berbew | 33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
Size

64KB
MD5

4e0fbc0fcb20bf814682a250ef1bc7e5
SHA1

d6aefaaf25f2677246e2d6ef1ff50aea7c326c10
SHA256

33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9
SHA512

465a1b00531102630bee0d00d94daa46a95b0b09e759c9d4626c459e615a6c512c98af07717da1926f9351bc6e0d4ab2df0eeef8d5a76ba9ba76a84326a2002d
SSDEEP

1536:R3wqsPXQOXYH0qzYl9Yjp72Fo3pEslLBsLnVLdGUHyNwy:R3wq4XYH0q69YjJT3pllLBsLnVUUHyNN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 37 IoCs

pid	Process
1540	Bmbplc32.exe
1668	Beihma32.exe
3592	Bclhhnca.exe
3836	Bjfaeh32.exe
2416	Bmemac32.exe
3624	Bcoenmao.exe
520	Cjinkg32.exe
2560	Cmgjgcgo.exe
4340	Cdabcm32.exe
2804	Chmndlge.exe
848	Cnffqf32.exe
116	Caebma32.exe
2848	Cdcoim32.exe
3092	Cfbkeh32.exe
2148	Cmlcbbcj.exe
4980	Cdfkolkf.exe
3820	Cjpckf32.exe
232	Ceehho32.exe
4844	Cffdpghg.exe
1940	Cmqmma32.exe
1492	Calhnpgn.exe
3260	Ddjejl32.exe
2636	Djdmffnn.exe
5096	Dejacond.exe
2856	Dhhnpjmh.exe
4536	Dobfld32.exe
4416	Ddonekbl.exe
4748	Dhkjej32.exe
4792	Dkifae32.exe
2184	Dmgbnq32.exe
1496	Deokon32.exe
4176	Dhmgki32.exe
1476	Dkkcge32.exe
2244	Dogogcpo.exe
1856	Deagdn32.exe
1976	Dhocqigp.exe
4528	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4168	4528	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1540	1460	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe	83
PID 1460 wrote to memory of 1540	1460	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe	83
PID 1460 wrote to memory of 1540	1460	33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe	83
PID 1540 wrote to memory of 1668	1540	Bmbplc32.exe	84
PID 1540 wrote to memory of 1668	1540	Bmbplc32.exe	84
PID 1540 wrote to memory of 1668	1540	Bmbplc32.exe	84
PID 1668 wrote to memory of 3592	1668	Beihma32.exe	85
PID 1668 wrote to memory of 3592	1668	Beihma32.exe	85
PID 1668 wrote to memory of 3592	1668	Beihma32.exe	85
PID 3592 wrote to memory of 3836	3592	Bclhhnca.exe	86
PID 3592 wrote to memory of 3836	3592	Bclhhnca.exe	86
PID 3592 wrote to memory of 3836	3592	Bclhhnca.exe	86
PID 3836 wrote to memory of 2416	3836	Bjfaeh32.exe	87
PID 3836 wrote to memory of 2416	3836	Bjfaeh32.exe	87
PID 3836 wrote to memory of 2416	3836	Bjfaeh32.exe	87
PID 2416 wrote to memory of 3624	2416	Bmemac32.exe	88
PID 2416 wrote to memory of 3624	2416	Bmemac32.exe	88
PID 2416 wrote to memory of 3624	2416	Bmemac32.exe	88
PID 3624 wrote to memory of 520	3624	Bcoenmao.exe	89
PID 3624 wrote to memory of 520	3624	Bcoenmao.exe	89
PID 3624 wrote to memory of 520	3624	Bcoenmao.exe	89
PID 520 wrote to memory of 2560	520	Cjinkg32.exe	90
PID 520 wrote to memory of 2560	520	Cjinkg32.exe	90
PID 520 wrote to memory of 2560	520	Cjinkg32.exe	90
PID 2560 wrote to memory of 4340	2560	Cmgjgcgo.exe	91
PID 2560 wrote to memory of 4340	2560	Cmgjgcgo.exe	91
PID 2560 wrote to memory of 4340	2560	Cmgjgcgo.exe	91
PID 4340 wrote to memory of 2804	4340	Cdabcm32.exe	92
PID 4340 wrote to memory of 2804	4340	Cdabcm32.exe	92
PID 4340 wrote to memory of 2804	4340	Cdabcm32.exe	92
PID 2804 wrote to memory of 848	2804	Chmndlge.exe	93
PID 2804 wrote to memory of 848	2804	Chmndlge.exe	93
PID 2804 wrote to memory of 848	2804	Chmndlge.exe	93
PID 848 wrote to memory of 116	848	Cnffqf32.exe	94
PID 848 wrote to memory of 116	848	Cnffqf32.exe	94
PID 848 wrote to memory of 116	848	Cnffqf32.exe	94
PID 116 wrote to memory of 2848	116	Caebma32.exe	95
PID 116 wrote to memory of 2848	116	Caebma32.exe	95
PID 116 wrote to memory of 2848	116	Caebma32.exe	95
PID 2848 wrote to memory of 3092	2848	Cdcoim32.exe	96
PID 2848 wrote to memory of 3092	2848	Cdcoim32.exe	96
PID 2848 wrote to memory of 3092	2848	Cdcoim32.exe	96
PID 3092 wrote to memory of 2148	3092	Cfbkeh32.exe	97
PID 3092 wrote to memory of 2148	3092	Cfbkeh32.exe	97
PID 3092 wrote to memory of 2148	3092	Cfbkeh32.exe	97
PID 2148 wrote to memory of 4980	2148	Cmlcbbcj.exe	98
PID 2148 wrote to memory of 4980	2148	Cmlcbbcj.exe	98
PID 2148 wrote to memory of 4980	2148	Cmlcbbcj.exe	98
PID 4980 wrote to memory of 3820	4980	Cdfkolkf.exe	99
PID 4980 wrote to memory of 3820	4980	Cdfkolkf.exe	99
PID 4980 wrote to memory of 3820	4980	Cdfkolkf.exe	99
PID 3820 wrote to memory of 232	3820	Cjpckf32.exe	100
PID 3820 wrote to memory of 232	3820	Cjpckf32.exe	100
PID 3820 wrote to memory of 232	3820	Cjpckf32.exe	100
PID 232 wrote to memory of 4844	232	Ceehho32.exe	101
PID 232 wrote to memory of 4844	232	Ceehho32.exe	101
PID 232 wrote to memory of 4844	232	Ceehho32.exe	101
PID 4844 wrote to memory of 1940	4844	Cffdpghg.exe	102
PID 4844 wrote to memory of 1940	4844	Cffdpghg.exe	102
PID 4844 wrote to memory of 1940	4844	Cffdpghg.exe	102
PID 1940 wrote to memory of 1492	1940	Cmqmma32.exe	103
PID 1940 wrote to memory of 1492	1940	Cmqmma32.exe	103
PID 1940 wrote to memory of 1492	1940	Cmqmma32.exe	103
PID 1492 wrote to memory of 3260	1492	Calhnpgn.exe	104

C:\Users\Admin\AppData\Local\Temp\33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe
"C:\Users\Admin\AppData\Local\Temp\33652a5153f99c2eaf4add0b0302736b393f7db8a121b6e98e1b57024aa605f9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\Beihma32.exe
    C:\Windows\system32\Beihma32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\Bclhhnca.exe
      C:\Windows\system32\Bclhhnca.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 404
        39⤵
        Program crash
        
        PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4528 -ip 4528
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
64KB

MD5
60e9da9b7728360abece2d205c3314d8

SHA1
4619d3ea281ea3ad61af59b4a1dba5d763eec561

SHA256
5a8a1550a8cd9dae7b88a7b9dfe091c56b1a0e05de32d2f138fecac60752202e

SHA512
f0c5ca79cc99e6398f6699aa287ed1de8695925b3ce3b9affea9286bc28965b6d47f13bc8085b01569077035750d4954c1bacf89d1e953747493a913960e7836

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
bd67a2aa2611f8ea069e0e5c6848d310

SHA1
dc197532470fd341496f6fa8ab8824e8d45c513c

SHA256
cd190f9e62af90e42efd576f32ecec856df90967944527714f4f045ff3ef3c5a

SHA512
4aa5fe2f1b4e722cd38d82d84b3fd581e7bd9ec91236109b9c5670978bb0f06cec9364d0f03224f08c87f4a1fcf6e99619ab89fab7025c0a8275aab5360666cf

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
64KB

MD5
effca086ce91ce3ae8fc14629f2f39b1

SHA1
907ea0c73ec7117e427541179d91084c84913642

SHA256
cf7d08fe6db06d94caa5b7b56187645f922b5e76303cd1fd14b981de30938b4f

SHA512
20e264772cad9606d005e974ef549e0d8affa660dc535460666f5aa4377cd823408d0ab3ff3b792ab1a5f7df91e25bbfff1f65966478977112aecdfeaf29c5f8

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
3870e681ee9ca0b9a1b0b3718358b153

SHA1
2b6fbf0fcb09a8b177557ffe1292f12508dc094c

SHA256
84ece21ee3511ca6e5062d4a8167e9264af9ca28b390ce699846e5273254c2e8

SHA512
ce8eaa0780c858c9f779ea4dbed66747f22c3ab5bd9e02ff1056afa4cef423bb288ec985157af8e3b65ef8342923715e5b5a748354e87168ae4ac58f2497ca20

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
64KB

MD5
569cb776cdabc6f7a5105779657479a3

SHA1
d4b4e494f3f508b62f9e77ac73ef4adfe7b2a338

SHA256
dac005d7bb43ef01df377904b4476efd766b6aecd0d8c925ec43ea3b7ff5a099

SHA512
bbe4f3c5f122fab317404029906e40b648c9ed9b87e3969d3bf222737b2a612bb12f3258c6c8ab31edacf2eccad622575b9f2078caff1e14a4eddd99d976fabf

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
64KB

MD5
c26ee4f1fcf92f794f1c90c0173c4e69

SHA1
0c93a388eb139639f69a1ee2914e6331f8e56325

SHA256
20c7dd6f6f59bdeef6ccbc0f48267e403450c436c915fc7d5fd74e3a6bed6f99

SHA512
cbec2777581fbbc1e11afec1839d4afbad3a061b9682dc9e3494918aae1a110ce93cb0c5ee692dcc32562b0b63ddbba0ae3d155d7f914766c0834d5c99065625

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
fef4a7f6af2ba6be1a3e3019aad0d862

SHA1
8c1ee3bd69e341a474152df26f6226e53f5108ec

SHA256
5da85ad3c13eac2251bb189ae9b54df6565681709ebb1a15ab795462b353e0ce

SHA512
93d2cd69e27832ec46a4776f09d0bbfd217cb2548f81ab80b7b6e510bcc43208fb79ad9d5357ae136abf9c444e757d50b413a17f8da6ebe5965160a511dc8016

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
2fac4998e5627587d87e6ed0c6c65246

SHA1
cd1c11e951c1b3b514b94689724099d96641383e

SHA256
5161201e272e437dbda942f62d37616f6343863893e65dd5c3a8c293a00a657b

SHA512
9858e2d52031feef4edaef640f484b60d2e719efe59b82865907e689cb8ed3bc8e37fc83111f55afc78bf9e877bb2470bb1771a028677b0c8b78acae8020e89a

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
64KB

MD5
e75335cb17390ccc5affbec1d370fbff

SHA1
741e0e0d778b922a3be2e9795343f6ebeff612fd

SHA256
65fad761aa17f949403b56d61df9e714ec429a3f6de7c53d049e7df1be96293d

SHA512
3603187c8065d3a2a591bb478daa984a0217e2a3c1e04ac2bfeb0c88bbe5c8b3a9de0c9d6454e60460c3a955e04ed53d47bfea30b56528ab625edcf3c263c916

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
c82afa7172e0855982c5a1eba5dceb76

SHA1
6b3f4d3ff08eff0537cb82ffe481928888e26861

SHA256
7b17fb1d7226b419ec76fbc6ef79f43f25d17a17cc266427414a41e7a3421165

SHA512
7d0e6fed4ef9ff1cefc95d6eff4d0c18165941c268ebaf96f7803d0bc4bca0bce9e00581b5a14a1bd0b38ef3acaae821472d55679ea75583a48bbb58af77c211

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
e6c19cadf0c5e583d9e0b632410f4ee2

SHA1
c2ea8271ec8aaa6bfc42b3d35fd113749e2a9fcc

SHA256
3530ad60ffe1ec88fa48a08c981c4fa5e842b9dcf09eec71715398817a7feee4

SHA512
c2779e361f33400c8de04d2c8d192dc743b188ade2e289c165f45e6b8d6830206c71456f7542ec4199b24a20c5dc7a4456049748fb22c1b7bc227f77ab8ec294

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
20c2aa31417161fdcb32fc6995e83626

SHA1
6d4c74944d574e93addca4d764cd1e5fe12f24bc

SHA256
b3e029596dea7c6436f82ca057b01746c3e7a5bfded7956bbd21e3a1cde4f2c4

SHA512
41011d1f3a3171ae381a0c12d22978bd4eacd9f63e0cca9e69a22a99e18d62263b8420c963acd1c424ca65e0b1f14b61dd2ea84cc7ebcbf9a2e71df6da9175b1

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
a06874c35c4fdc530e9aa7e8f5629a80

SHA1
cc0fdbce6baa5a05cd8ff9c983c2863d82b2adf8

SHA256
71bc9ab8bf1172aaec9e2d1faff9fcd3f1f96329b0534a8f68d0514b6b73ac54

SHA512
c79fdc2df08af8cb8a468ab2ddc4260bad8327bf4876d33d700abf3311440a17cec18cfc145604cbf2a6737c75da098deea93d1279ec07f96d31fb466fc0ab81

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
d747d06e86a617da6ebf4933a8584fc9

SHA1
a92341a235ef1608c46d78c537309438c55e4898

SHA256
a2331233bdc16c45b545190cc92c3a6d2637c2894a8936a8ae1d2b72d90595cf

SHA512
479e64a74a6ca5dfcf2048d9c013d000c2d9882f3f2565c9289f127a113d491ddeaec17445f576f59f8111e6c255ccc9ba42af3b1c3a5a96c416cf571b855fda

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
69a924300201efa06f2cfbdbe53cbfef

SHA1
9577b46efd2dc3b0f06388051d9097909e8f81e2

SHA256
6e9446a77457490f80c3a493752d3546989e1061da17ad5d1a671884088f8623

SHA512
8aff4c80c83b26d51c4827fe0246c327e9811565b1bf422f87f791c274e7dc3327ede1c4d3b4e632477a9884072acd2e91fedad3d828cd7257b4ddad6279d389

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
3822c2353b682e56aec599262bcb048a

SHA1
70456a77be655054148af7179a610eb3370353a3

SHA256
36c99217e11c04a9b80ed65e0a76162bc7f780f9e287e710ac450606f12716b9

SHA512
0eb290cd51e471a4980f4a5abf233c4cd60642a18fe267b9af96229dc8c830e895147bb6a24a440b46bd5e0ae95e69556d15a7c2cac5c34df49583580f02b3fc

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
60a496c22e4387de46bdf09377d6dba3

SHA1
1e9192fcd06514e23c4486e0eb7b755c94eaa2cf

SHA256
eb7c092c04c117373225bdb59bfebac95cdc9226e9520850356e3b8dd6f7c938

SHA512
4696e89a82bcbf6805ead877521954069bc78b4425986ed64ba5c1dbff17f0a7f3a5e0babe482d40f4f704e4dff2655ca136d9ddad956c307199155179ea423a

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
c08aec39ffba63d3fb0dfd6e64c37f69

SHA1
9d480a70fbe702b72129cd7af537a6f45a93992b

SHA256
587474b34d03e18c3a6f91496d80515dc697f8fcf63ee71c1d6d30ffa5d85d4e

SHA512
5603e1b5a0bd29663509975889d0b6705610ee90b6711368670ea169dd628f6f3538c7f6048be205e796ef4db636dde729d0422aeebee64df6c7f825f995667c

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
64e09dabf9ea88840e78a67317d538fb

SHA1
f2b43c8a7ea42bd6cb5096503736ebf664ed8350

SHA256
09972fa2c458063b2cf4b2c497c25d5e12a024850e01e258b5a2f487ea8d7f5d

SHA512
f927c11ed2178788466030f5ac5c975b1fa0e361d84e98a754a9a681057828b26b97bb063799f8feedb67e964f0870413bff549d033e05d2246fae3f5d72e67a

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
980166307d3918b60f1d1687a0777032

SHA1
5264fdcf96b9b0c490e0829ee55a69ef1d59fccf

SHA256
6caefd32421ad675a14c9fa43eb452fcc9ad62373b659d39277364c3988fff0a

SHA512
3c6ecf18877bd7e0b29723e290865d1f9ba02df8f767d29d65395a6fd67426fa6b937ef05e28e8d5aaed540a6386e2f63193a2b38051b09ef272d43f9a6ed8d8

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
b80125487eeb348fa92c103d69dd4aad

SHA1
f88776685a3bbcbd970097726e10ac51af26745a

SHA256
05a0f21b3e6acdaedca86d46983f8922fcce93fa6510432e797d5b865bc70c43

SHA512
8555d3821cbd71316bbd2b170482d3061b0d2a7393fd7e35d7c9d235e7f5db0ccd33bd6841bc27c63ec18c348c01bd93eb43883fd35bf90d17c62835df88c984

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
431c3c7fef833672f75b2cf31cf88349

SHA1
d95602f7edae065514d7255fcd7d575e4b9ca021

SHA256
afb0e8cb3e8e8a3dc2da19bfaeb15599b1e57ae221337a4db845865baee77444

SHA512
6c633c28a29abf7805e5d4ba06a1dd800bf1ab288965f55365929dca866105dfa479e8a2079d4ae5ebc7b3c19cebdf62b25d4f5ff3400f2c1cad08bc1c0b765f

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
b2b08638e44393883fb3bc11c0c36e4f

SHA1
6af78e28de52d736925923a2dc8b9441cbe0ca92

SHA256
c9c95722e259925e2d709b4d0eef12a4e0e43ba1bccca5038a904b429c97a0cc

SHA512
023f302a60f7527de9129ddb0b971f296bacd169cc02f3ded7dd7be5496959d63b3fdbc358c81313d447b51e846bc3aa9bad31b956670f9e98d463862539defe

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
1205d1195a42875faa0e3655eb1fa535

SHA1
bc646a8ff56102b5095b1a5ed2b736d17a6a3c36

SHA256
ec18ff4d81cfa2058d4cd70300bc0947419996fde2a9e5f2e4d950b6fecbb9dc

SHA512
7f478e68477079071491bcd71b4169625afa42bb97a2e6d37da5b4a48d4ca03fa012fa8e9130e4d7f8c73d989cec6d615648736f3cab1d289d0ecb4e29ca889f

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
64KB

MD5
efbc63f9d9b136c2efde5cbb8b908264

SHA1
647616c4c9443f6a57d975105eea7d97a40b780d

SHA256
c1aa4edf29b15e43bff9227f47ebef6799d5b25eb1b6d6a06e660df6f5ee27c8

SHA512
ba8a40c7eb4f68554c6b92b31d9ab274908900b3c97dfbba68f119ffb5499e5165765f3973bfe1def4084155b37ef986f1a853dae7d95988bc967dcd2d8d585e

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
ada9f01f329fd6a0e0483479b2187176

SHA1
9689fb0d0802cd55b470a475d91e941081ee9d5a

SHA256
5a292c4c3712c0c352bcc4787020e818fc9f159fccfe285b555328a165b0b885

SHA512
ca9236166bd31e275a8ef14bc443eb2a70d03e2a1459745ac99e96d3505b694550cae10d9e3e1f968d45e555a29c627be7de237fbe4e34be4f4cf64519ded8da

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
2bfe1f1f64fc33fb25afe83cc2f87d19

SHA1
946b5890c234aa70bdda561ed1ebea575f516717

SHA256
133d0d669e501a216b7ddba370ee60c5659fc01e0ce221b12fc072e6da731eaf

SHA512
89a130de0df68f330a8c549b48d8dd9b99032b6d703760e1e3744417a40556000bde763d8701f5f9c587a70dc2a66552c265c4e82a9500826a3419bc568aab8c

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
a9322b9df4102a086b5a443cc4eb1122

SHA1
47fe84d465348cbb26f37a596c8f1d9357944357

SHA256
3238f9e79dae7de39a0243897d35b989fae29a2a3541812c3746f1d11b586bd6

SHA512
675268d29ea668a2f7b04bcf3207286eb57911b5222c79c7a6a54afa2013b069c6523e4a3072ef61afe1b30de8b8c1f0025078ca8065e501cdab67ef0b74f36d

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
64KB

MD5
e0aa7311fad1a11a2b72e3e9f8a539fe

SHA1
65069be46ea29d83f49818eb34ebb8b39e04e748

SHA256
ad5dbe2a9d054823a5504c005895afb2b3770bd2bc9c7be374174266d478675e

SHA512
c75336f8003818c835c88d4b7481cc4e0be51247c09c6d55049a7e96030c690e1296199cd174a0d3bbe9f922696ed43780bcc919aaf11b83a717497b62fe72a1

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
86a5b286d1f43a2a60be25f318999bf1

SHA1
7777e266479565d51eaf0ea73da4b565a4e42871

SHA256
29d50362839d77ecb88e55ca76a742941910af3de391c5822b4d44bc3d989e9a

SHA512
16347743414c60a1b54076b63792dee7dbbe86c21b4753bd3e8ee34584b17cef2bad3dad5502a037a02eb03e721ecaf9757b91dd48184aa0dd4a3d8ae647faa9

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
e85b7e68dcd7104a5ecb3e2239409d2b

SHA1
ecc5ff74a2b211bfdd840c1eab8bc70a882c24e9

SHA256
5163ea57ce2eb20b223ebd944117996cc34291e5408569371879ef8377b350cb

SHA512
36af15b190063fcb174b43962924ceccf900bafb27421e501a5dec1487ae5c6aab4f31337391d9db70bbc8af7da975e3aa0514578d1d1c38984a2431db45d0f8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
f247d03a2844fe22d349bbb18e3c63ce

SHA1
cd821fa991d2dc08dc28d1291f084e67bd14b60b

SHA256
07edf0f7d7b65cacbdf32b6adf65fbe5eb2a82584d91b2227f484122d4fe2063

SHA512
13454dcde017a6fec3fda2c8af419374c38fb0ae116215e943090c23103f3833a21248c9644f92ebfcfd7b7d382263054d66cf56fad896e08df855c1fb0c00b5

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
0e93c75d1e14a4c7883158b2df74c409

SHA1
dbf8c060777e58f38e3204261ba1ce4fae0d624c

SHA256
a00b320c75cc9a963d5adeb6fd54876527eac968c159d9d1823cced33dfab09f

SHA512
b95ff7cf23fb4393a9c19099beaa6e5c9d60ee8f6360d8565fe686a3a1957e789f9ed876d8b524566564c6063801a153ba663017cf831dc5971a7f9d2edb1134

Download Submit
memory/116-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/116-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/232-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/232-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/520-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/520-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3820-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3820-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads