berbew | 200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
Size

163KB
MD5

639cb17f4721361b3e3ee76c7bcf1034
SHA1

609c5875b9af316c1af93ce8ce9a1f0f82d109bb
SHA256

200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6
SHA512

7beeb2226fcb6a788990376c5dc31caddb2b90a04a04387593af6ce677949a1b8250c021cf606d06d53b14d095ca1ab11917b60ff55975097ca234a30894b9a9
SSDEEP

3072:Cf/TwxbJmA3NfDNkpo+2q/J2FdTltOrWKDBr+yJbA:Cf/TwxR9fDNkpoxqUFdTLOfA

Score

10^/10

berbew bruteratel gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ce1-215.dat	family_bruteratel

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 39 IoCs

pid	Process
1948	Cndikf32.exe
1632	Cabfga32.exe
5072	Cdabcm32.exe
3044	Cfpnph32.exe
1488	Cnffqf32.exe
4376	Ceqnmpfo.exe
1200	Cdcoim32.exe
4552	Cjmgfgdf.exe
4720	Cmlcbbcj.exe
4344	Cdfkolkf.exe
400	Cfdhkhjj.exe
1388	Cmnpgb32.exe
4284	Ceehho32.exe
1812	Chcddk32.exe
4492	Cffdpghg.exe
4692	Cnnlaehj.exe
4636	Cmqmma32.exe
2276	Cegdnopg.exe
4816	Ddjejl32.exe
4924	Dhfajjoj.exe
4880	Djdmffnn.exe
640	Dmcibama.exe
1692	Danecp32.exe
4236	Ddmaok32.exe
3368	Djgjlelk.exe
4432	Dmefhako.exe
5088	Ddonekbl.exe
3864	Dfnjafap.exe
528	Dodbbdbb.exe
3416	Dmgbnq32.exe
3628	Deokon32.exe
4808	Dhmgki32.exe
1224	Dfpgffpm.exe
1472	Dogogcpo.exe
4364	Deagdn32.exe
4872	Dddhpjof.exe
4648	Dgbdlf32.exe
4072	Dknpmdfc.exe
952	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
864	952	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1948	1100	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe	82
PID 1100 wrote to memory of 1948	1100	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe	82
PID 1100 wrote to memory of 1948	1100	200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe	82
PID 1948 wrote to memory of 1632	1948	Cndikf32.exe	83
PID 1948 wrote to memory of 1632	1948	Cndikf32.exe	83
PID 1948 wrote to memory of 1632	1948	Cndikf32.exe	83
PID 1632 wrote to memory of 5072	1632	Cabfga32.exe	84
PID 1632 wrote to memory of 5072	1632	Cabfga32.exe	84
PID 1632 wrote to memory of 5072	1632	Cabfga32.exe	84
PID 5072 wrote to memory of 3044	5072	Cdabcm32.exe	85
PID 5072 wrote to memory of 3044	5072	Cdabcm32.exe	85
PID 5072 wrote to memory of 3044	5072	Cdabcm32.exe	85
PID 3044 wrote to memory of 1488	3044	Cfpnph32.exe	86
PID 3044 wrote to memory of 1488	3044	Cfpnph32.exe	86
PID 3044 wrote to memory of 1488	3044	Cfpnph32.exe	86
PID 1488 wrote to memory of 4376	1488	Cnffqf32.exe	87
PID 1488 wrote to memory of 4376	1488	Cnffqf32.exe	87
PID 1488 wrote to memory of 4376	1488	Cnffqf32.exe	87
PID 4376 wrote to memory of 1200	4376	Ceqnmpfo.exe	88
PID 4376 wrote to memory of 1200	4376	Ceqnmpfo.exe	88
PID 4376 wrote to memory of 1200	4376	Ceqnmpfo.exe	88
PID 1200 wrote to memory of 4552	1200	Cdcoim32.exe	89
PID 1200 wrote to memory of 4552	1200	Cdcoim32.exe	89
PID 1200 wrote to memory of 4552	1200	Cdcoim32.exe	89
PID 4552 wrote to memory of 4720	4552	Cjmgfgdf.exe	90
PID 4552 wrote to memory of 4720	4552	Cjmgfgdf.exe	90
PID 4552 wrote to memory of 4720	4552	Cjmgfgdf.exe	90
PID 4720 wrote to memory of 4344	4720	Cmlcbbcj.exe	91
PID 4720 wrote to memory of 4344	4720	Cmlcbbcj.exe	91
PID 4720 wrote to memory of 4344	4720	Cmlcbbcj.exe	91
PID 4344 wrote to memory of 400	4344	Cdfkolkf.exe	92
PID 4344 wrote to memory of 400	4344	Cdfkolkf.exe	92
PID 4344 wrote to memory of 400	4344	Cdfkolkf.exe	92
PID 400 wrote to memory of 1388	400	Cfdhkhjj.exe	93
PID 400 wrote to memory of 1388	400	Cfdhkhjj.exe	93
PID 400 wrote to memory of 1388	400	Cfdhkhjj.exe	93
PID 1388 wrote to memory of 4284	1388	Cmnpgb32.exe	94
PID 1388 wrote to memory of 4284	1388	Cmnpgb32.exe	94
PID 1388 wrote to memory of 4284	1388	Cmnpgb32.exe	94
PID 4284 wrote to memory of 1812	4284	Ceehho32.exe	95
PID 4284 wrote to memory of 1812	4284	Ceehho32.exe	95
PID 4284 wrote to memory of 1812	4284	Ceehho32.exe	95
PID 1812 wrote to memory of 4492	1812	Chcddk32.exe	96
PID 1812 wrote to memory of 4492	1812	Chcddk32.exe	96
PID 1812 wrote to memory of 4492	1812	Chcddk32.exe	96
PID 4492 wrote to memory of 4692	4492	Cffdpghg.exe	97
PID 4492 wrote to memory of 4692	4492	Cffdpghg.exe	97
PID 4492 wrote to memory of 4692	4492	Cffdpghg.exe	97
PID 4692 wrote to memory of 4636	4692	Cnnlaehj.exe	98
PID 4692 wrote to memory of 4636	4692	Cnnlaehj.exe	98
PID 4692 wrote to memory of 4636	4692	Cnnlaehj.exe	98
PID 4636 wrote to memory of 2276	4636	Cmqmma32.exe	99
PID 4636 wrote to memory of 2276	4636	Cmqmma32.exe	99
PID 4636 wrote to memory of 2276	4636	Cmqmma32.exe	99
PID 2276 wrote to memory of 4816	2276	Cegdnopg.exe	100
PID 2276 wrote to memory of 4816	2276	Cegdnopg.exe	100
PID 2276 wrote to memory of 4816	2276	Cegdnopg.exe	100
PID 4816 wrote to memory of 4924	4816	Ddjejl32.exe	101
PID 4816 wrote to memory of 4924	4816	Ddjejl32.exe	101
PID 4816 wrote to memory of 4924	4816	Ddjejl32.exe	101
PID 4924 wrote to memory of 4880	4924	Dhfajjoj.exe	102
PID 4924 wrote to memory of 4880	4924	Dhfajjoj.exe	102
PID 4924 wrote to memory of 4880	4924	Dhfajjoj.exe	102
PID 4880 wrote to memory of 640	4880	Djdmffnn.exe	103

C:\Users\Admin\AppData\Local\Temp\200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe
"C:\Users\Admin\AppData\Local\Temp\200bd01d4f3c7c6cd0dfcda27018227fb121804a3407634d15bcb3dd710d7eb6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\Cndikf32.exe
  C:\Windows\system32\Cndikf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\Cabfga32.exe
    C:\Windows\system32\Cabfga32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\Cdabcm32.exe
      C:\Windows\system32\Cdabcm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 404
        41⤵
        Program crash
        
        PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 952 -ip 952
1⤵
PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cabfga32.exe

Filesize
163KB

MD5
148ffee991565dd026b9944541fcaba9

SHA1
1a6c8ac030e9c29fe3466945b3323686cdd8558c

SHA256
61979cca7f3a44ea38186d3c1811d6a39ac40c8d54fb829838705381197c84d2

SHA512
036d5f7d251be60767012a06666a5215cb350e0d56df7e73aa1e5a817092ded03606272c024493928ec1bb62ca871b3bd6dc2dd3cc26f5ea11f3fc86bc382a77

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
163KB

MD5
e85aade31c6b65b0ac87e4add9c41ec2

SHA1
be4cfd4160a5d684a4b885411859f27054b15691

SHA256
3aa247eb9cd6856acea809be637128d739f7e2ba39485301f5d4b3dfa00cc135

SHA512
411da28214a4b0bf78d31942088c10f95537cbbacdb10445bc1341acc2d014d8ce8eafdfe2a432d128198bff9fa67cd9352143063c883c152bf0ccb5dca5ca40

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
163KB

MD5
c9f800cea9af7fd6d1964f433ca857c3

SHA1
28f3a5a9d93f7157524c555c7c82c5696038a74a

SHA256
19f035cd91e01ca250851bf0bbea07c25c71a141ffbed432fe4b4c67f1ec0ef5

SHA512
b59f87f2a46b4e330bd570ae921d4d2910e8edc5a2fcb5654a2597c3e6e31fbe5e677a9bc186baa946511f6889d2edc7cb6165ee3a13025689040661d4d17c8a

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
163KB

MD5
ca9124924c7db60c15c179a404d551c9

SHA1
d55441d5a1d4cfa683698909822c992631e626be

SHA256
a7d8bd4ecceeedcd7d80d1f8bf7c4601a1dec2046938ddf0988b200046111545

SHA512
c341b6d201a3d7200f6253a3f310ecc4f8b62d6c95f81014040550313d84fd788119156bfc9557b7c6d43467c6fa5e7d16e7c3750209488dead41c6f642307dc

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
163KB

MD5
342a50b515da3e29042f5f980010e2e3

SHA1
629b728f62084a745b5f9c4ccc8dbe8bf8f0c954

SHA256
805ae5fa9f609809a7fd557500c70bd20ca694b4a43c284f5e97615948a07c12

SHA512
b5b33edc3451b12076a8a731443e7de7af20b6d9ae43d8bc0678aa4b17d7cf74c72c36ac6bb7111a1e4b35b6b8ae80da07a593d1cc758998295ebad39840b9db

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
163KB

MD5
143311be6e1dc6809414a7885f0ebf9c

SHA1
919a6d9fc51f2c00256590e2bfb3da0aed0dbb45

SHA256
5577b3dfb239519b0f8745892559a2c92625705b03de7ee04aa11848844b3a8f

SHA512
8153251b3414e83dce4e8302724dc4e351d369b9ec5b77841c4e458204f094d752214668198fd897646b2e7cbb947225aa581f1c1f313fbbc3618fb95ed650db

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
163KB

MD5
e775c76124cbd4670d48f218fc487254

SHA1
6bdb522fd25f9551378c09d0e61e4d4357bbfc82

SHA256
b2a1fdb5dc0f0a12e9cdafa20bd423e257552bfee5af8eba575f2c80bcb54188

SHA512
259170a59a3084ef335a0799077264f63be0666ed9015a4461d06b27361244a7f11b571197f0468d17a1b761c4d1705e8f447bfc346d12d42749bb1e4fbd7822

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
163KB

MD5
c6191d2047ead6b3a1d231fce3a97d5b

SHA1
5c343237cdb959e236e5f5e220d8ff6e95687e1a

SHA256
8f304353b4069cfbd6b55da808febf49e454e5b40ff6fd989893419a172bb666

SHA512
55dad302275a545bcf82004257228e00ce6f30269fe530e8a66970828a515c50809c50b4e0346340fd8f136967e0bcc3f34798823cb6cf5919652f7318fbd3da

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
163KB

MD5
f8a4a131760f2eb5a192f35036d66f2c

SHA1
ad45e3878144623947fb8675d42c75863da77b46

SHA256
3c2880c1fb9254fd61800119f7648f630f8d573c4d10cf46c4340f97a5e587c0

SHA512
198e4053503b52b20a57d536073dc2a4197ff4f074a2f610a2db1533f35aa830bd462f0c33b95d041b16d0fc562a970221ef504aebf355cb95f931dd54bdc095

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
163KB

MD5
fec3535c3122c7ee6827372fe84ce990

SHA1
96226ccf9a284811b92dbffb41d3249eda79e0ef

SHA256
a560ef8a5771a99c168cbaa372e58b5744887ace26f502801aaf017075bf9728

SHA512
ccb1679d6efcadd9cf7a66c33e145479df515a2571d458cbaf8b1b4f17082f784f49c0c837526ec73c2687c367c8bd2323ef21973ba2d4ff80ec608591a2187b

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
163KB

MD5
94a7bbbe1420d3b472954d4923a2a3bc

SHA1
864d734a068d4b5214205f3d73370734e39c4ec7

SHA256
05910822254c190d2c043d8f0489f025daba9fb195521bd264373a7e8f067231

SHA512
2bbe936c5899f8aaf3d8571385166e9a5e7b5b0b15ab2ff7e2ecf3083c1dc53edcd10ceaecc08adca9349978a1b1df139d1515435246bc18122873d0801e73d6

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
163KB

MD5
f005db1f9d45d8db94904dc9342deeb7

SHA1
6439aab582b9110876179c33c168e054b60b5d0c

SHA256
629fa4a847539444383c18d7867bdcbe2b70684d3a569a6b9693098dc771e83b

SHA512
fe8ceb9c777f4f0c71296b60d4872533b9b9706b15b1ac6132142770d0d13c7410940e42f2b493d91e7322d50e9f638cc67de56162e509be525bc3acdd68929f

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
163KB

MD5
9773c5140937544c0e49ba68a5e92782

SHA1
8780bd60d71c771782396c659126a428482ab8b8

SHA256
3eda720a00552741d65adb84951a4f273e637dce99a3fc8b310e6c8a6aacc331

SHA512
b709bf444ad5906d840c9c148c43485db69a32164eb794bbf4b9e03ef33b47d61a36e965031f2825ca769a64c9f5f2dd1d09f2ad2a7ff81edc3a2fb4db99254c

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
163KB

MD5
6041340b9b38482a62eb2f00ed7b0467

SHA1
b42755723e7dbfda842058e5d38ac7da2a7a48e7

SHA256
6539eca016ed9c23dceb7fea7eadcd8ef954d41c277930a5d0773694ed528811

SHA512
b61f1017f76916ed76a8d4ae8e8cb94256a8c3609681da28bdf3fca6c80b4e0c7b858e7cd3c4cd83e9f98e93de23e3d65b65ec3dcfdc48de4b7c53186b33db25

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
163KB

MD5
d0766e002dfcee5567594a0b157fac30

SHA1
379d748a923b4c826ad6c540ac03446bba55c2d7

SHA256
4e8de4c210dac74d1710326706c106251da48267664fee450504378b2ca9ca14

SHA512
0498fb048fd68cfd5182b459cbe69b0e13ef95bbda4b872c069a8c80431d23360708fe1180f6d680f16d4eac8180afbc202368bbaea982a9a995e5456908cb48

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
163KB

MD5
fae90b334d2f4e8771b3a00c27f83f64

SHA1
5cd296a61e803ac5de4e81420648128bbef66ac3

SHA256
ccffde7b6978cfbc30b304004f24352d6821eab3f80100af525a0afede4c6a4e

SHA512
c1abec73ccc029d1d5273ba6c5c0777b7087170775acfda2a4a54b517c7281590a02dc5f46bac9c72293c670935df6f25825d82c0f9c789182d445953e65db57

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
163KB

MD5
8e88bdedaefa338e9de7825bddce2530

SHA1
a7f6b4ed1f4a511c7d77199f63fd7fbebf70e84c

SHA256
84f284325bcf6ac6e227f01a5a23737962936ce4a4d70644fbfb1fcdeba30bb6

SHA512
c69e143ef9794914cdd09d690216e743ee348c2921555579a938d58aaafeb2262f2c1e23ee7e10f40c6370de290d9d604cbf98399596552fcb02099bee00c16e

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
163KB

MD5
987a709f67fdbc0904ba1ee60af6eaad

SHA1
5f8881c4da86c33c8ae031e34a084696fab2503b

SHA256
f3f6c6cf1d6f8e2b15fd1a411bdeac3914a124aead720c91e215c9d6a0a55c88

SHA512
423dbf8a34ee1c583ce350dfed350767eeb00d16842b8b8693b80db0c332c73c3085769be65eaac957da5b78063771718f5d9d2a3c70eeb9713465d87f99f14b

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
163KB

MD5
0aa0def95540deccf78b0f1c156b37d4

SHA1
bb658f15a195a52ace1ab76d9f005b2decdb7e8b

SHA256
957456edeef133b870b8a7c2672381eb731ad0f6d06f285935fd3e067452dc12

SHA512
5bcc856881236fa16364efd3c1638094f6018bcaf59510cf84997e472bee41b0c60f92fe2dca7a4d4f9d3fd64d988759fe6ce684059b16f26b165f878ffe1e23

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
163KB

MD5
2b077e42984aa65ec53947d4df65caa1

SHA1
334fd2eaac0c31c472ff2ea99c9d8faac2185d99

SHA256
81dc822b77d95c9f0e44b7b368a578c020102e5a0817b8bd705e10918e45fcba

SHA512
122bba972b44cf5866bff3fd11aaf309096653d45f711d3b552dd0762db834d2ef7b2cca89aecb0712774a05d3031c774345877888a4e2cfbc90f6d9c43ab444

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
163KB

MD5
89d11c3fb3cd4bc1f39bb53dc0270407

SHA1
6491ddff9ef44ff9ccde117480eb986f05d0a774

SHA256
d22359ee0b8e9972836904eef80fa5562201688e65c1c921d4a4f6c7de30d15f

SHA512
964f8bc63df180a0bb3c27d59bbd0d71330e9fa4f644f1cfbd30c508251f7679df7d21fe258533dbc57d717ae8f62dc5e73115821344fb80450fdd3d1cfdd1b9

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
163KB

MD5
c393cb52874d33ce70cfa2d676b5de79

SHA1
6ae1fd9cde950f67e0dd602a07c135e1b980440f

SHA256
6d4b8e3f2a3f2db27bdb59869f93866a2c0d48ea267091c65ade0ae6e7ef0c11

SHA512
edf11b44374ce33fd54a08cc4ec4785df9f1e7fd856d1c154f723d00df941ea0e9dc270d13add165d7e7ff7bc5d65dd46f0d35300c9569ae9c1ab6a401fd1845

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
163KB

MD5
f3f5b98de46fa35d49bee0092ba3b3d1

SHA1
30455770a9cdbfcce47625e58ef5b62dcc7132d9

SHA256
0868ddfd6a6bbe07d88449e2084bbde2ceb18240a86142bb9b4b6b33b582a7dc

SHA512
4a8af8dd3334d64f4a7726eecd0be5e92006e5e82020bb650d93ff229aa4d95ef1f9d60c0723cfdfb0b065aeb0220697a35c45b071352585530620bf938aa899

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
163KB

MD5
b1f057e133f7bb5c79fa78097d2f6cbf

SHA1
56bd0ca4129359d12621cbd02018712e668922d4

SHA256
a1f79dcfb3686deb354df6c614ef190aa1298a6e47e64ba9688ffb7f6467be21

SHA512
182b3bf16b410d00ad0ad1170af0264d72341cb95cbad2ab7a0a8cc7ff052cf7812a478e7334122b0192bdb01995467a6258c090109a0e60ac14693ceaaf81b6

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
163KB

MD5
cab32966b290e9eec548167641bb0f07

SHA1
450b5f0fe44e57727c0b300f3f1ef31320176a2c

SHA256
b6005cb8d26c575278502640a6b64508ae7270d578be58bdc937d9048e02c0b0

SHA512
0f475ca28ff885b32a0a94b11cc6b9b353be22240fe55564e1a781f7a7252e2ea27a2a7dc65943ca000637bba95a43507fe8f8fa8bde6d5c7c3e9c4d95c47e1f

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
163KB

MD5
7a1eed17a0c999439a575c6e154cc26d

SHA1
73b4082d6051a63c96bf263f7e524042bfd78821

SHA256
e272185a5d385f8e96798557b968194aae3561631efc95f452bc3a16dfa5e1fd

SHA512
fc7f371ab59cfa0477759e22bc540019af68be95b0643bfca3ecb3f80197033771daa3380702e2f726d5ed8661cbbabd2f909dec6c758426eb71160cc6576782

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
163KB

MD5
7ad936fe6a6f31fad1823539cbc24ac2

SHA1
aeeca2cb4776048918e7c676d0d6290f12d3afb1

SHA256
12109a4fa6722bf98ec153b5116e7971724a22c2cfab256df50c0e28e6a036a3

SHA512
5ddd716f9b191491c3caf67ff1ed025b6f719b3ff6418cdebf6f06d058de38d129799f4b56cc92a8280673d628555cf4bafe50e050cc86de84f0018fefc7a2ae

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
163KB

MD5
09ae5bf6395535b1c22f8c2ec0ea77e5

SHA1
20023e94485f3a25ccfe6bc61284c4d7da8aea19

SHA256
ffabc9e1f372ae77d608e39e708111073ac625b1392ec91d046a47c9d078caa5

SHA512
d2da1a9bd042991aa9ec29b95b1ffa55ccc7b49a5d8d5b7db45b7d379a97440ba199b34b1d64b9aaac0ca83c6d17981e4d2f844782e7ecc47c993d39cd0d4598

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
163KB

MD5
d92b2d9a5d07042457ddfc26d69ed9d8

SHA1
8ea1f698d27e3945e915047f03a2e1ad7bc2ff1a

SHA256
4ee320fb4f401c01ecf39e3d4340cf2fa5dae6398f679d792ab74ca804381943

SHA512
4dae7610fd30b5faf372819a747562c7eeba86e651e90da876476dcd3fdeae0676105f3687a48a402476fb9e06d65735c9dfcfe8afdc8b86f8640bf1ccd19953

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
163KB

MD5
7a897b7e336be81bf2d9534618fc1361

SHA1
86471ad75ab31b3fcb74c3cd722f6fd0a9dd0b1b

SHA256
2412e2f39384dd74a734ff9ef40be346441e46260921eee3da9a7dde57a80d44

SHA512
a734aac931ea0792dc977dcd3ae6221d6a735d623f1aa7ae093a80e33456856acfdecde0e28b4da23a7cba8839ad131d02b8be687a18ef85ca720e4a61a8d30f

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
163KB

MD5
c2434d48f7916f65ed0afa36558ff25f

SHA1
4ade21b0470d46c06db0fd86f05eacf5c2966023

SHA256
a3213a46f01d32330a3334ff4155f22034340a6b76d4665371d384312b47c05f

SHA512
8b05e979385d1864c402d6ba634156b79d86dc9eab3e288f01eb9caa5cbf15e08da438a96e795774e842291d5e57c04248fde7e91c767945492a3512838f15a4

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
163KB

MD5
3c66788f0e3bd37d0d9df8454bac60af

SHA1
6ec316159bfd839c0e07141459a3f742bbff8f04

SHA256
d94af5c1a64480c0b01ab446f36223cc4153f47657103205f0ca23a7255621df

SHA512
d3909861bbfb5fd66418d2a8724df0f57fbdb62f7173f987861619de2ba33f4fd1ff0dd0a0f8956d5a28e76bc2131e8cf6db57f43db6ea754891ab1a219c956d

Download Submit
memory/400-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/400-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/528-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/528-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/952-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/952-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1100-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1100-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1100-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1200-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1200-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1224-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1224-312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1488-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1488-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1632-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1632-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1692-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1692-189-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1812-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1812-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1948-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1948-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2276-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2276-344-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3044-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3044-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3368-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3368-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3416-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3416-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3628-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3628-318-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3864-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3864-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4072-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4072-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4236-332-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4236-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4284-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4284-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4344-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4344-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4364-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4364-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4492-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4492-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4552-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4552-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4636-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4636-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4648-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4648-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4692-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4692-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4720-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4720-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4808-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4808-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4816-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4816-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4872-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4872-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4880-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4880-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4924-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4924-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5088-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5088-326-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads