berbew | eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
Size

93KB
MD5

e21ae015615ad525ff7765eac752de59
SHA1

aa4eb66c8ada2ea3b7f12d140208396f201e8eca
SHA256

eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589
SHA512

763be2bd95effaf975c1f7b66447fc9588f869a30bf6fdbd759fdbe05ea9b4f847c842e0b7990ef77033831248ae38110d4e549b2d62f6c765c3a69f6d197213
SSDEEP

1536:AdZDUkqyxQ2f82bPqbI0jk3NVWX1P1DaYfMZRWuLsV+1L:AdB5TQ+82bPqsqgrs1PgYfc0DV+1L

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgejac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndlim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjpacfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnqkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcmlcja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpkbdiqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnqkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceodnl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgejac32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdikkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egoife32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egoife32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceodnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjpacfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cafecmlj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpkbdiqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcenlceh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 33 IoCs

pid	Process
3028	Ckjpacfp.exe
2848	Ceodnl32.exe
2776	Chnqkg32.exe
2732	Cafecmlj.exe
2664	Cgcmlcja.exe
1064	Cpkbdiqb.exe
2704	Cgejac32.exe
1868	Cpnojioo.exe
2876	Cdikkg32.exe
1744	Ccngld32.exe
2984	Dndlim32.exe
1268	Dfoqmo32.exe
768	Dhnmij32.exe
2204	Dbfabp32.exe
896	Dlkepi32.exe
1104	Dcenlceh.exe
956	Dhbfdjdp.exe
2140	Ddigjkid.exe
1444	Dggcffhg.exe
972	Eqpgol32.exe
1356	Ehgppi32.exe
1912	Ekelld32.exe
836	Ebodiofk.exe
2528	Ednpej32.exe
2148	Egllae32.exe
2636	Ejkima32.exe
2644	Egoife32.exe
2080	Eqgnokip.exe
2272	Eojnkg32.exe
484	Efcfga32.exe
584	Ejobhppq.exe
2104	Fidoim32.exe
2868	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2812	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
2812	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
3028	Ckjpacfp.exe
3028	Ckjpacfp.exe
2848	Ceodnl32.exe
2848	Ceodnl32.exe
2776	Chnqkg32.exe
2776	Chnqkg32.exe
2732	Cafecmlj.exe
2732	Cafecmlj.exe
2664	Cgcmlcja.exe
2664	Cgcmlcja.exe
1064	Cpkbdiqb.exe
1064	Cpkbdiqb.exe
2704	Cgejac32.exe
2704	Cgejac32.exe
1868	Cpnojioo.exe
1868	Cpnojioo.exe
2876	Cdikkg32.exe
2876	Cdikkg32.exe
1744	Ccngld32.exe
1744	Ccngld32.exe
2984	Dndlim32.exe
2984	Dndlim32.exe
1268	Dfoqmo32.exe
1268	Dfoqmo32.exe
768	Dhnmij32.exe
768	Dhnmij32.exe
2204	Dbfabp32.exe
2204	Dbfabp32.exe
896	Dlkepi32.exe
896	Dlkepi32.exe
1104	Dcenlceh.exe
1104	Dcenlceh.exe
956	Dhbfdjdp.exe
956	Dhbfdjdp.exe
2140	Ddigjkid.exe
2140	Ddigjkid.exe
1444	Dggcffhg.exe
1444	Dggcffhg.exe
972	Eqpgol32.exe
972	Eqpgol32.exe
1356	Ehgppi32.exe
1356	Ehgppi32.exe
1912	Ekelld32.exe
1912	Ekelld32.exe
836	Ebodiofk.exe
836	Ebodiofk.exe
2528	Ednpej32.exe
2528	Ednpej32.exe
2148	Egllae32.exe
2148	Egllae32.exe
2636	Ejkima32.exe
2636	Ejkima32.exe
2644	Egoife32.exe
2644	Egoife32.exe
2080	Eqgnokip.exe
2080	Eqgnokip.exe
2272	Eojnkg32.exe
2272	Eojnkg32.exe
484	Efcfga32.exe
484	Efcfga32.exe
584	Ejobhppq.exe
584	Ejobhppq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mcfidhng.dll	Dndlim32.exe
File created	C:\Windows\SysWOW64\Mledlaqd.dll	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Egoife32.exe
File created	C:\Windows\SysWOW64\Eojnkg32.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Efcfga32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fidoim32.exe
File created	C:\Windows\SysWOW64\Qfjnod32.dll	Cafecmlj.exe
File created	C:\Windows\SysWOW64\Dfoqmo32.exe	Dndlim32.exe
File opened for modification	C:\Windows\SysWOW64\Dbfabp32.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Ajfaqa32.dll	Dbfabp32.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Olfeho32.dll	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Fidoim32.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Bebpkk32.dll	Cpnojioo.exe
File opened for modification	C:\Windows\SysWOW64\Cpkbdiqb.exe	Cgcmlcja.exe
File created	C:\Windows\SysWOW64\Akigbbni.dll	Cdikkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhnmij32.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Ednpej32.exe	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Ffpncj32.dll	Ejkima32.exe
File opened for modification	C:\Windows\SysWOW64\Efcfga32.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Cpkbdiqb.exe	Cgcmlcja.exe
File created	C:\Windows\SysWOW64\Chnqkg32.exe	Ceodnl32.exe
File created	C:\Windows\SysWOW64\Cpnojioo.exe	Cgejac32.exe
File created	C:\Windows\SysWOW64\Kcbabf32.dll	Ednpej32.exe
File opened for modification	C:\Windows\SysWOW64\Ejkima32.exe	Egllae32.exe
File opened for modification	C:\Windows\SysWOW64\Ejobhppq.exe	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjpacfp.exe	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
File opened for modification	C:\Windows\SysWOW64\Dlkepi32.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Hhijaf32.dll	Dggcffhg.exe
File created	C:\Windows\SysWOW64\Ekelld32.exe	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Egllae32.exe	Ednpej32.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Egoife32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dfoqmo32.exe	Dndlim32.exe
File opened for modification	C:\Windows\SysWOW64\Chnqkg32.exe	Ceodnl32.exe
File created	C:\Windows\SysWOW64\Flojhn32.dll	Ceodnl32.exe
File opened for modification	C:\Windows\SysWOW64\Cgejac32.exe	Cpkbdiqb.exe
File created	C:\Windows\SysWOW64\Bjidgghp.dll	Dlkepi32.exe
File opened for modification	C:\Windows\SysWOW64\Egoife32.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Nhokkp32.dll	Ckjpacfp.exe
File created	C:\Windows\SysWOW64\Cgcmlcja.exe	Cafecmlj.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Eqpgol32.exe
File opened for modification	C:\Windows\SysWOW64\Cafecmlj.exe	Chnqkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcmlcja.exe	Cafecmlj.exe
File created	C:\Windows\SysWOW64\Ccngld32.exe	Cdikkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ehgppi32.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Ekgednng.dll	Efcfga32.exe
File created	C:\Windows\SysWOW64\Ilpedi32.dll	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
File created	C:\Windows\SysWOW64\Gjpmgg32.dll	Ccngld32.exe
File created	C:\Windows\SysWOW64\Dlkepi32.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Dggcffhg.exe	Ddigjkid.exe
File created	C:\Windows\SysWOW64\Njmggi32.dll	Ekelld32.exe
File opened for modification	C:\Windows\SysWOW64\Ednpej32.exe	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Egllae32.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Elgkkpon.dll	Cgejac32.exe
File created	C:\Windows\SysWOW64\Dbfabp32.exe	Dhnmij32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbfdjdp.exe	Dcenlceh.exe
File opened for modification	C:\Windows\SysWOW64\Ddigjkid.exe	Dhbfdjdp.exe
File opened for modification	C:\Windows\SysWOW64\Dggcffhg.exe	Ddigjkid.exe
File opened for modification	C:\Windows\SysWOW64\Eojnkg32.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Fileil32.dll	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Geemiobo.dll	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Mmjale32.dll	Egllae32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1956	2868	WerFault.exe	62

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcmlcja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egoife32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgejac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdikkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhnmij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjpacfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpkbdiqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ednpej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbfdjdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebodiofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cafecmlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqpgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehgppi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekelld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eojnkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnojioo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcenlceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddigjkid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egllae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceodnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccngld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggcffhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejkima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejobhppq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnqkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfoqmo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbabf32.dll"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgnhbba.dll"	Chnqkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egoife32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdidec32.dll"	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgejac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll"	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll"	Egoife32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcmlcja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgejac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egoife32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpncj32.dll"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flojhn32.dll"	Ceodnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpkbdiqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdikkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll"	Dhbfdjdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfjnod32.dll"	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgkkpon.dll"	Cgejac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll"	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll"	Cdikkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll"	Dndlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpedi32.dll"	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceodnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpkbdiqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdikkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjpacfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceodnl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 3028	2812	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe	30
PID 2812 wrote to memory of 3028	2812	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe	30
PID 2812 wrote to memory of 3028	2812	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe	30
PID 2812 wrote to memory of 3028	2812	eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe	30
PID 3028 wrote to memory of 2848	3028	Ckjpacfp.exe	31
PID 3028 wrote to memory of 2848	3028	Ckjpacfp.exe	31
PID 3028 wrote to memory of 2848	3028	Ckjpacfp.exe	31
PID 3028 wrote to memory of 2848	3028	Ckjpacfp.exe	31
PID 2848 wrote to memory of 2776	2848	Ceodnl32.exe	32
PID 2848 wrote to memory of 2776	2848	Ceodnl32.exe	32
PID 2848 wrote to memory of 2776	2848	Ceodnl32.exe	32
PID 2848 wrote to memory of 2776	2848	Ceodnl32.exe	32
PID 2776 wrote to memory of 2732	2776	Chnqkg32.exe	33
PID 2776 wrote to memory of 2732	2776	Chnqkg32.exe	33
PID 2776 wrote to memory of 2732	2776	Chnqkg32.exe	33
PID 2776 wrote to memory of 2732	2776	Chnqkg32.exe	33
PID 2732 wrote to memory of 2664	2732	Cafecmlj.exe	34
PID 2732 wrote to memory of 2664	2732	Cafecmlj.exe	34
PID 2732 wrote to memory of 2664	2732	Cafecmlj.exe	34
PID 2732 wrote to memory of 2664	2732	Cafecmlj.exe	34
PID 2664 wrote to memory of 1064	2664	Cgcmlcja.exe	35
PID 2664 wrote to memory of 1064	2664	Cgcmlcja.exe	35
PID 2664 wrote to memory of 1064	2664	Cgcmlcja.exe	35
PID 2664 wrote to memory of 1064	2664	Cgcmlcja.exe	35
PID 1064 wrote to memory of 2704	1064	Cpkbdiqb.exe	36
PID 1064 wrote to memory of 2704	1064	Cpkbdiqb.exe	36
PID 1064 wrote to memory of 2704	1064	Cpkbdiqb.exe	36
PID 1064 wrote to memory of 2704	1064	Cpkbdiqb.exe	36
PID 2704 wrote to memory of 1868	2704	Cgejac32.exe	37
PID 2704 wrote to memory of 1868	2704	Cgejac32.exe	37
PID 2704 wrote to memory of 1868	2704	Cgejac32.exe	37
PID 2704 wrote to memory of 1868	2704	Cgejac32.exe	37
PID 1868 wrote to memory of 2876	1868	Cpnojioo.exe	38
PID 1868 wrote to memory of 2876	1868	Cpnojioo.exe	38
PID 1868 wrote to memory of 2876	1868	Cpnojioo.exe	38
PID 1868 wrote to memory of 2876	1868	Cpnojioo.exe	38
PID 2876 wrote to memory of 1744	2876	Cdikkg32.exe	39
PID 2876 wrote to memory of 1744	2876	Cdikkg32.exe	39
PID 2876 wrote to memory of 1744	2876	Cdikkg32.exe	39
PID 2876 wrote to memory of 1744	2876	Cdikkg32.exe	39
PID 1744 wrote to memory of 2984	1744	Ccngld32.exe	40
PID 1744 wrote to memory of 2984	1744	Ccngld32.exe	40
PID 1744 wrote to memory of 2984	1744	Ccngld32.exe	40
PID 1744 wrote to memory of 2984	1744	Ccngld32.exe	40
PID 2984 wrote to memory of 1268	2984	Dndlim32.exe	41
PID 2984 wrote to memory of 1268	2984	Dndlim32.exe	41
PID 2984 wrote to memory of 1268	2984	Dndlim32.exe	41
PID 2984 wrote to memory of 1268	2984	Dndlim32.exe	41
PID 1268 wrote to memory of 768	1268	Dfoqmo32.exe	42
PID 1268 wrote to memory of 768	1268	Dfoqmo32.exe	42
PID 1268 wrote to memory of 768	1268	Dfoqmo32.exe	42
PID 1268 wrote to memory of 768	1268	Dfoqmo32.exe	42
PID 768 wrote to memory of 2204	768	Dhnmij32.exe	43
PID 768 wrote to memory of 2204	768	Dhnmij32.exe	43
PID 768 wrote to memory of 2204	768	Dhnmij32.exe	43
PID 768 wrote to memory of 2204	768	Dhnmij32.exe	43
PID 2204 wrote to memory of 896	2204	Dbfabp32.exe	44
PID 2204 wrote to memory of 896	2204	Dbfabp32.exe	44
PID 2204 wrote to memory of 896	2204	Dbfabp32.exe	44
PID 2204 wrote to memory of 896	2204	Dbfabp32.exe	44
PID 896 wrote to memory of 1104	896	Dlkepi32.exe	45
PID 896 wrote to memory of 1104	896	Dlkepi32.exe	45
PID 896 wrote to memory of 1104	896	Dlkepi32.exe	45
PID 896 wrote to memory of 1104	896	Dlkepi32.exe	45

C:\Users\Admin\AppData\Local\Temp\eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe
"C:\Users\Admin\AppData\Local\Temp\eb840e80afb23879687ca26f5e2a2b9cd317670bfa90cb7fd105d20513c73589.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\Ckjpacfp.exe
  C:\Windows\system32\Ckjpacfp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Ceodnl32.exe
    C:\Windows\system32\Ceodnl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\Chnqkg32.exe
      C:\Windows\system32\Chnqkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Cafecmlj.exe
        
        C:\Windows\system32\Cafecmlj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\Cgcmlcja.exe
        
        C:\Windows\system32\Cgcmlcja.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Cpkbdiqb.exe
        
        C:\Windows\system32\Cpkbdiqb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Cgejac32.exe
        
        C:\Windows\system32\Cgejac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Cpnojioo.exe
        
        C:\Windows\system32\Cpnojioo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Cdikkg32.exe
        
        C:\Windows\system32\Cdikkg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ccngld32.exe
        
        C:\Windows\system32\Ccngld32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Dndlim32.exe
        
        C:\Windows\system32\Dndlim32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Dhnmij32.exe
        
        C:\Windows\system32\Dhnmij32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Dcenlceh.exe
        
        C:\Windows\system32\Dcenlceh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Dhbfdjdp.exe
        
        C:\Windows\system32\Dhbfdjdp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Ddigjkid.exe
        
        C:\Windows\system32\Ddigjkid.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Dggcffhg.exe
        
        C:\Windows\system32\Dggcffhg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Ehgppi32.exe
        
        C:\Windows\system32\Ehgppi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Egllae32.exe
        
        C:\Windows\system32\Egllae32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Egoife32.exe
        
        C:\Windows\system32\Egoife32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Eojnkg32.exe
        
        C:\Windows\system32\Eojnkg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 140
        35⤵
        Program crash
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cafecmlj.exe

Filesize
93KB

MD5
5e05d41fef59dc248f600a2ca77b68fc

SHA1
57e270b6ffb66d6e15ea921204ca9abc41da7e02

SHA256
62da780ba695ba9c5a4b9398d55b965b6ad5f28686bf0c5dbf1a53cffae893c5

SHA512
ce3295486507bd9d941f34f52ccd2a797c6eaa9c50fb5504738c681626f7169af09a6e74a5696ad216dc5cffbb6301d88b0064632c7eb16adc71b88af9fe650a

Download Submit
C:\Windows\SysWOW64\Ceodnl32.exe

Filesize
93KB

MD5
3762a8d642dd33aa322ab657c0941ca0

SHA1
011569893f7cb478c61e38ae20dc4fd42aa90a58

SHA256
d8eb4eb821f83df0212820e081cad491d8d4d35c9ead21005fa457764509a535

SHA512
f87e8e8f21b679915c0183fc89b6b10483abb0d8e1303206717d6b378eafb580a02e5f6ae9fedcb413e2be9cf15d47a98dddf6b4627d4650450f8d68c6bca97f

Download Submit
C:\Windows\SysWOW64\Cgcmlcja.exe

Filesize
93KB

MD5
778ab72cbb70679f5817b6df88035a12

SHA1
ef792b5cc61577a1e9e936e673ce7b54e4ab7330

SHA256
6084dfcaffbe0e249c594f248ad82abcb594fca261507e59af512312fb65a4d8

SHA512
d05d531675db45d4a0165329c369110371a8e6949b5c6b17bff4b56c674e1ff5f7026cbe8de6bd4d71bfa57f2ed9117a809447ccd22b80cc03e8d696f12f090a

Download Submit
C:\Windows\SysWOW64\Dbfabp32.exe

Filesize
93KB

MD5
42958256af8a0e6bd616afd3b2acd343

SHA1
cae78d36b2c5dbfe65bbf38914c3bbae9a6f1ce3

SHA256
55e4f1ac6bbd0c07ad5c7b7e263a5d2ef8bb13b26842672d8e3828ca7da58a50

SHA512
4827d0b869508273ccce562f229b12b044826b1a176cb2bbb29f9ae0513d070fb78b6c0b444917d86a8032dd6ba7400d0ba4e80162b1a9f00455392d89cdd688

Download Submit
C:\Windows\SysWOW64\Ddigjkid.exe

Filesize
93KB

MD5
b3610bf875fec2e03632bdf90ae52124

SHA1
c56d635fd2507dbb1e13c4146ff7032188f2cd94

SHA256
28adfa56f4f065e6aa6d688913a303b139e61d0e78c7c3d36e13d8e382d98a12

SHA512
a2096259ebd6574509611a80b57943588612643da35c7634b6378eb21a0c26e6f7690b0caa8ea299611cdf76fe29b84b430aad217ee26100d095a240ff01eb31

Download Submit
C:\Windows\SysWOW64\Dggcffhg.exe

Filesize
93KB

MD5
225e4fc32c655b6514cc9a916c53bdff

SHA1
d9f09380d6effa7bab125d42fe1292fea524a7e7

SHA256
52fb3faa949673b4c68a5a8d567b5aa4ca78a33b23b06044b024da244dbe631c

SHA512
cba92d936701deb5b39cb6364c81dc90d318943c7b952ff2de89e20fb3d51546531f19e189e001a02bc375427499f5c31f4b52e3f71a7387a22544f9ff6592aa

Download Submit
C:\Windows\SysWOW64\Dhbfdjdp.exe

Filesize
93KB

MD5
5085185c085a33ae67662f0c5b142a05

SHA1
4bbf9069f94efa2bb69eb805e16e74eaff181e3a

SHA256
d1c36c756ce60e354f8b8d54bfefd6ff48aefd7561711dff3a332800f02c786c

SHA512
d8ac851ee2f787d505c1c08c965c753afd7ff9d5751c0cc3d799f9ff52ee56c470132ef77c774430507c02e94e8a4ac1e193bf21e8ecaedce63e3d018e40f42d

Download Submit
C:\Windows\SysWOW64\Dhnmij32.exe

Filesize
93KB

MD5
8dc6f6313f9f343645cfe9c6dd162b0d

SHA1
d274882b0b506bf72beccc24ac62b1bef217ea6a

SHA256
15bb2073d1563d57bf44ac205c0bf54de84bf281f5829cee5846f0c7007442c4

SHA512
0c019a9fd75d430f3d5657e98ea429ae0ab9af484838102f39919b663d81c3f12e73bd2eece79ea60790cdaa8e3e93fda29489be89d582e5491cde2d72b92a55

Download Submit
C:\Windows\SysWOW64\Ebodiofk.exe

Filesize
93KB

MD5
01db0b4c55a910230686263b4e9dd100

SHA1
0677f4d79e9a55f2a194f96fe9a688f295c6ec2e

SHA256
c4908219daeb80773226fc4c76b28a739f3564bcd469e4096cc0c701d6fe7df7

SHA512
c48885eb972166cf98c62ae6bd8ee5d08458dd96e3fe92e9555d772d3a39631aeb70e57e34389ce8920a084595427dcd4cbdb8a79833bcba5b4deb5171cc870f

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
93KB

MD5
4f8f97e85f92328aa4683150c6b992a9

SHA1
45aa164b532eb9135245083b74ffd0c873e1ecae

SHA256
fe555b7f83810fc1ab2da7a4a9bb9902a8000e8ee202c44675593e0737298f3d

SHA512
2998000861c406d5a527a94731233c53b1e80b06a8ed948db1abe92f3e7f8d777c6b0e829068bfac8c2a4e4ddf4fe5d06fedc166cc537545ce2e6ca492b84190

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
93KB

MD5
2c77a73944f92a53cbb06fe6fbfb50c5

SHA1
2f67167bcdfaa68efea1b296b7a53a9cda1753eb

SHA256
bee63dca77b1669e4dcce868816fc030d85bc2fcfd5494086c42bc0537634db8

SHA512
1efdaa4c4297e532799d035da1f1cbf28e960c27481d87686f6abf9eeca82bff46b49feb7b95c6f4f70bb02c7adba43f741a34cfb26e665b6eecd59955d72046

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
93KB

MD5
c54d54da51f8dae276badd30b50759b3

SHA1
7482248147695ad091c78f521f60755739e11afb

SHA256
914741c42ea6645b4ed8391ed73dd33aea5cefe4516681db7b0af41e81809219

SHA512
77636ea9dd3a4816043e3906a2d2626eda190ad2cd1ae2c39694ed1fc4c4e7aa485bb497bfb5b7cd3bea41717b95c389c011dc170e6917bf8a8613fb90b6b0bd

Download Submit
C:\Windows\SysWOW64\Egoife32.exe

Filesize
93KB

MD5
196838938b9579b3fc349ca657a5684a

SHA1
41ebe230e14f637da416ad06438c9908c712d592

SHA256
9728844fbf1a88e478a085fb1accb5bf8a2f42917c3cfeba19f3aac8eeded4af

SHA512
1910574406f74ff630fbd3d79269197a15c9ff1e0c27d0b34b63a01b924c0df61d2f88c3d88f046ee98feeebed9eb4a704f9f32dda28f8e5ad6bd0ec06c0c282

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
93KB

MD5
a7b3b5730b3bb8d6a23ba119be189905

SHA1
8e60919d63cd85571e989360ec15f5946537b5b0

SHA256
4473337a6fdb84459de60d9c1bc5c5b3a343414dfc3903642435bcd8d9d1af4f

SHA512
b5d179e75d0a8601243ec93b0c8db244089b99f5cc2ed34d364dd1babf910c1c9d8f3f13b49aa9c79315ef0b33d8933efafe4cc7ebc8705f329a6b9d74434ad9

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
93KB

MD5
c4a5a7c806f013c7895c110e2431f4d7

SHA1
a96466f98e4a41d9d549328f75a6746a4e2a77cd

SHA256
fadeb91845fd536de9981e689648d4419028cca30b86a0cc6355f9ecafb084fe

SHA512
377acccc83c393ae7ffc5b5d1acf03141c4d30ad47c891202caec3bdb6e6f2d666100d0644fc2b1b953ef25af62592c1fdb2b080377ad80ed4eddeb130abcc3c

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
93KB

MD5
48709afcb5e38edf54a6339d603fd9f4

SHA1
51647c4f2e721267e54325c35ff0f4c15677b78a

SHA256
1b42b6bc5634cc72a95084e0ffa663fe1ec7f2561dd123028454c7ed4a8d282e

SHA512
b462ce8a1bc50d0e151c97211b6fffd7168d339b2e549489189dbe6d9728cd98fde78a9578e5ce94d2496994d035ee7aed1574e60bc8696cba344bb29fc15542

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
93KB

MD5
12d3a191ab19197ad53ac4553db53f81

SHA1
c17600e605e8c0bbd57359b42871827d86b45ce8

SHA256
be2851b4684c1d5d8d6eb905f981cdf9fc7ef8271ab222b2c0cf350df00677e9

SHA512
3f5f5d3185558d612f4e82c7d6f304f49674d177a1c15f9a4c7c069b89e003bce98387f46005583dd532813dda7bf3f951c2894e35947c2a5a00a1ac0a335f4c

Download Submit
C:\Windows\SysWOW64\Eojnkg32.exe

Filesize
93KB

MD5
8dc21c7acd9cf128f706b14768b55e66

SHA1
4cdba3095e7959bbb79b0e7c00f9090e453a5093

SHA256
2fe9e5acdaf11541a99d6e9e5a80c45ac7cd7de789ceabb4f6cae49deb3072f7

SHA512
165a277999c548ca1238c3685f85c26b5aa2ad7bc049f6bc5cf086ba69749292d5215ffec2979b571ea24a22a8bc7b61e2d36b88b96f51e6eb76b322eb669213

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
93KB

MD5
f589bdfd49fc34febd0965f4babe9a17

SHA1
422d882624fa0dd3efac530207141d129d6d0d35

SHA256
e275e366a1b944e8f35ee16400a1d9a60b4603028f403eeb09c3d72ee131fd70

SHA512
fd995f340b6d2d9c3d36b3a1c958017bdc2c7dfb23b492de275df6b3ab34678794a8a297350ac512de6326c60575087454dcd1d4e0d952d4aa701326e5507b0f

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
93KB

MD5
eb59c521f84468f886e8120235643b79

SHA1
b9e1a32e2df62f62bc25a887b890fbc78ae7a118

SHA256
d98c8bff536ba4baecc6eb9f5f92b4c57adacebbf428b6d9eed31369109f2cda

SHA512
32ae13b9fbe0b578722da964991b335b312cf1a0e472a251b3bebbf5883245a440789c88973d40508dac966cad276fa676f0601d184bc9e280227e47cde79506

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
93KB

MD5
838953b6a6fb813fc6251ac5188cd296

SHA1
87ec4e76281c686f890c1d5e0978bb046f59a896

SHA256
0093f88d2fb83f93c3d69e923cc051fb54d4bbf56840ebd8a2a558d916b6f894

SHA512
83be7deb3452de4139cf9a1e9c78653f044480a99ef2432c9ed71382749f894e711d6d5c80c5b492056b888c36f972b2cf06b800ff04ee9ea3572fcacfd35251

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
93KB

MD5
e98a25e0bdeb2ffea8cc65f721f4ec25

SHA1
c3596b36bc97ccfb1e860c7b21c22b6a9908efeb

SHA256
cf660ea6faca2f2fa7539ce02b499e317950ac53e7c76468680bfaf1578c5024

SHA512
4c7ba9363b8450439da9f491a2163b182a5e4b9f4ba16d24b43b381d1d817d267e46efc7686b43ee4dfb5af7139661aeda5af77f846df1b4fa53cdf29bf3bed6

Download Submit
\Windows\SysWOW64\Ccngld32.exe

Filesize
93KB

MD5
df52843961c1a3385d5e8db2826cf3e3

SHA1
e8c97236c0e397a37e9f88cb84abbc199668b107

SHA256
98463600d744a6f0bb0ba9efd77b1a2fdc9baaa11a200a8e247845da0218d9f8

SHA512
6b487c2b380881f2e5511cee3b030c9d5876244383eac13954c5a6aaee11abb4836d5fdd61311a14dc5f94def0fa17d082b071c4147803545d645b52a143e167

Download Submit
\Windows\SysWOW64\Cdikkg32.exe

Filesize
93KB

MD5
edc6d276be58fe94a5b76147682d3503

SHA1
bdfa83bb61092d611afb02ed4709d3ef959c9685

SHA256
b6d5d5213fe6b78e3bcadc3f0564f93b0dafd500ae69ae5d30cfeb3a80d39571

SHA512
5ed3a0d53cf3ecd316b6312fdb33431752ca60793dd2c643336c18a70211d3f414910db0d8be64e0b5e46c89f7e203e6368ca182eed1cc66ac200d0b51009e4d

Download Submit
\Windows\SysWOW64\Cgejac32.exe

Filesize
93KB

MD5
3c00c2b0b05e66c305cf621a46d3efe6

SHA1
578508dc45b8772905d753aa754005cb7ca00986

SHA256
e46105884a701deb03c993682da58faa7f350e417961ca28ca61ca15d9eb142a

SHA512
33081dab7a63cd931fd4a6ba7e6d8bcb5c6cb10115369f37da96c71e03e42ce0635176d71248fd32f51e6fcfa19b3578433068a17244e5f8e749d772a01bc313

Download Submit
\Windows\SysWOW64\Chnqkg32.exe

Filesize
93KB

MD5
acd2961c69ff9122da7f76a19b5867ff

SHA1
582552a8f1cd843ec8b42ad5ceb94cd6a78b1155

SHA256
4226a2d347a7650dde8c057778fd7624a34a7368bacd2ee50c0749dfe2fb6763

SHA512
33487876662fbb767f146a82aa41846f6c36d7422aee2524172253d2484c1bd8f3b052c6b1f0598f9ff8f2c0242e02b64bd712538f4fd395e13b711c20d763d4

Download Submit
\Windows\SysWOW64\Ckjpacfp.exe

Filesize
93KB

MD5
3398532d6736ada80e96d11aee03e7f2

SHA1
51a2e4883c578cf2778640c15db7f6923c4732df

SHA256
0f44290cd8ca1a1db94ca7e5f98c1e01e46a8abe0386f32273bc90cc8039dc92

SHA512
e38092830dcaf2a7c44f4c6d7bc8e54f66efcf92690d805ccb0a9771a2ed51df5c6a23dc8e00abc00289b79ffa6fc4e08d06d05bcd75c1bef89188468ded294f

Download Submit
\Windows\SysWOW64\Cpkbdiqb.exe

Filesize
93KB

MD5
c6465d670fbc0a4e643f32031d72b6bf

SHA1
312ffd3ee3d5ac882ba85077e0672b14d18169a7

SHA256
b2c7187839c00e0b1523c4571d250992e76c2185b78d74d204ec88135fe7d674

SHA512
ef68fc5e2254382c3ff2de34e902d2e44bd53f234985e77c430950594c8dea1c3c1b4a92b2769597262113036bfd024fb850c47c4895760b210d7a5095d5faae

Download Submit
\Windows\SysWOW64\Cpnojioo.exe

Filesize
93KB

MD5
7c206c1b66999df18e3fda52e725ce02

SHA1
8057c6a4a1e5335b82286bb16c7746182a8f38be

SHA256
67eacf2795ae2eb8eec208424056c8b51a5789ac88aa297d5c7b0ea1a949dc5b

SHA512
144c50a193a43404414df3d95e19199fa0e15b65491d71664a19419264db631705e076625bd3f4a3b289a99fcf597ee8765c493d980901be1557257e432a44f2

Download Submit
\Windows\SysWOW64\Dcenlceh.exe

Filesize
93KB

MD5
5ba6a6839214e57d323f945223ef87a1

SHA1
3ab4d07f840c5336f9ce974179499293aaecf2bd

SHA256
a12aa8b850159463b743f1d92e5d139f36486f47670bee2d8e26967bfc083941

SHA512
2c2f54183dd90a5378d6d21f31a83ca301059ef3e29746a7e641c28bf6f94fd065472be9a2f168ffdcb17d7e03c8b38e8c2d81f22b2753f98aa02d65bb11f546

Download Submit
\Windows\SysWOW64\Dfoqmo32.exe

Filesize
93KB

MD5
88e9a428ba0660a9870d490897dc7f24

SHA1
37020189f044615b82f49946220ae83479b74e4a

SHA256
e49ecddb27843aeb360cde82c85f41dd4954391700380da414fd990aaa8eb124

SHA512
2936dd001de6b2da51833fd6d8fa9d638ce0790d808de258e43f0b978e66663190490a963b5c2f7894c38b10c5e6a1c7c0f91ae2041807e8aea4fb925fad9d7b

Download Submit
\Windows\SysWOW64\Dlkepi32.exe

Filesize
93KB

MD5
fe9b2d6b49306175b10d6af646e4b20b

SHA1
27c5eb47d8c6fca094884d47a23fccea4a8189c2

SHA256
a04a01f8c40728193320994e63736b32e3c08c0debde45b59b70d05bf98b8cc1

SHA512
f30d1077f9de04441915d91366e02d2e89e8ba3f116c3ee37a27ecd6c0fe78a18c8f377843cf76c56df21f66f384360efd165aed75aaa9d4373d48930da75ed7

Download Submit
\Windows\SysWOW64\Dndlim32.exe

Filesize
93KB

MD5
16772ebbb32c2d5e040182c38534ad2a

SHA1
5947b82d1ba5fca3a1f42110a48d7693ad3e761c

SHA256
2be8ff81b1b7238eb17c5bcc5f40fd019bb42ea1e6c4cd852f6c49bc46f251fe

SHA512
b7f41f59aaa22a14b03f242a2dff1edc3e61620eb662c51ceabbc6d6e277f454dc90c2ff740e18c55f56b1410b2038064483aba39edd7571d2777870833119fb

Download Submit
memory/484-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/484-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/484-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/584-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/584-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/584-371-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/768-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-184-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/836-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-288-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/836-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-96-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1064-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-222-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1268-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1744-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-118-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1912-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-346-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2080-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-340-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2104-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-310-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2148-305-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2148-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-348-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2272-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-352-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2272-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-299-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2528-298-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2636-316-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2636-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-320-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2644-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-330-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2644-329-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2664-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-77-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2704-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-55-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2812-375-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2812-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2812-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-365-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2848-40-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2848-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-35-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2868-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-132-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2984-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-26-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/3028-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads