berbew | 6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8

Analysis

max time kernel
95s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe
Size

208KB
MD5

2c3381844bcd51a0a1b8ecdec15c64ad
SHA1

c672aa9f55c843225b3ca13a807c9400ba263c2a
SHA256

6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8
SHA512

9a6fb73327ce3c9401ed4b10b1480654f93b3ca201d12da5406ba381039510d4fa812156776eed91a154c210a914f45850cb1719b87477976231f347d071cff1
SSDEEP

3072:STSMh9LOh4hVKiNYsv26+oXO56hKpi9poF5aY6+oocpGHHQnNJuIb:SmMhY8VK+H+Eu6QnFw5+0pU8b

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 46 IoCs

pid	Process
3640	Cmgjgcgo.exe
3184	Cenahpha.exe
64	Chmndlge.exe
3412	Cfpnph32.exe
4612	Cmiflbel.exe
2592	Ceqnmpfo.exe
1316	Chokikeb.exe
5000	Cjmgfgdf.exe
5036	Cnicfe32.exe
944	Cagobalc.exe
5008	Ceckcp32.exe
2452	Cdfkolkf.exe
3508	Cfdhkhjj.exe
4800	Cnkplejl.exe
5092	Cmnpgb32.exe
3748	Cajlhqjp.exe
4336	Cdhhdlid.exe
4048	Chcddk32.exe
1496	Cjbpaf32.exe
1224	Cnnlaehj.exe
4148	Calhnpgn.exe
4732	Ddjejl32.exe
460	Dfiafg32.exe
4208	Dopigd32.exe
972	Dmcibama.exe
3148	Dejacond.exe
3348	Ddmaok32.exe
2284	Dhhnpjmh.exe
3264	Djgjlelk.exe
4824	Dobfld32.exe
4580	Daqbip32.exe
4996	Ddonekbl.exe
1660	Dhkjej32.exe
4340	Dkifae32.exe
4384	Dmgbnq32.exe
4328	Daconoae.exe
2884	Ddakjkqi.exe
4452	Dhmgki32.exe
4232	Dkkcge32.exe
5116	Dogogcpo.exe
1348	Daekdooc.exe
1836	Deagdn32.exe
1020	Dddhpjof.exe
4772	Dgbdlf32.exe
4656	Doilmc32.exe
2236	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe

Program crash 1 IoCs

pid	pid_target	Process
2900	2236	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3640	1312	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe	85
PID 1312 wrote to memory of 3640	1312	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe	85
PID 1312 wrote to memory of 3640	1312	6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe	85
PID 3640 wrote to memory of 3184	3640	Cmgjgcgo.exe	86
PID 3640 wrote to memory of 3184	3640	Cmgjgcgo.exe	86
PID 3640 wrote to memory of 3184	3640	Cmgjgcgo.exe	86
PID 3184 wrote to memory of 64	3184	Cenahpha.exe	87
PID 3184 wrote to memory of 64	3184	Cenahpha.exe	87
PID 3184 wrote to memory of 64	3184	Cenahpha.exe	87
PID 64 wrote to memory of 3412	64	Chmndlge.exe	88
PID 64 wrote to memory of 3412	64	Chmndlge.exe	88
PID 64 wrote to memory of 3412	64	Chmndlge.exe	88
PID 3412 wrote to memory of 4612	3412	Cfpnph32.exe	89
PID 3412 wrote to memory of 4612	3412	Cfpnph32.exe	89
PID 3412 wrote to memory of 4612	3412	Cfpnph32.exe	89
PID 4612 wrote to memory of 2592	4612	Cmiflbel.exe	90
PID 4612 wrote to memory of 2592	4612	Cmiflbel.exe	90
PID 4612 wrote to memory of 2592	4612	Cmiflbel.exe	90
PID 2592 wrote to memory of 1316	2592	Ceqnmpfo.exe	91
PID 2592 wrote to memory of 1316	2592	Ceqnmpfo.exe	91
PID 2592 wrote to memory of 1316	2592	Ceqnmpfo.exe	91
PID 1316 wrote to memory of 5000	1316	Chokikeb.exe	92
PID 1316 wrote to memory of 5000	1316	Chokikeb.exe	92
PID 1316 wrote to memory of 5000	1316	Chokikeb.exe	92
PID 5000 wrote to memory of 5036	5000	Cjmgfgdf.exe	93
PID 5000 wrote to memory of 5036	5000	Cjmgfgdf.exe	93
PID 5000 wrote to memory of 5036	5000	Cjmgfgdf.exe	93
PID 5036 wrote to memory of 944	5036	Cnicfe32.exe	94
PID 5036 wrote to memory of 944	5036	Cnicfe32.exe	94
PID 5036 wrote to memory of 944	5036	Cnicfe32.exe	94
PID 944 wrote to memory of 5008	944	Cagobalc.exe	95
PID 944 wrote to memory of 5008	944	Cagobalc.exe	95
PID 944 wrote to memory of 5008	944	Cagobalc.exe	95
PID 5008 wrote to memory of 2452	5008	Ceckcp32.exe	96
PID 5008 wrote to memory of 2452	5008	Ceckcp32.exe	96
PID 5008 wrote to memory of 2452	5008	Ceckcp32.exe	96
PID 2452 wrote to memory of 3508	2452	Cdfkolkf.exe	97
PID 2452 wrote to memory of 3508	2452	Cdfkolkf.exe	97
PID 2452 wrote to memory of 3508	2452	Cdfkolkf.exe	97
PID 3508 wrote to memory of 4800	3508	Cfdhkhjj.exe	98
PID 3508 wrote to memory of 4800	3508	Cfdhkhjj.exe	98
PID 3508 wrote to memory of 4800	3508	Cfdhkhjj.exe	98
PID 4800 wrote to memory of 5092	4800	Cnkplejl.exe	99
PID 4800 wrote to memory of 5092	4800	Cnkplejl.exe	99
PID 4800 wrote to memory of 5092	4800	Cnkplejl.exe	99
PID 5092 wrote to memory of 3748	5092	Cmnpgb32.exe	100
PID 5092 wrote to memory of 3748	5092	Cmnpgb32.exe	100
PID 5092 wrote to memory of 3748	5092	Cmnpgb32.exe	100
PID 3748 wrote to memory of 4336	3748	Cajlhqjp.exe	101
PID 3748 wrote to memory of 4336	3748	Cajlhqjp.exe	101
PID 3748 wrote to memory of 4336	3748	Cajlhqjp.exe	101
PID 4336 wrote to memory of 4048	4336	Cdhhdlid.exe	102
PID 4336 wrote to memory of 4048	4336	Cdhhdlid.exe	102
PID 4336 wrote to memory of 4048	4336	Cdhhdlid.exe	102
PID 4048 wrote to memory of 1496	4048	Chcddk32.exe	103
PID 4048 wrote to memory of 1496	4048	Chcddk32.exe	103
PID 4048 wrote to memory of 1496	4048	Chcddk32.exe	103
PID 1496 wrote to memory of 1224	1496	Cjbpaf32.exe	104
PID 1496 wrote to memory of 1224	1496	Cjbpaf32.exe	104
PID 1496 wrote to memory of 1224	1496	Cjbpaf32.exe	104
PID 1224 wrote to memory of 4148	1224	Cnnlaehj.exe	105
PID 1224 wrote to memory of 4148	1224	Cnnlaehj.exe	105
PID 1224 wrote to memory of 4148	1224	Cnnlaehj.exe	105
PID 4148 wrote to memory of 4732	4148	Calhnpgn.exe	106

C:\Users\Admin\AppData\Local\Temp\6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe
"C:\Users\Admin\AppData\Local\Temp\6eed81b5eee13f9638996ab9e5d79b8c998c7b542385e500267e27e9837760a8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\Cmgjgcgo.exe
  C:\Windows\system32\Cmgjgcgo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\Cenahpha.exe
    C:\Windows\system32\Cenahpha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\SysWOW64\Chmndlge.exe
      C:\Windows\system32\Chmndlge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:64
    - - C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 408
        48⤵
        Program crash
        
        PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2236 -ip 2236
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbloam32.dll

Filesize
7KB

MD5
9f6fd0d46979ecca5bf4791134d3ae92

SHA1
4f5b0bfcc280d8a6bbcdd7e337e57072f1c27134

SHA256
744ae26d57bcb880111586150dcde2cb3d1501927ab7c68c40403234a594b899

SHA512
4f2435b60042cc88496a4743d7ddbf5d87fe469bb8a442161f446e21bc14688468ac4618c5205884f721f0f8e1091bad80335bec787d40457078bb920b128643

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
208KB

MD5
a98d9cc7f66e8f46ba46cfc4bb812805

SHA1
57fba9211f7ebe9e160538cd76ae713522e6753c

SHA256
41239e8f3da701c10571a7d91c14dfb3a2461451fd58a173a99586bd5b7de8ca

SHA512
fb924da05a0dc1cb74e9b5d65ad73568389bf9a3ba7a7b1837253f480878ea138d719a1fe9bb129910e3cd52f942bcc640f376e001cadbde685c03bb81f8eec8

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
208KB

MD5
283918a9ff3055b26747a7e0ff83e662

SHA1
0a8d2e352079b5ab3fc736aa769ee8c59b7b0f55

SHA256
4dbeb43798f010d34f6eac990ddecc178bdaae78dbd5c812956385ba33d445a1

SHA512
c99c260f64f8f8593793e671060997e7ca1ed9e486bcd2a7e00e05a94d0e4ded662776794be46db105d48cdeca63531591019a41bce2f6ab6b40f870c116cc45

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
208KB

MD5
9a22ff0d8c99f08c23b3e556de29a9ad

SHA1
b092af233269620ffad36e508231cde73b2e7a2d

SHA256
03c72880056c22c59dec3948805bc20d217b10672544aa77986b20ed83f1ff02

SHA512
8cf8b5ab5d70fe7d6faaacd2aeb3173179c28592ca242bdf94718249f18e56254b703802eea76c853cef72762730dde31d3801feb1c232d4e4e60118497fa740

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
208KB

MD5
6f9a394b63158305ef61988a15fd9fd8

SHA1
4206fae00b051d35b9a7c6bbf530c8407f25ef7e

SHA256
eb37ccf106bbdb5975839ddd5f6faacd75285fd386b0b10f251ca1d91773ef09

SHA512
0e9f3bf19b42afd3415e86871b93ae03a0e8cc131d452e15396ea34ebe0a6f82c8966b1a1a3670594f5cd6b6892e5292cbb98c6f830590be12a8acc48b72f92e

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
208KB

MD5
9035b037c0f6229d81c3dd014ea791ee

SHA1
8a51352bf8293eca6857e43bb0f77780f2be5d0e

SHA256
877d842408dbfc03da0c0c16eb21c2a4b4561ed1dbafe28955212751641f012c

SHA512
4c74cc0f3b07784ebdab00a8efd030d305ff6e335b249d79f30add9b742ba28fadcd95528fa285979ddb354eb5a2ee93bbeb0781e854fe4951904dbe3c75d44f

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
208KB

MD5
5262ef36072ce9375454b65bc17a19ac

SHA1
c8430164acb3a9a1230387d91b82eb4fc001a217

SHA256
f164e5adfe4be45f63a29b05cd50738403edf76178c2417bad851d8518c9ae83

SHA512
33792a14b3b26c815160fb377eb4767328d53e9b16e066855ad8cdbd817744c70027c01a0845955696d53c81f6a1466205266648483c765c9aaed93e8c0674bc

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
208KB

MD5
6dfbdd0376afb3ec06e494156d46d6ae

SHA1
570eb253fb48b2529c642757d48b3eb1b6939f95

SHA256
8b72e2546dc6e48dd273f25c997e239fc8a1a5a40a6c9de4a89aab0fdd0b2099

SHA512
2743c298b6a345b9b78ad332be24302a1dddfb779e90859d219c259ba83372aa06d46dc964872fd97f285d17815394e7761622c0bf34662098794bbdaa527531

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
208KB

MD5
c06cfc68b1744aeb79b4e5687eb6469f

SHA1
b30b4c3639bccc64ebb79191f38454428c3f3c21

SHA256
e1ac281f7ee4f2818e78b502eb6e37f90cbb9b9a3e620901dd249dd4611094a4

SHA512
3b6d9062f7af1fa6f78ab40f40a77e9e13adc95da448aadb3b93797986cd78acb8c7adb8d1ceb2f785ab87f01f23b90d01e16b00ee5bc807d4639de9df99c698

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
208KB

MD5
0354e3923772f3fe61969517b7b47c4d

SHA1
9eaf5225e88e27f6e28d99807c14f2bd79b88975

SHA256
dea8b090f4eb50488c6cfe438e9a4fbd8299ac1bb3ef279a041724da969a68dd

SHA512
6a36e03a67b6c2ed1216af0e6aeea52231ee7678c8b7e559f5ffe5aeb26e35803005b2c2c926f5d5c1b647165258512c65e5eed645ad036272393bf106c019e4

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
208KB

MD5
267cc1bab36ca35011858432ea32b329

SHA1
8d093716bd77e7ec34feb5e4414f2378537e1220

SHA256
73874aa7ac5cd2838ba5c30ec8128bf6c98d61c38d16bdba725b0e49c3d2eb81

SHA512
7f7f7d4674e73ad68fb9df4ddd648d1556d48db7e76704be64078451f1ab4f2d8e2d66b0546a94a659ad93639ecaee8c652aca4c19091075fd222b9ca275ccf9

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
208KB

MD5
0b233d0cb1e1274c58a6afb0e2b6fb7e

SHA1
04f2ea69253be03e36b6b957c2e1ed37ecd6d529

SHA256
51a3928edc3f609e5c8e0bf9a4c44d53af2c4aceac3f24a59904a1876d99da46

SHA512
e0bc651511125f6509b0b0372d259f56e8f4e017bc79c9c4dbe3ecfe4ec21a8efd83b243514190acb9e0fc316bc02fcb9bad3d3ffbb6e1c1b53491516e3a18fd

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
208KB

MD5
1dee5e3cbf385ae0501b64183f717db4

SHA1
da0b5088600b871ba3d7853925864f4fae6088d9

SHA256
0d11e84e38948b5ecd0c846ac1bfe854c71400c53fc54b80ce76327425f96382

SHA512
7ab7b5a601c4f694706cf9514d8fa7d34d5f9d75e2eefc8a854dd9f9d24635774a7351ed1617bb9bd587649f9f577b5d6317d3f4f663867247751cf297dcc208

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
208KB

MD5
55b47b83d767b56f2bb1a6072751525a

SHA1
97cb4b4986f1e8c0aed1784d9021844e203faa47

SHA256
b3a6e855894dffad94e102064572dd842bd02cc8e395e8aa5276efa93ee941f6

SHA512
0c225b660935e914ef1b0b23c1cc1036b7b2a6f99a7a34f48529f97d4081eee12da58f9902fffa8211ad07245da64835ec54b0208b6f81a9a6f122fcd16c08ec

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
208KB

MD5
f785f3cfdf359d5d656b8086c47efa57

SHA1
bc537719f177a5c7d7e2d5339695721fb958869a

SHA256
f67d163b9300d20f21f889cbbaa05846e08f78859ea9d5b9467433b1f4ce2b6a

SHA512
8e7a745ae75c3d3653c0ba37b4b9dd15a36399c021ce6c0ef778171f7aff22cfa8de5bfa9b316e67b8e63872dbe3d2fd782defab61f51d0172e5208e98034d6b

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
208KB

MD5
4382213277c2e34f0073e084e1e65742

SHA1
d2168dc0cfa21982c7ea7db0f491bb82ede320e1

SHA256
6273e7a410a3d6480cdb7891b36e6ba10bb130a2057159925e13e9c097b5534c

SHA512
6e873c57cfcf05e08949a56ec9641507a9a7cf470104d4ac2d03aadbef8656e54944d73fcd823c7fcb2fa8ce8f606262cff384cac1909c550135e0beda010318

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
208KB

MD5
be403ad1857e237aef5fe2036e93eeea

SHA1
f785e5ce57b0b9f7a3513e48f9d1e6b892de3413

SHA256
61b5fd784bdea9a3d7aa023368f79583d21256869ce281f258bda88c7ee964b8

SHA512
93ba4bfeeac6d2c2599d8cbc51574f050a9067c401701a7e67c7a1b67cba605b08b2b13e7011e2817e331dd3813c863f92ae120f63748c979ec492c56614fb03

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
208KB

MD5
9f043083c2ddcb04a775a6220e338645

SHA1
e0ac017b2a08192af1d89f8683f89ac1ed5a5536

SHA256
76a268cce63a8a40d92b5fe5c9fde87503681a743c45f61e31eaf78dfc67cf79

SHA512
3078544d6db44596f8bbf9805d7d8118b45cedb1a13fdaefb5c1ced0a155b905b4cbd7d75ebad68ac71d63e4b5c9b3a7e9eec83d19e82c9292a3e6282cb69ecd

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
208KB

MD5
0522e5c990dabd9de318d3abd278fa6a

SHA1
7881a1a10fb57e57b88402ed223283472bc3ed16

SHA256
3ce1c4302f1b46ce583a247cdf84de114fad5e065a4caffd4ffe2faadf6d7ca7

SHA512
2e1ff74649d1e2e831373c7e2db3cf74189b43b130b827bbd4d7a9df4603a9a29e3d10024b3f2d784706e04e1f00873b5c0d2b3ada276d765498bbafa130c50a

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
208KB

MD5
33d9a86cda1904e20b737d96ed30d214

SHA1
d6ef00033ea1b8e6142d1a3eaa818ddfb3b77f9b

SHA256
8c4d6c27d2a3d44d127a0838941627015479bd2d1bc53e75a76e84b686a1eb4f

SHA512
23d55eee95b2310dab60ab2270cb66a8e7ac0a00a5b251df699d33f1fdf66c4b36ab510021ae449b0e72f228a071b548ff1547bb81f98a33e31ba67faaf27bc3

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
208KB

MD5
17a9ae2f8a8c4a26ba45afeac2300f2b

SHA1
1e9f9dffcc4b1f561ae8bb8799ae152e73ad260f

SHA256
b618517486fc00d69921bed3dae6de79f4b55aede0d835d7041f0bac29075e97

SHA512
a829e92f0e10d7f4d1306b4e9abfc561538266addda7e8c1a03ffbf541c6dcde02b1a2a863a2c180173d066fd02f99a39e7b9432de27c44e67703fb738c46b43

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
208KB

MD5
7d1c738f2c1cff7f0b1fc842af9929c2

SHA1
67889e9a40f477736421442cf9a4d4655e51c339

SHA256
3833fb3a1f67fba3a56169817030340ff688bcbf141e7364815dd56363d1f621

SHA512
ac684e4dd46bd4b32aa61f3411732069c272eb324cadd53ae457a8ef1bccf2890890c06f5fcbaeecbee55af1e64035d67a7928fccd372902f29814d1da3f210c

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
208KB

MD5
5d559267c5c329e570176739fbd1cc53

SHA1
6bde11f0c43213f474a6ef61c7c1aa9903ac9aed

SHA256
7d6d19235a8a3af44fcc95ca9b7d5a5741a936870431f669030fc72b7448a0b1

SHA512
1c5eebec7c06331046178fff71db3ae3b6f12c8166bef98370ec2fc71ea4d73f79256770dd1f6c8ea0451d8355b6f5c562eb8923de0faefe50f55f3f2e459ea6

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
208KB

MD5
8b41769fc0cba06087c199e3091ee614

SHA1
219c6724b80e6100d77e39e5dc4c5ca8d8c21252

SHA256
518c4b1e3afdde23205a8b3234bea33491f480089cf65a75d0a881673ad605ce

SHA512
bb6441557c7cdc8daccb8da43627439cf67a30abbee21f6fdcd6338286b5485774340534a21a3abb1320db7d586e66194fdbed5717be7e36803c27f29f2cda5f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
208KB

MD5
55f9ad1a3bf1c0b8919597cf8bea5498

SHA1
5d5cdd07aad190275fe135c3b4d91b05b128ac9f

SHA256
5f8833478dc3b20f54e9aa56b1a915b7e9e6fbdfd83785a3a9c9f9c46d2d7116

SHA512
2fe8775203379e375a2cb61c83f7e0e65f3f5ff46b4845afb79a3a14fcb92ac1027f87e775f17ff806aad72fcf45cb5bb2a2134d385206229c267ee108fc0b94

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
208KB

MD5
be6ff31e7a5901c945bfdeb2602745b4

SHA1
3276366710c3dcf70071f17201943b45a0dd997b

SHA256
c4e631b17012c8334bd8a8c8e9a7a726c2a9a32c249b1c975e6bd91e47632d1f

SHA512
71551a2977fc39456b569e8732ee8b3f50196f5b7995704a6278cb1c93ec30356141ff651e21fd03628063d109352777d41ecd0b4f294399a0dbd00e15d1e97c

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
208KB

MD5
4f29195c61f1efa1037d2e02f2c0ab4b

SHA1
562e281899f86a73f18b4c35f03cc2e3ef7aef2a

SHA256
3396fa297a5793ee6a61baa2c56c209487c853f49200364c1236732184a55b95

SHA512
2166047cbc83ddeb869ba3487fa71c60fa2eff4bddcf0cb74d4559df01dcb0d07efc87148c89f32d78e7beac938899672c383291c34fe8fbd0b2429eb746fd75

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
208KB

MD5
7b72aab00568b6b635a32bfec9ba4389

SHA1
6ace628359aaf4d80442736b1f930523872bdb21

SHA256
3638d20e3b968b2c86f129ac8567266d787991846ac8be4425326f218286c279

SHA512
beae80556c59f8d4569bcab802b5e53cf4fc901e2c86afbc09e9d2baf4a4b004557ce4ca264b900352fa282370259a08828b423885c7e904ad82d866e741cd2d

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
208KB

MD5
4f8c41f0f6e9aa1a1ad6acedc9ed1a56

SHA1
ddc5c33002662214b77317628cbcf2220dfa825a

SHA256
e2148ea1f5d300c7d0ca9e8d8305167940caa0251e43c70b55dd41faa7d47725

SHA512
6b45ff544018a616e6ee7e3f57ac0e536a140be6e374fc10a6a9902a728ea59987e1cc73d84e23c9a11d33771b7c403ac39d4c5083d220d26891626cefb7771d

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
208KB

MD5
afac63867ce5c6910f1e733c3f2f0e77

SHA1
4b14f7af0f5bcd05cf127145ef3fb176885f88b6

SHA256
04d0c96f4ad3eeb31cbb8ee4865ebc14bb15b777af17cfef42ccf1bbf4214e47

SHA512
ded3ac9378a49070178817741b31238e6169bd86144013b4a5f6cb693fa2005b501493fcd58150e0e81dc3a3e8003b78a507c264ca677f34c03d227535dfb3ce

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
208KB

MD5
12b71e79059006c1ce7d4b350c405d4c

SHA1
fcf07aed0a636f15947076ee6691628b1966593e

SHA256
f5f6644c5384359f151e576ca0f74f67acfe8175b45875f068db533829c555ce

SHA512
08ced565ccf30f453e44b9050d6f15ab76e5bdf18ea193c462cdad8f53d304676f0a9c0114ecb12dbd9a06e1e46ba000b003c7e765c18e0e74ad40c16a91fe98

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
208KB

MD5
3c0ad7f75cb57e7ec6714af7018a3e3e

SHA1
c01df86fecaeac04cb81ce1ac92a1a559be87d0b

SHA256
7dbc4066733e24d26b7133cfd5cf2b6c300d1a75e653fe3357e57a7a04a479fe

SHA512
53d0f4f2bca24d893fa97ce06abef50abedc4bfacea97ce7f544a000f5b780e23b2df950da1a284e47a347709fd7e4aca0c3ff45a2fba758dd1f3b05c53cce6a

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
208KB

MD5
c8c9f17891de5c7280e0580e25fc91dd

SHA1
a249d47daa1c70578c4d68eb249bc6de3a146f1f

SHA256
3ce70ae8d4f4a29184a45ab6ae07dc3c56846bc56c5ee6113291353410c54db9

SHA512
ecfdf9c095f7775bde2f5add82bf6526eef8e293747223afd84530631108d397da36525b804a704c1a98c6bbd1412a33ca88cd8338a3ec5baaca8f4e6e4a8262

Download Submit
memory/64-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/64-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/460-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/944-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/972-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1020-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1224-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-51-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3184-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3348-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3412-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3640-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3640-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3748-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4208-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4232-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4580-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4656-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4772-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4824-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4996-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5116-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads