berbew | b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe
Size

448KB
MD5

2a15157e3f1b51dbeb1f33a8046176d9
SHA1

316627ef894f909b668c6fe48e19e7bc307b83e5
SHA256

b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66
SHA512

8b733c4318d0ade01c8a0cbe899bcc39d4a0aa0986b49b9cf78c84a639ea422ad0671b371d1b5dd742c2a619f2726dce00b918cd620ee50cc847e53a19839fb7
SSDEEP

6144:2pV0OyVhcHM+9ZiLUmKyIxLDXXoq9FJZCUmKyIxL4:2pFyVN+W32XXf9Do35

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 41 IoCs

pid	Process
1984	Bmbplc32.exe
1492	Beihma32.exe
3604	Bcoenmao.exe
1828	Chjaol32.exe
1316	Cndikf32.exe
1656	Cfpnph32.exe
1124	Cnicfe32.exe
3220	Ceckcp32.exe
2408	Chagok32.exe
2092	Cjpckf32.exe
2676	Cnkplejl.exe
1444	Cajlhqjp.exe
4804	Ceehho32.exe
4356	Cdhhdlid.exe
2888	Cffdpghg.exe
5012	Cjbpaf32.exe
4504	Cnnlaehj.exe
4156	Calhnpgn.exe
3712	Cegdnopg.exe
3316	Ddjejl32.exe
1204	Dfiafg32.exe
4032	Djdmffnn.exe
4992	Dopigd32.exe
2460	Danecp32.exe
636	Dejacond.exe
3832	Ddmaok32.exe
4440	Dfknkg32.exe
3504	Djgjlelk.exe
2052	Dmefhako.exe
4560	Daqbip32.exe
4084	Delnin32.exe
4680	Dhkjej32.exe
4252	Dfnjafap.exe
2084	Dmgbnq32.exe
1360	Deokon32.exe
2884	Ddakjkqi.exe
4948	Dfpgffpm.exe
2128	Dogogcpo.exe
3568	Dmjocp32.exe
1812	Deagdn32.exe
3520	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Beihma32.exe

Program crash 1 IoCs

pid	pid_target	Process
1660	3520	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1984	2456	b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe	83
PID 2456 wrote to memory of 1984	2456	b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe	83
PID 2456 wrote to memory of 1984	2456	b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe	83
PID 1984 wrote to memory of 1492	1984	Bmbplc32.exe	84
PID 1984 wrote to memory of 1492	1984	Bmbplc32.exe	84
PID 1984 wrote to memory of 1492	1984	Bmbplc32.exe	84
PID 1492 wrote to memory of 3604	1492	Beihma32.exe	85
PID 1492 wrote to memory of 3604	1492	Beihma32.exe	85
PID 1492 wrote to memory of 3604	1492	Beihma32.exe	85
PID 3604 wrote to memory of 1828	3604	Bcoenmao.exe	86
PID 3604 wrote to memory of 1828	3604	Bcoenmao.exe	86
PID 3604 wrote to memory of 1828	3604	Bcoenmao.exe	86
PID 1828 wrote to memory of 1316	1828	Chjaol32.exe	87
PID 1828 wrote to memory of 1316	1828	Chjaol32.exe	87
PID 1828 wrote to memory of 1316	1828	Chjaol32.exe	87
PID 1316 wrote to memory of 1656	1316	Cndikf32.exe	88
PID 1316 wrote to memory of 1656	1316	Cndikf32.exe	88
PID 1316 wrote to memory of 1656	1316	Cndikf32.exe	88
PID 1656 wrote to memory of 1124	1656	Cfpnph32.exe	89
PID 1656 wrote to memory of 1124	1656	Cfpnph32.exe	89
PID 1656 wrote to memory of 1124	1656	Cfpnph32.exe	89
PID 1124 wrote to memory of 3220	1124	Cnicfe32.exe	90
PID 1124 wrote to memory of 3220	1124	Cnicfe32.exe	90
PID 1124 wrote to memory of 3220	1124	Cnicfe32.exe	90
PID 3220 wrote to memory of 2408	3220	Ceckcp32.exe	91
PID 3220 wrote to memory of 2408	3220	Ceckcp32.exe	91
PID 3220 wrote to memory of 2408	3220	Ceckcp32.exe	91
PID 2408 wrote to memory of 2092	2408	Chagok32.exe	92
PID 2408 wrote to memory of 2092	2408	Chagok32.exe	92
PID 2408 wrote to memory of 2092	2408	Chagok32.exe	92
PID 2092 wrote to memory of 2676	2092	Cjpckf32.exe	93
PID 2092 wrote to memory of 2676	2092	Cjpckf32.exe	93
PID 2092 wrote to memory of 2676	2092	Cjpckf32.exe	93
PID 2676 wrote to memory of 1444	2676	Cnkplejl.exe	94
PID 2676 wrote to memory of 1444	2676	Cnkplejl.exe	94
PID 2676 wrote to memory of 1444	2676	Cnkplejl.exe	94
PID 1444 wrote to memory of 4804	1444	Cajlhqjp.exe	95
PID 1444 wrote to memory of 4804	1444	Cajlhqjp.exe	95
PID 1444 wrote to memory of 4804	1444	Cajlhqjp.exe	95
PID 4804 wrote to memory of 4356	4804	Ceehho32.exe	96
PID 4804 wrote to memory of 4356	4804	Ceehho32.exe	96
PID 4804 wrote to memory of 4356	4804	Ceehho32.exe	96
PID 4356 wrote to memory of 2888	4356	Cdhhdlid.exe	97
PID 4356 wrote to memory of 2888	4356	Cdhhdlid.exe	97
PID 4356 wrote to memory of 2888	4356	Cdhhdlid.exe	97
PID 2888 wrote to memory of 5012	2888	Cffdpghg.exe	98
PID 2888 wrote to memory of 5012	2888	Cffdpghg.exe	98
PID 2888 wrote to memory of 5012	2888	Cffdpghg.exe	98
PID 5012 wrote to memory of 4504	5012	Cjbpaf32.exe	99
PID 5012 wrote to memory of 4504	5012	Cjbpaf32.exe	99
PID 5012 wrote to memory of 4504	5012	Cjbpaf32.exe	99
PID 4504 wrote to memory of 4156	4504	Cnnlaehj.exe	100
PID 4504 wrote to memory of 4156	4504	Cnnlaehj.exe	100
PID 4504 wrote to memory of 4156	4504	Cnnlaehj.exe	100
PID 4156 wrote to memory of 3712	4156	Calhnpgn.exe	101
PID 4156 wrote to memory of 3712	4156	Calhnpgn.exe	101
PID 4156 wrote to memory of 3712	4156	Calhnpgn.exe	101
PID 3712 wrote to memory of 3316	3712	Cegdnopg.exe	102
PID 3712 wrote to memory of 3316	3712	Cegdnopg.exe	102
PID 3712 wrote to memory of 3316	3712	Cegdnopg.exe	102
PID 3316 wrote to memory of 1204	3316	Ddjejl32.exe	103
PID 3316 wrote to memory of 1204	3316	Ddjejl32.exe	103
PID 3316 wrote to memory of 1204	3316	Ddjejl32.exe	103
PID 1204 wrote to memory of 4032	1204	Dfiafg32.exe	104

C:\Users\Admin\AppData\Local\Temp\b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe
"C:\Users\Admin\AppData\Local\Temp\b8c3083f93d7984cc57426744a43f9476babe2b7d21039ddf1e74ed71e2f5f66.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\Beihma32.exe
    C:\Windows\system32\Beihma32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\Bcoenmao.exe
      C:\Windows\system32\Bcoenmao.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3604
    - - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 408
        44⤵
        Program crash
        
        PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3520 -ip 3520
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
448KB

MD5
31a747f78fbf4c2e3c0e71d1dfe770a0

SHA1
689e1ec4b786aed03f1f908dadd26d59eb860af1

SHA256
6fd74f4152f9ad6126901f0a9ab493243a1325f9397baad0e33aa7629bf08498

SHA512
5e86ac732d9c80b2beb50a4b7b3a2d2466b99d4a44c3da3efb3b9397f7bedf86bd4fde9f7ce10c8196cd9408b7390124e6e46c09548239d13a192aee9796460e

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
448KB

MD5
e57f40abd747f6932edc662807ee0803

SHA1
b09b10e265185a626331cf7ef6712fc4b957619c

SHA256
88531e71a57794452a2efedeb5422a77d86291d0ec1c83f8dd811b236d682a6c

SHA512
922c57214a81997cfe0e9bbf7a321490730b41f2d4da7b522685b2e45aaade5b8a126f7164d7e1e2c5b842f68b16e9136a478d53e5f9159a352abed1753eef1c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
448KB

MD5
b80cfd6de15c6451fd2411ebd9269e3f

SHA1
07660af9c545d467562335f9684dca335d9892e3

SHA256
a640a8cab92c47d6937beb447503a7e982247dae80271f1ea8fb24fb3ef56505

SHA512
d58a06a19235760ed75f291a709972dcba9b8042ec33ce58060c506166503d1c32bc2b37b2012c6417d9572bfecd3bcb0f5bf4d9cabd5e4778602ce5130f3e10

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
448KB

MD5
4c3c4c52aaac59edc3ecbabef828871b

SHA1
1b2410148328f94bf09e9a76e535918a015a8b33

SHA256
dd34fdde9dc5f7ad2a13df05cfb636a742486541e5df35847644c40779214e84

SHA512
ea15de3784d3d398476a492b1c1b2e836ae36b6e8920d96c1124f7186bf2ad15d4623f1e73d68d2d12a2f1c392c69658de7e89eba7d83c4a417e1b73778854af

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
448KB

MD5
9ee3f80a3185e7dc7b104728fe51d4be

SHA1
22fa7a5f458804703566c4b36e43e85404ce43b3

SHA256
96921f2e779165a6bc8780112d45702b13e33f1a862ab56c13d22a8243363e34

SHA512
636b36cff0caecfabe4c6c961b55d1b3e2304cf48243756cf540817819a9bd0ed237d9ea26fdb7aa46b416b7a1ffd896df9280d83b2821dde1242eaeb427a145

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
448KB

MD5
1be8df3fc86cfdd2e078b113aa574982

SHA1
b2328ca35992c874c637a97e67c20ceba65c6c5f

SHA256
e8a3d3a42be359f49632cf89342ee00089425a798cd9c37e938a424596396d33

SHA512
936ccad050bae40af84412997929291fb1bcc0244fc96510be6973c980ddfd2ac0410a2f958be575f50603083a8b9f48b6994707c2f9f3f9e04b83eff0e6af50

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
448KB

MD5
8395efe31f0d6292fbcf3eee458937a1

SHA1
5a189fe2ea55e2421d6458f361f02418809c60d2

SHA256
b700561b247eb0e82380859c99bf25f7ae05d53a712b970ddcbe9915b35e68bc

SHA512
6fd30f137718be19aac1b1102691fad3be76c4c295de99797ac6f96430b5561ec7b229527bee61ce69a9a5a889d016522b7d46cf676383ec247a222e8c4f384b

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
448KB

MD5
2921de5f9838d0cbe1788b6044c1b1d2

SHA1
5c6d55a72e82dad8b4a29ebcc704c84c8cdf7601

SHA256
ff8ad9e28095aba51e517b478f0d13096ffa540ee5eec28fc0e3336b0d19e6a2

SHA512
855ebddd2cff3bd146b727b3754e81890892b3f3a017a894d9ca16019c72b481448ec35e9fafd390d6ff246bccbce949d9f484603e91b767a0b0a3be06bcb1a7

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
448KB

MD5
974ffe4e2beb0a078ba1bc032f3f5688

SHA1
dafe97aca2c94bdc6ad400865f2d53963a116cf4

SHA256
5b3ac40b4d7cd8761106193b1ec10082ea960cd9f3efcd6cbcffb6d6e2c63018

SHA512
e591c41a5472957485fa5c03605fd4254de6d233e68d188a76062d62c05f9e2166f372a55ef2e2246f593c9137c9f8b46fcd7504333d586d23baa19f41ec5aec

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
448KB

MD5
bcd5f91cbe23f7c9c5f823d603ab39d1

SHA1
cea8a7de60c6d67ce86183d4f4432ef92f3b40d5

SHA256
a9f80497c2e6951a465907d884fd57c2c4077303c1d8316c55b708b4edf3e9ea

SHA512
5a7c479104dfd0d9f4d907e70be270da715f321350e0ebfa707a8b4fb9e950b0d40d5dbcdb19f30df6f4f8d3f24ac1c8d8e2580a76d800407013d2f8e35dce92

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
448KB

MD5
0c2f5ac772eb06b16102e7b4a1e540a3

SHA1
9c4ab4b4a5ecb991d2885bd7469937dec47890c6

SHA256
8c5660f2c20f049953b68eb766bf9cb3418627241d393440565506e513fc10cb

SHA512
3616dd47dffcf53913fb24b37c4306b085121e46599b1744c248fa948fc5c43d231bb3a797f21e083b00e58c2764d013f647dc04f30c6af88d3ef52f988dd19c

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
448KB

MD5
be6c37ab65c8498a8e9302d8d189db8f

SHA1
64c74c46231a161c2761f0366d23b4a73f2a16bc

SHA256
03340d9c26a2bcef7a545f671b4489503d25ea8b04e1bd3363685744d5a4582c

SHA512
a13c9d3943859d7c61eb24bfb24f2288b955077f6b01ec0764aee3ad5ed4cae8764a5281b7c313864c104dcfed4a07816be42052176544a9b420aaae0cdf5d04

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
448KB

MD5
2b3b9f6b26386d17b8a6026cce63e60a

SHA1
dfc8fd6d7b239101dbe213a15a07559527a40462

SHA256
42203e51b0739b010686bf016923e000720a53eb534898dc23b4501833d7e287

SHA512
5545132b740a034b5865e7bf92034a1f3916fdc4bb6a45d029b75cd1108d5a6236c1f966b35485b0db66cb793a88e7b808fc36abbc24e54f105d1a25927048c5

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
448KB

MD5
ec41fe1f0d767c480decbade37381510

SHA1
c31541507530f97012a83e150538f358fd0460cd

SHA256
4248031f3e2a1f9813f46a2c0d718298e7a9bb08e3729f5ea859eb7e0365e575

SHA512
8b1159b80e4060533c75d4e0fa9d8816cec54d5eeab6d5e5f98b5b9ccca749e3bdddbf9b5d3b35d1bba1e7e2e033e13ca1847f37039d11d1ec905522a82db88c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
448KB

MD5
b1058e45cd0822486dd84d5bac1d1f2f

SHA1
53065ac519a240067e9bc1ddd8f1041071df7093

SHA256
b606921c75e5efe472208dcd246dc454e9746868e7becee37c8fa8382763168f

SHA512
adcdf5b3206ddcd57dfb7bddff28a71ea2f43c62a29a5eebfcc88cb77075d12944366746c4cb5c71aa093a0977006968e7cd107258add1435f27abf1eee8ff57

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
448KB

MD5
2572cfa1ec9379c58769ebdce6bacd99

SHA1
27c8f0054bc6ba619178ee3f36ab1b1b5ccd02d7

SHA256
ea36c8a46237d0452d59018c00a3161544424829b8535239d48401f16532b1cb

SHA512
d0d879ec295c928ce1d144b61ecce4e5a077301813f031264a9e20dc6b3c776ae2ebcc4061c1653b9593c2fd3f6edd9bdb9b8d20fa58bb73c7ec2eddf9ad8c04

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
448KB

MD5
61a5ad2168ef67bc3ff4431efe1a68f8

SHA1
d072db105953b4b0281f200c83f7aea7c5183ac0

SHA256
1227fe8e421536983935b6a10fb981d02b3df408f739a9f4dbc73ff51bb6bc0a

SHA512
4c6446c03276a62f9abc69c3e72194c7897b308d647e50a6f41a6c4c630b7ee6839706bd8592f3851ff5a45e04e1094a7ebb3f3461b3bf25bc8f3235822ef6bd

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
448KB

MD5
6e370143bb11be85852faef3734e10bf

SHA1
5dc5de4e415975a8d3cdcd48e3c4484b278d548d

SHA256
b1e4a6fe5ceacb2d707d431202e7496312f54ce948b9f9b81942dcbcc4c20526

SHA512
8540fd49a0fefec6478c43c240dc1e37f99f90c9e2827571bfe7c84aff52bb10ae5c3a9085cb1d8a186c1d35247ce223b57530b5c411a56c072216f0bdfd71aa

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
448KB

MD5
5accec9c28696ecaea34970c2ec863aa

SHA1
c8d919d15052200ebc8f6484a5553ba4c3275195

SHA256
bee06b89f1858a72801f01629a818e66923f592fc1861851b86dba39667abf0d

SHA512
6ef4034ba9ab26fd02744d66bc285d0f98daf79f32c2f390af0a68871a354cfb1df981c02a66114c35ff210361e102d70ba1e52fc91e70d5af5f4153d8652bb0

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
448KB

MD5
004ed6369015d60fd22ca667c1669d42

SHA1
90729fa29e628bfeccc7928cbd63b48c689dc5ed

SHA256
6d032ab77c9e555bff10fa432b5e2da1cc9db96d92906bfdd63b3bb48eac6e59

SHA512
0a130306aa4e7ac47eea563de89b5fa998faf46a54eec9c50d4ff16aab474d9ae02de967920d2de932adbaa6c18a821647dd93c7e793400d71c0c4dc75e690cb

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
448KB

MD5
e2617d18f8553b5f25dd87a05984e99a

SHA1
30d59ac24e77a690e27bea34bffea2551728872d

SHA256
3447c623e93b9bb41f3dc23da2944d692817703e037e3be30348389b92e47ae2

SHA512
f62be250b09efe4953c763186792c862906903eb74d5ba26272d614d4c8cb240742591e91a56e4abb8d0af0688798f9129f4c2ad6c48900f754d5fde39feb3cd

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
448KB

MD5
9fef1fec0beede52153fc167162f586a

SHA1
32ab8f20345e2028b892439592b1d1926fdcfefb

SHA256
0bcbc89590c51f68cdc8e4c09b34e72c0f095546532f85f0e30cf5a2382947cf

SHA512
a9011276b98c1f20c2f583c71046f243ce9fc6c5245dd2923dc15dd069c33269ab386ecd2e5d35162acac0c61d42f7233560ab97be98416c857a0f7d50e32e49

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
448KB

MD5
7597a2a146c4f5f39224bce191fde892

SHA1
ab94875d9ba628766c0493499fe8eb0d0d459dd3

SHA256
c5cd5f1adae076a35d32c5847667f15062784808e5825682887ecbca591b3803

SHA512
a4eb801c07e9d6be3048988f54c5bfaa542fda1a7b4da9ae12dd6ce997d3f3524f5e8569ea45f735c2e66c457f70ec655972cce8a530c1b340ea90230ffc5d34

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
448KB

MD5
f9098c74b4f99919f7b54271d8d6d6fa

SHA1
65cd77bbb024ed17913f2781eb7de12ad34a6725

SHA256
de4447634627054d7a89d43e3a23090b08bdb2b4fc60fe663b44bfc4289d5804

SHA512
8c7751185b720b645ed526fe6ab6c845485b91e023b3dfaa07ef03a444c8c28eac71a40fb4730c0fe8d46c947690de9bfb62904b7ab096884aad979ea001787a

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
448KB

MD5
44846ed35dc66e43950db50ad713fa46

SHA1
0157fbcb8429245f349294c91c8082cd454335f7

SHA256
e57efe5509f015fef50e8555f6ec683cfdafc8cb9febe45056d719401b08b769

SHA512
aa7de2829938f1cb7dbc64d321a1b5a9f6597fcc0550002d2ef10a05239f33c745022dfc895452000fed5fb9e3406f13fd637752db25069255104d03ff0a12a3

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
448KB

MD5
9a85fbd8a275a81205d308baaa3a2957

SHA1
7b40f4836667d77b57c425b2d152326016bfba1b

SHA256
125becde10c17ac318e606e0a8a44afdeeef168b407cc2901fa5cdbcee8c7c5b

SHA512
f91e16c1cef839eb9e2b9e4026a67f6cf4e62f10978b906fe01cb66784617a8b8c49fc0b177dbde980afcdb646f394952feb2783e7ccf1f3f6c5dd5421f956d8

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
448KB

MD5
936836a632dce71f8f01de689d366424

SHA1
7fa09dfe719365c5a7e50a4c8d2f44c3522a7082

SHA256
79b25d8a40f5da2fd473bfb88fc5493abf55f748ac0bd60b0ded5a9a5429f9a5

SHA512
ee160274fb4a0befe5e12ed5b9859abaa1a2311b630ae98c9ab277a178554a05ca50aab44f5c8e124c88c813c73bfb2d4874cf1ca9b01dd3396380057992720e

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
448KB

MD5
328d8a71c763da3cb92c8be46190f3c3

SHA1
893713c581d678853a9896a39549a1d4b677f733

SHA256
a21b0808ddb451dc74add3a526494c2d10321de2aed441dda90dad464dfd8b93

SHA512
a9f9f70e0a1ccd35bb9a1bae2ca2d85865eb7a07ef04323473594343573d74c0f9b997f2b94c270620e78938148f898e17296d5fa5663120e511efe8be5a4a19

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
448KB

MD5
329b77108742a63c730cfafa764c0059

SHA1
b5eb1f1a1ef05ae077da3d477a889bcb7a6f32f5

SHA256
e2f7d870a1b704f149112cc5130a7da731e4195e05cb1f5b7c2b50cde6a4b821

SHA512
668050437106d14b03581098f4c60d53478f8b2775f289b8ca5e99c81854b8036e8a5a91f3907d7adc5965cbc90a9a556f3f9e262f3d293928542a04366d9e76

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
448KB

MD5
00ea1a1fa96b2759b31561b0b7d4f302

SHA1
4838f1481d896d7cd2fab79fb87ad4e163dd1576

SHA256
74cd9c36f78598975058faf49bc39770a3ee2c8353b71433040e4c9a0270c26d

SHA512
3724f53b9c675249a3116d2fdab2cd7e5a8d52839f7d1dc61ae38eb2c836b67985f788b6aa553084c454023ec9b08c1d5a07385b8384a954e79cd1a4fd432d0a

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
448KB

MD5
9e2b7365c80ca7e1b7be62cef2c79c17

SHA1
5de2317a64682f5c9c2ed0a8c8f27f5bde8111a1

SHA256
6a4e2c4ffdb2f6399381db35e29b9ca28c787abe735625a336dfe948d758279d

SHA512
4093c662f8e80ba70465a30e9cf252311811672d595b89b30f6dc7db202394217b6594245df71c0a48ee13787374790bd1413b6786904396e519640c674bad76

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
448KB

MD5
5884e817f528d0b4ff34bbbab70af561

SHA1
e9776f6e8f1e120b086867be91ac27161dee8d2c

SHA256
8de0c419707e7de3216f767f9801ceb9f773a8261a525847066dd1fad1eee2d5

SHA512
080c0a1e08c4876482218dce06b986a2db059fe1857b6a83ad72aee637099e6883345d1fc86790b1c7791c84ea8a10cbaf0eb178eb928f251cff57a208193b6a

Download Submit
C:\Windows\SysWOW64\Fqjamcpe.dll

Filesize
7KB

MD5
ccad7743fee9e5af0107c79167ae03cf

SHA1
b04f491b82e9e1ea4cf59abd4685f6835c5c2d74

SHA256
003de7bdbe3ea8a0339b5c5d7af6087d665f4dba015117fdf09bbff9adbefaaa

SHA512
1500dd64e5285e12e07bc908c256e9003fd1fa467b9aed90f0c56ab7f12207e28145a03d2dd06dcb7180dae4c42b46e303c8339da1dea19f3fa7f8bc2144f4ab

Download Submit
memory/636-336-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/636-200-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1124-56-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1124-372-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1204-344-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1316-376-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1316-40-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1360-272-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1360-313-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1444-100-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1444-362-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1492-382-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1492-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1656-374-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1656-48-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1812-305-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-378-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1984-384-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1984-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2052-328-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2052-232-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2084-266-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2084-315-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-366-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-84-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2128-308-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2408-368-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2408-71-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2456-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2456-386-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2460-338-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2460-193-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2676-93-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2676-364-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2884-278-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2884-318-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2888-125-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2888-356-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3220-64-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3220-370-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3316-346-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3504-224-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3504-330-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3520-302-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3520-300-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3568-306-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3604-380-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3604-24-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3712-348-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3712-156-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3832-334-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3832-209-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4032-342-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4084-324-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4156-149-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4156-350-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4252-255-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4252-320-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4356-358-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4356-117-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4440-332-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4504-140-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4504-352-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4560-326-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4680-254-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4680-322-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4704-317-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4804-109-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4804-360-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4948-284-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4948-310-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4992-340-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5012-354-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5012-133-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads