berbew | 254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8b

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
Size

97KB
MD5

64dd7d52bca15f2d795b0ce487d05920
SHA1

ed5c516476465737609deaafa861673c609c6d8a
SHA256

254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8b
SHA512

135abfac3e4188d8a24959d737d59daff9149f61b2003219adf6666a546e1d0a00bd005307341c52b3d26a3e1168ec939a75d9e485547075c8b43f4e1b72c46b
SSDEEP

1536:IvQ27E36D25nCDyAy0Me4QAj/HMKsjDWXUwXfzwE57pvJXeYZc:6fEy2SMKKsXiPzwm7pJXeKc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
1700	Bcjlcn32.exe
2368	Bgehcmmm.exe
2420	Bfhhoi32.exe
2892	Bnpppgdj.exe
2696	Bmbplc32.exe
4900	Beihma32.exe
5096	Bfkedibe.exe
2856	Bmemac32.exe
4968	Belebq32.exe
2504	Cfmajipb.exe
316	Cmgjgcgo.exe
4236	Cenahpha.exe
5056	Cfpnph32.exe
2260	Cmiflbel.exe
5008	Ceqnmpfo.exe
3652	Cfbkeh32.exe
2216	Cmlcbbcj.exe
1648	Cdfkolkf.exe
3464	Cjpckf32.exe
1264	Cdhhdlid.exe
724	Calhnpgn.exe
2060	Ddjejl32.exe
3892	Dfiafg32.exe
4440	Dmcibama.exe
372	Dhhnpjmh.exe
2980	Djgjlelk.exe
3836	Dmefhako.exe
4120	Dkifae32.exe
3968	Dodbbdbb.exe
5048	Ddakjkqi.exe
1384	Dmjocp32.exe
2464	Dhocqigp.exe
1672	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	1672	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 1700	2968	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe	82
PID 2968 wrote to memory of 1700	2968	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe	82
PID 2968 wrote to memory of 1700	2968	254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe	82
PID 1700 wrote to memory of 2368	1700	Bcjlcn32.exe	83
PID 1700 wrote to memory of 2368	1700	Bcjlcn32.exe	83
PID 1700 wrote to memory of 2368	1700	Bcjlcn32.exe	83
PID 2368 wrote to memory of 2420	2368	Bgehcmmm.exe	84
PID 2368 wrote to memory of 2420	2368	Bgehcmmm.exe	84
PID 2368 wrote to memory of 2420	2368	Bgehcmmm.exe	84
PID 2420 wrote to memory of 2892	2420	Bfhhoi32.exe	85
PID 2420 wrote to memory of 2892	2420	Bfhhoi32.exe	85
PID 2420 wrote to memory of 2892	2420	Bfhhoi32.exe	85
PID 2892 wrote to memory of 2696	2892	Bnpppgdj.exe	86
PID 2892 wrote to memory of 2696	2892	Bnpppgdj.exe	86
PID 2892 wrote to memory of 2696	2892	Bnpppgdj.exe	86
PID 2696 wrote to memory of 4900	2696	Bmbplc32.exe	87
PID 2696 wrote to memory of 4900	2696	Bmbplc32.exe	87
PID 2696 wrote to memory of 4900	2696	Bmbplc32.exe	87
PID 4900 wrote to memory of 5096	4900	Beihma32.exe	88
PID 4900 wrote to memory of 5096	4900	Beihma32.exe	88
PID 4900 wrote to memory of 5096	4900	Beihma32.exe	88
PID 5096 wrote to memory of 2856	5096	Bfkedibe.exe	89
PID 5096 wrote to memory of 2856	5096	Bfkedibe.exe	89
PID 5096 wrote to memory of 2856	5096	Bfkedibe.exe	89
PID 2856 wrote to memory of 4968	2856	Bmemac32.exe	90
PID 2856 wrote to memory of 4968	2856	Bmemac32.exe	90
PID 2856 wrote to memory of 4968	2856	Bmemac32.exe	90
PID 4968 wrote to memory of 2504	4968	Belebq32.exe	91
PID 4968 wrote to memory of 2504	4968	Belebq32.exe	91
PID 4968 wrote to memory of 2504	4968	Belebq32.exe	91
PID 2504 wrote to memory of 316	2504	Cfmajipb.exe	92
PID 2504 wrote to memory of 316	2504	Cfmajipb.exe	92
PID 2504 wrote to memory of 316	2504	Cfmajipb.exe	92
PID 316 wrote to memory of 4236	316	Cmgjgcgo.exe	93
PID 316 wrote to memory of 4236	316	Cmgjgcgo.exe	93
PID 316 wrote to memory of 4236	316	Cmgjgcgo.exe	93
PID 4236 wrote to memory of 5056	4236	Cenahpha.exe	94
PID 4236 wrote to memory of 5056	4236	Cenahpha.exe	94
PID 4236 wrote to memory of 5056	4236	Cenahpha.exe	94
PID 5056 wrote to memory of 2260	5056	Cfpnph32.exe	95
PID 5056 wrote to memory of 2260	5056	Cfpnph32.exe	95
PID 5056 wrote to memory of 2260	5056	Cfpnph32.exe	95
PID 2260 wrote to memory of 5008	2260	Cmiflbel.exe	96
PID 2260 wrote to memory of 5008	2260	Cmiflbel.exe	96
PID 2260 wrote to memory of 5008	2260	Cmiflbel.exe	96
PID 5008 wrote to memory of 3652	5008	Ceqnmpfo.exe	97
PID 5008 wrote to memory of 3652	5008	Ceqnmpfo.exe	97
PID 5008 wrote to memory of 3652	5008	Ceqnmpfo.exe	97
PID 3652 wrote to memory of 2216	3652	Cfbkeh32.exe	98
PID 3652 wrote to memory of 2216	3652	Cfbkeh32.exe	98
PID 3652 wrote to memory of 2216	3652	Cfbkeh32.exe	98
PID 2216 wrote to memory of 1648	2216	Cmlcbbcj.exe	99
PID 2216 wrote to memory of 1648	2216	Cmlcbbcj.exe	99
PID 2216 wrote to memory of 1648	2216	Cmlcbbcj.exe	99
PID 1648 wrote to memory of 3464	1648	Cdfkolkf.exe	100
PID 1648 wrote to memory of 3464	1648	Cdfkolkf.exe	100
PID 1648 wrote to memory of 3464	1648	Cdfkolkf.exe	100
PID 3464 wrote to memory of 1264	3464	Cjpckf32.exe	101
PID 3464 wrote to memory of 1264	3464	Cjpckf32.exe	101
PID 3464 wrote to memory of 1264	3464	Cjpckf32.exe	101
PID 1264 wrote to memory of 724	1264	Cdhhdlid.exe	102
PID 1264 wrote to memory of 724	1264	Cdhhdlid.exe	102
PID 1264 wrote to memory of 724	1264	Cdhhdlid.exe	102
PID 724 wrote to memory of 2060	724	Calhnpgn.exe	103

C:\Users\Admin\AppData\Local\Temp\254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe
"C:\Users\Admin\AppData\Local\Temp\254b113c31b2b42f0af494fa2a83173b7aa635bf8f5544415088971e232f7e8bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\Bcjlcn32.exe
  C:\Windows\system32\Bcjlcn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\Bgehcmmm.exe
    C:\Windows\system32\Bgehcmmm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\Bfhhoi32.exe
      C:\Windows\system32\Bfhhoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 396
        35⤵
        Program crash
        
        PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1672 -ip 1672
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
97KB

MD5
113d6930ab85337c6e3a6fb9dbd1817a

SHA1
44c7658c52fd5be77df63c44d17282f7e506b6b7

SHA256
757efb402f369e92216db2a01af9d7ec70820c79ef80291e16d1e902d2855138

SHA512
55bf3431274bf6f2c06f9f677ae52a9e17fb68957ecc8c86aa15fde59c4da3d46ede02aaf1ed51b93f30915f3b6d98717ef60ebbc2ae278771f23d840370a12d

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
97KB

MD5
372552a3307607e1d74b1ede5045ca88

SHA1
4d3c342e8120e7916c89af9afa772af83bbb85cb

SHA256
3a6edb6f4657ced06e05e09e990417e7d042516ff9419fbe5a5465b5257ffc60

SHA512
2b06e330dc4a78a81c7958361ba7585dd12a1f742bc8183fad98641fadcca55c16d8af3faff51ff203b34b5b0f48692979dc1b71d850547d80954eab9d1d4dc8

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
97KB

MD5
4a98ad158462997d4bab1b58720f526b

SHA1
d1a398e5c9dcaa87ccb8d6354a7fc0f96e639b6b

SHA256
2998eeb06014114e761fb399cb1d9846f0039c4db4acdf1bb7a179e77311f83a

SHA512
7da0c00222e2d3f707b907b61b95de9de720acf751271bef8db6ee0510bf56be66c8e0b0fe3ff2eb1e23008a74334b2330f9488400d42348c1436542f79f8226

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
97KB

MD5
23cf0fa4496ab4ad547a7e2f2bd23194

SHA1
c389183ef5c6681fef4bac7dcb96dd637bf19357

SHA256
5dc5b40bad0877accbca0ae4a5e49ce53536f7c6b9cb5e9d72145f556f686aea

SHA512
04a74e8dd95e64987311f18110a62a86fc7b35e5c5f6ff331f84a044203cf4c7da5a4558f0b54a6bac59af3d73f66ce5a8ab151c6a3fc2717b29e431e3b95bd5

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
97KB

MD5
e18cd19e9daac8b79cad457e4066f055

SHA1
13dde514cc01c88a94268f4e9b9488fdd67ce085

SHA256
0f846ea2313ce8526f79ffff627fd23e437f1937817c4fd89acdf974b8abbd0d

SHA512
03897747bb4321846ec138c3e881e4b5f7e0313ed1bc841b90ef36e1abb84f45972728106f6c88b320bf53237c91b4cbce41048656531140e2761bc21ba98ebb

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
97KB

MD5
b5ef2b7bf2ed7d67abbefe3c5c7e7059

SHA1
80fd206568b6cb8f7833a74424a7f40513aa3c00

SHA256
d1b7bf869858833d0db8227ace3a1233eb488f25b801ddd6b6ba31806e1c3e1b

SHA512
907bf30d61de95eb89ef2242c930d72314e9fe048335faf57ce48af0e14fad7301d148170378b4ef5bd6d1f56244929f7ddeff101a1b38b25b236c84bcab60e1

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
97KB

MD5
fc124ab74a91f24b7fe054152f93b8e0

SHA1
8ccbb8023b575c376c8423962f5e3fdc02fd7400

SHA256
01caad92a05dfcfd15a7a348b6695d29012d6a821a711fdfe7fc734c78c252c8

SHA512
f47866b7579ab3de8c9642208623f0e6518e00515f653b272f3b69599c68846fc373348680be593a6a1270cd3e60e331fc5357d38fe5893db346489a0b064628

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
97KB

MD5
d8dea0e21821b021093b8e164c70d244

SHA1
938ed8b03073249d6f00d8326d92529888803354

SHA256
ed4f79e489bb8f831bcd8f620e058b9ca8784e4655060895f5f9b8a398c844d6

SHA512
b47086abf07ea4954503861962571d6280f7a60c753eb30c85f27b1b404b3e13f181bb71b27b9266f81868eb0deb8a0faffb59c3d06879dca1e911b8f9dad869

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
97KB

MD5
01c775cdb596b958eb8493d4ceb61a8d

SHA1
839be6c732b7fd528bed33d78856d1fbdf42978a

SHA256
a2f79063a440bc8e89f37638d48989134d8527008447dff56166c0b21bd14cc3

SHA512
34e5eba5d537b4970bb21bf90bf93227a40d75d031ccaf82dcab01918c8aeb693da91b03843e0b4261a5a6a492d86ba1ee4d25d269723b2a2f42d20072b5ae72

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
97KB

MD5
e66a83bfcb450092d4938ef0f93c08bb

SHA1
758de89e3572e95d25835e9f0785f70d7f7da03e

SHA256
7f42bd3f0addc76d0b223842fce3da86191ce0932f4b60a0fa8a6640029432ad

SHA512
92457b7c7b974767bfb52e1cca8bfa7bbac58d10c77f64f0889b4d00738ff7ef9a97cc509fe226e0764f8678cd183b4ba7c313e7e7b6186753bacc8e0905ab02

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
97KB

MD5
fe8f0dea09947839ec8e953d15b099db

SHA1
e1d557e6c74d476d26024dcf87e114fc5708847b

SHA256
a9db71b2f575e0e908f8d11b9cc3d24dfded02af2cb6e72cdaa29e8f212e154d

SHA512
2953791aec7a1f694841b95022de38a28b97f29a893cad39e31798c2c274652ebc8f1ca97867f6cbb078ddca9b3434682578cdec0bc1d4d17dd7c3bde1213aed

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
97KB

MD5
15b65042ec4fc49cb7cdd10a8f9a4ef9

SHA1
0a5469b55f0461e653d802a9c9b53d8992d2ceb2

SHA256
824c93a22b39638bfcc591dd072877ee644f8a9e031a127974c1698adca3e44c

SHA512
b483c342260bd4bf2df5464ac1061577a3fac7cfef60027e4f537980cf6b1712637b8b70839ecf52234c372bf2f189113a0d76d30d5dee33097dc352cca26615

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
97KB

MD5
dd542955c0021fd2e6d1676e7f72790a

SHA1
3949de9ab1e2f7537ff56d1fae6685b8a0acf796

SHA256
e6a916ede6b5109794a390c4e09db5a0606c8a5b01f703c183ed9eeab20e09fe

SHA512
e6423503b776ecd7b48b5fd8962b861feb8859d86470fc2b09eea4763c94b9d2862d46d2603252f3727414d7bd4326de7f47c824f6d9575c12a1170557988ef8

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
97KB

MD5
08f764494e8fe9ef8d2d01c77eb6062d

SHA1
503a867505cd524ff41036bc38d57260aac1b9cb

SHA256
c66b278866f9cb63fe647dd56205175281c3c50189ca561bff681ea1c12543bb

SHA512
e22989d023e6eed43e549367d9b63f9c93b83057bc78dc25ca3a75d28d405ca77fa2454ac5f1f36cc580a001d32b0865b888b76ebf842ebc687e19d7b97c019e

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
97KB

MD5
d1d405b51bcffe601e85b1f77a1df374

SHA1
8d6ec8498f423492eb437bfaf6cb830d756437a9

SHA256
91495851da0b985b1a4e6df81be9e04d35a7d6685d1c75644901dc4c84e82971

SHA512
7f0ba3e77d1dd69466f8c71b9c2a9254b1c05a024fd7c427f8e2bf84d427f229ef5203953f237906479c6275ff55cddd3a0db8e9f0ead6166e9331ea35471eb5

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
97KB

MD5
cb4e767335249eafb7770f098f0c37dd

SHA1
74f6c10256c852a17c3261473b1792c1e21a077d

SHA256
220779a3489dba176d3da9ffff5ad351be0c6b770a6751cc91bdd498270602dd

SHA512
fde9e011570e08d711add158fcaa57cc0b5ebb3aa2aa2b3c69dd5e11c6241974ad07a79f5551b3fa4108ebd12c45f6606099fa35273ae16f65fd59f96c9029ca

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
97KB

MD5
5f12c012746b7762ba5723f93659bead

SHA1
a2ebe58d0d683c18b57c4933cab38a71810b622e

SHA256
1086bf1970116a2d3e3720c05596524a5b104082a41d9de8e2d9624a777c75fb

SHA512
4a60481c8276b2dba54ed2f899f4f184a87803db6e7f8fb3e556016811e15dc2086ae059b38406f7b07b8089cc84b09f2df659d510ee3a54e898646d230a6920

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
97KB

MD5
d9fddfe43ce229c58f1054088d993051

SHA1
aba3a1e95d3fea9e200fbd65db9cff32c02627cd

SHA256
0527a674922abbe4a655992961f0da80793b316839283e422fcfbe0a7df3fef0

SHA512
3acee98386e45a8c16540478c5d1401f757186cc1ca199225c18ee31799e5a4eea3a2a5c5549765326d0e9d9b091048e2674b396598a004d148260edb431902a

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
97KB

MD5
93197a3aea2cc5991abbdd60832cff89

SHA1
fbaeacfe2d53bcb00ddbaeb6e6bbfead625c5832

SHA256
feec9b53e4be1d44cda3d4680e61c5a6fcc3ec937549cb40d3e0f4373a41ae6c

SHA512
4b2ab5c3ac26e924783190e159b0924b7616e5529e6d3f1978a0d8ef6a60d46a54685ba098cc5eec6ea100b91faa94ed3037651d1908eb61a9ab829296681308

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
97KB

MD5
1eb67e04d2f541a576ff739c2cd3be73

SHA1
6bc82d5e5d50f5f470db0f5dfbc5d67ef7ba5b5a

SHA256
3c4a7bb048b4deee6be6bbe4dc8c2db58e750112c03b1e487fbd08bdf5f19634

SHA512
580bdaaf7b3ac3997a135048f7a478ba4008242a1e8ae54c35143d21a4a60a9e9bea8e342f62385a4a0c49426416f0cc1eb75725137604010a1d0c28108e2932

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
97KB

MD5
c86b4e538da3b79f13a2672fbd4bbe85

SHA1
8ff32adb03e5bbfa11bec5930032d389eb2d62d5

SHA256
01d91d663ec3cc22b400ee50c22a55522587a37a7a6c61c47fc990d5bfddf817

SHA512
d9fd112433a88bc8b50e2efb7eba8399173e2eb4a3c1145c96927847b71e8597d74e102e0db8afafebaf256c6acbebf71fd94343555af0dd3ba3c96fd9cd6a5b

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
97KB

MD5
6fee25837603ffde466edac7a240c7f7

SHA1
cabb46ead9a883d7366997235766247cc50ad1cf

SHA256
c2e45a712f09a6e74c584adb843fc1231a2c294da757eacf496638e41ca0e8e1

SHA512
6d4917e6454a518d79485823a7cec2deca781ec78de423d7df5d5bce991e6e4b20eac17b115bbd54bea00540fcac5907f4ed80c4c9e0d3b65b5906dd653e1fb3

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
97KB

MD5
4ebf09bd5a569a3d4fdeb966526a9a02

SHA1
48b28dbfafbc45f7ab992fb388a661ffaf599ff3

SHA256
657acc7773b156fcdba399bd9cba0e2747748347373787f843ff87874b7003a6

SHA512
148d7824a11d98edf77850f8054733aacefbffa077203b15ad3495f1ba8ded7a5408fa661e8d0c9bca67e9ae30862f6bd1d2b14bc857d4048ee36882c0eb2d19

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
97KB

MD5
0cfb2bcc5ae3f287c5706b3cadf9145b

SHA1
a0e2463889a907de86bf44ad252ef40587f727b9

SHA256
cc54669de1e319236e4c2e1de5350ad8bafaa70cc61e9705bf9d59daeac309e6

SHA512
6bf425da54bc72193dcce443c192034e40500f3d3da551fbc5765464bdc13adcf86a40cdf2e04bed8c3a80040b7d8b8b0a2f0a74a4eda30edf72cafb7b27056c

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
97KB

MD5
76e40ecb103e099370fce4e1d0ab8a08

SHA1
0785faa2a7cb4fd149048155af37ce943a94be43

SHA256
76ec8fb4151b2b0c2429bc948c641fb47eab3fdbc681e56e1bc6d40a12fc7b88

SHA512
e4fc0394fadf291767563ddbb792926ea5a8d38d5575c576d840c080daa8fa539d0413e06160eeaa008c74bf2ec3e1ed3a58bdbcd25db301c0a46693a5c07e73

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
97KB

MD5
62217d4d5b237b7dd413bb596f698af0

SHA1
d435f1c4d809bd67d22d38a22da0d83b57457950

SHA256
d2812b274d84a9295f2851152cb87861d6d7af9f69257ed39556fa52b883c7d6

SHA512
f8e8581357fab670b2726c8fd9768c82853fb91c482e036006c2709eb702073eae9f8a5f03425a47d4eb4c699acb3268ee71a875152fb1a8b6af00eebcd9b6ed

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
97KB

MD5
ba9f227f9676e69adc19b3f37c586c03

SHA1
39c56f64fd0896f787a39fad0be8d696ea6455d1

SHA256
808b25932d20d120c904610194bb8e3879177a4c3c084b0687dde4beda267d2a

SHA512
8d29647cfcb66a822feca73d6ea34c6062f43abedc53427a9e713ee6cc44c89c5daf42fc1747971d7331a1c15a1e891f73002c7d6a0f9c4e195c0d4ccb147141

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
97KB

MD5
9e38e1e1e6f9b8ed8f20a7a6f0f269d8

SHA1
34516d585fef8700e5e5cd30dbe783a8e9c97cd4

SHA256
9a73695bfcb053456e3565c731338c6243836f0aad39c2a8b198443f55b20621

SHA512
156e5e1f1f3eb169d234ee7cf70947bd14ffa86de668424efb3c247ee254b777a120e10bafd1a97c8d4deb6f97780befcac94fb5983fd50c84813cf6fe5f4020

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
97KB

MD5
3c5f42583f350f780adc5c65f778a0f0

SHA1
0d1049cc542bff0ee9837cdbceedef6db9312d66

SHA256
02842930fb50ce67ed17314cb27e690978af14d0eb06179b242f03c9ceb82d0a

SHA512
be135ae0257d520f54708008928871f4f2220ca4f8ba8779a40e9001cb485d373ad986f4d6341d7fcda3cbb1d475f0c2d5ad172ab068e1e75d35838de6b1f4be

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
97KB

MD5
9a0d79789422c7677ae579830ce85248

SHA1
0574d6746602970ffa218e44d321e2cfccf31ab4

SHA256
43ae2226556165b2a67a20863906b701422b91d7e4d93bdc9e979e3b36ed01f9

SHA512
54e10bd1eb67d820e5cdf9da5b65ebb1b230169209b00c5d80c454ce790da49087dfb25c127b5a2894af8c869f18b316fcad5193b910d5525a807117cb20bbfa

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
97KB

MD5
e9e7315f8319c2bde9078a375c674210

SHA1
78e454529213b6f4f17b54bd590bc828a1716b3c

SHA256
111ea6d18e75f5a1e7825277a84244cf2d6252f3742f131ef59b2e22e4c54cbc

SHA512
353c1e04903db279762ea2abcf3387953f591f65417b7ee5518af5304e079b0cbf85da06917029c1b26b878bd25efa4e99d9e1d97ca8be2753ed70878c2748bf

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
97KB

MD5
1a3ee699ac44f1d3e47c22f2ffa3afbf

SHA1
7f8123aae657b3eb0734b2b43ee81b30f300e627

SHA256
a6d61d19537ec6f3d754a2dd3e19da154c33e41b43200a391f7a9c8414731965

SHA512
d13d8f5628d857057599d65583e4a0ee6bd1815edb53acfc566edd119128d96b011d1330a8c07128c20ccddd3e93ba5a0263e9feec1f0aac8497811dbd7a8568

Download Submit
memory/316-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-307-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4900-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4900-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads