9bf00eddb12d49a0fa08fb667434e6ca49166fc38f6a35105b52807f761cbbdf74b1dd0675987157931cdc0

Download Submit
\Windows\SysWOW64\Dogefd32.exe

Filesize
163KB

MD5
3d269bfb14e4e7f1b0431aaf3e6e0607

SHA1
23a5e63823fd25ed6c56e153134cfa3f3259af77

SHA256
44e99847681afcf3249922ed5037175b8929198285f472d637cd721bd4d852eb

SHA512
7ed7edba1892e98442bf2bc62ba5696952496bcb32950a235e74209890f6d897c7bbea2ae2cefbc97ecb6b54c95a5a28f70341108546fd95948eec5147d189f6

Download Submit
memory/576-446-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/576-444-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/700-270-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/700-427-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/700-280-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/700-279-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/860-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/860-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/860-310-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/860-309-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/932-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/932-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/932-302-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/932-298-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1140-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1140-422-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1140-247-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/1140-243-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/1232-438-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1232-436-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1400-457-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1400-118-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1400-106-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-324-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/1528-320-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/1528-318-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-416-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1656-439-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1656-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1656-143-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1656-132-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1664-226-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1664-235-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/1664-236-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/1664-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1664-432-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1856-166-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1856-158-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1856-440-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1856-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2016-390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2016-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2092-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2092-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2092-344-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2132-17-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/2132-452-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-18-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/2132-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2136-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2136-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-426-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-269-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2164-268-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2164-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-257-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2220-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-420-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-259-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2332-433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-197-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2332-196-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2332-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2352-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2352-203-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2352-211-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2352-212-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2352-429-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2404-414-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2404-291-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2404-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2404-290-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2420-224-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2420-225-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2420-214-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2480-61-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2480-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2480-463-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2500-375-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2500-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2500-402-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-418-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2656-371-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2656-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2656-450-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2656-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2672-334-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2672-333-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2672-409-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2728-35-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2728-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2728-451-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2756-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2800-396-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2800-435-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2836-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2836-352-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/2836-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-88-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2936-445-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-447-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-380-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-386-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/3016-385-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads