berbew | 03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Size

64KB
MD5

5920048b15945f9bc57240119df9ba80
SHA1

f0b382ab0b2c34dcd4ca98d0fa7500dd6c5cc7c3
SHA256

03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2
SHA512

f9301684eb569c42de48f327c386394c940f351e0a68ed09ee0228a65182e57ba8ac3d134d01a4a4a8af9c46958c03a87bf78253368fc1fbbb722bef56a4df33
SSDEEP

1536:6s2+p1V9byKXmEE7wwt4vbP2L25XdZgQe:6s2mv9m/0w6ICXds

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 33 IoCs

pid	Process
2320	Chokikeb.exe
4088	Cjmgfgdf.exe
1136	Cmlcbbcj.exe
3032	Ceckcp32.exe
864	Cdfkolkf.exe
3516	Cfdhkhjj.exe
3028	Cnkplejl.exe
2596	Cmnpgb32.exe
4284	Cajlhqjp.exe
4296	Chcddk32.exe
1568	Cjbpaf32.exe
3924	Cmqmma32.exe
3488	Calhnpgn.exe
1608	Dhfajjoj.exe
3544	Djdmffnn.exe
3540	Dopigd32.exe
3196	Danecp32.exe
1304	Ddmaok32.exe
920	Dhhnpjmh.exe
4836	Dobfld32.exe
392	Daqbip32.exe
4848	Ddonekbl.exe
3816	Dhkjej32.exe
4372	Dkifae32.exe
5080	Dmgbnq32.exe
4776	Ddakjkqi.exe
4584	Dfpgffpm.exe
1260	Dkkcge32.exe
4276	Dmjocp32.exe
1164	Deagdn32.exe
4112	Dgbdlf32.exe
3716	Dknpmdfc.exe
4732	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3916	4732	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 2320	4352	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe	83
PID 4352 wrote to memory of 2320	4352	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe	83
PID 4352 wrote to memory of 2320	4352	03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe	83
PID 2320 wrote to memory of 4088	2320	Chokikeb.exe	84
PID 2320 wrote to memory of 4088	2320	Chokikeb.exe	84
PID 2320 wrote to memory of 4088	2320	Chokikeb.exe	84
PID 4088 wrote to memory of 1136	4088	Cjmgfgdf.exe	85
PID 4088 wrote to memory of 1136	4088	Cjmgfgdf.exe	85
PID 4088 wrote to memory of 1136	4088	Cjmgfgdf.exe	85
PID 1136 wrote to memory of 3032	1136	Cmlcbbcj.exe	86
PID 1136 wrote to memory of 3032	1136	Cmlcbbcj.exe	86
PID 1136 wrote to memory of 3032	1136	Cmlcbbcj.exe	86
PID 3032 wrote to memory of 864	3032	Ceckcp32.exe	87
PID 3032 wrote to memory of 864	3032	Ceckcp32.exe	87
PID 3032 wrote to memory of 864	3032	Ceckcp32.exe	87
PID 864 wrote to memory of 3516	864	Cdfkolkf.exe	89
PID 864 wrote to memory of 3516	864	Cdfkolkf.exe	89
PID 864 wrote to memory of 3516	864	Cdfkolkf.exe	89
PID 3516 wrote to memory of 3028	3516	Cfdhkhjj.exe	90
PID 3516 wrote to memory of 3028	3516	Cfdhkhjj.exe	90
PID 3516 wrote to memory of 3028	3516	Cfdhkhjj.exe	90
PID 3028 wrote to memory of 2596	3028	Cnkplejl.exe	92
PID 3028 wrote to memory of 2596	3028	Cnkplejl.exe	92
PID 3028 wrote to memory of 2596	3028	Cnkplejl.exe	92
PID 2596 wrote to memory of 4284	2596	Cmnpgb32.exe	93
PID 2596 wrote to memory of 4284	2596	Cmnpgb32.exe	93
PID 2596 wrote to memory of 4284	2596	Cmnpgb32.exe	93
PID 4284 wrote to memory of 4296	4284	Cajlhqjp.exe	94
PID 4284 wrote to memory of 4296	4284	Cajlhqjp.exe	94
PID 4284 wrote to memory of 4296	4284	Cajlhqjp.exe	94
PID 4296 wrote to memory of 1568	4296	Chcddk32.exe	95
PID 4296 wrote to memory of 1568	4296	Chcddk32.exe	95
PID 4296 wrote to memory of 1568	4296	Chcddk32.exe	95
PID 1568 wrote to memory of 3924	1568	Cjbpaf32.exe	96
PID 1568 wrote to memory of 3924	1568	Cjbpaf32.exe	96
PID 1568 wrote to memory of 3924	1568	Cjbpaf32.exe	96
PID 3924 wrote to memory of 3488	3924	Cmqmma32.exe	98
PID 3924 wrote to memory of 3488	3924	Cmqmma32.exe	98
PID 3924 wrote to memory of 3488	3924	Cmqmma32.exe	98
PID 3488 wrote to memory of 1608	3488	Calhnpgn.exe	99
PID 3488 wrote to memory of 1608	3488	Calhnpgn.exe	99
PID 3488 wrote to memory of 1608	3488	Calhnpgn.exe	99
PID 1608 wrote to memory of 3544	1608	Dhfajjoj.exe	100
PID 1608 wrote to memory of 3544	1608	Dhfajjoj.exe	100
PID 1608 wrote to memory of 3544	1608	Dhfajjoj.exe	100
PID 3544 wrote to memory of 3540	3544	Djdmffnn.exe	101
PID 3544 wrote to memory of 3540	3544	Djdmffnn.exe	101
PID 3544 wrote to memory of 3540	3544	Djdmffnn.exe	101
PID 3540 wrote to memory of 3196	3540	Dopigd32.exe	102
PID 3540 wrote to memory of 3196	3540	Dopigd32.exe	102
PID 3540 wrote to memory of 3196	3540	Dopigd32.exe	102
PID 3196 wrote to memory of 1304	3196	Danecp32.exe	103
PID 3196 wrote to memory of 1304	3196	Danecp32.exe	103
PID 3196 wrote to memory of 1304	3196	Danecp32.exe	103
PID 1304 wrote to memory of 920	1304	Ddmaok32.exe	104
PID 1304 wrote to memory of 920	1304	Ddmaok32.exe	104
PID 1304 wrote to memory of 920	1304	Ddmaok32.exe	104
PID 920 wrote to memory of 4836	920	Dhhnpjmh.exe	105
PID 920 wrote to memory of 4836	920	Dhhnpjmh.exe	105
PID 920 wrote to memory of 4836	920	Dhhnpjmh.exe	105
PID 4836 wrote to memory of 392	4836	Dobfld32.exe	106
PID 4836 wrote to memory of 392	4836	Dobfld32.exe	106
PID 4836 wrote to memory of 392	4836	Dobfld32.exe	106
PID 392 wrote to memory of 4848	392	Daqbip32.exe	107

C:\Users\Admin\AppData\Local\Temp\03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe
"C:\Users\Admin\AppData\Local\Temp\03207df6b33f5a05074237c25d2050aae9caadd411afc928a9585f3b52e78aa2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\SysWOW64\Chokikeb.exe
  C:\Windows\system32\Chokikeb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\Cjmgfgdf.exe
    C:\Windows\system32\Cjmgfgdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\SysWOW64\Cmlcbbcj.exe
      C:\Windows\system32\Cmlcbbcj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 220
        35⤵
        Program crash
        
        PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4732 -ip 4732
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
679c8f75e055e7e779a8f39062a1bc69

SHA1
c1b5ba2fb64d7beb302db36747e4bcebdc028c85

SHA256
8f410434b6e6184eafadd49cbf71e680d8cf750563e2b8a7a02104662302a704

SHA512
86c2486a90c0d2b82afe6da38fa35a5797861aff088dd52b9dc3158e14b2fed2fd47f04426fba40e296c9367cfb9c3a2bac5fdd68d4c8776af3bea5936f9d5be

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
023286a25cf86f9883071061a7d2ee02

SHA1
6a86f0b82b14f5c4d16e7009e2815a05ecf4ec8a

SHA256
88849fe32415fa6c16b757fd4cc5d5a50b50c2b78e1a2460fdfce20197bc8abc

SHA512
cd16d589a99d2392f7f554d7567453373e72a41b6397fb9932a0c2b49b687fca8d375b9a75d3f94c1b4448b458dd54e97c1563e9e07a4f38f8ee3da3c7a0bbf7

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
97e742f33c946adf220860f9478644b0

SHA1
23d136424e419ab903f8c9eb650e8d5e0c9d9fc4

SHA256
13833fbc473488377621ae8400abc2f4f3bd8b34d7bf371dc0f41143e5a6006b

SHA512
de203dedb7a8305edc12a1c7aba44b6eed4f19672134c18439e6e3413405b1ed3669a5d6898c68f78fe26bb5bc34bc4778fe858419479e8cb3187bcdbd4a8544

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
64KB

MD5
6e0f0f96f2d2b09b2101730486fcac24

SHA1
55d0fcc3fe6ff6c811f76eff6bebcffe7431de5d

SHA256
038a8d02536f347b0ccc4350dfc29733048c6788a76aca8ca17d2e879ca74379

SHA512
32dfdf4fb52ffa04b3aab1feb3878b5d946d7c91c631d35f58af3ec3cdcb4d3633d50d1cc3f0c64c6f877469437b6e774117c826e6b7ffef460a48fe75f10d0b

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
66b15d52af27f0307ae6e1cf5a4efea2

SHA1
5afe70bf22a91e567a837059389e2ec4b6879bfd

SHA256
c1cf133e7d50721117874fcc88869923899d60fbc2a6f047d811c1f88147c41b

SHA512
4455a2ed67c3ef53f5307d15dc75b486485de5a2e5e9e0fcecc725a674404fc0c16fb1d71e81427080e43d03eb295d5fda1cf608969f3c51b81edc6da82dcc0f

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
edd6c32be5c5c1e481153d560241dd95

SHA1
09e6d5eac27e5c37a4437ad4239efc20ff944eb7

SHA256
ab1f0fe03854f2f8f3e51c0b818293c4d68e843fdc823ca67286a2416ab75112

SHA512
ac2feedb9f0b84d41af0ac98955578a9954c8a0220c96b699cf422c45e0b0a6c3a109b6e54e946c6e3cbe4ed4edb7ec7231bda240164c8489efd0d9d427c5867

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
c1f923593b83167398f1ac4a03abd410

SHA1
239b808e2c3efc11af4fe12111676ec9580c1e4f

SHA256
4a8f9ba53e6eab15ba50b750c401c5e2e2254cc7b710f0ed5db724f91a325de6

SHA512
30b6a67505df4d3d16bf69c66e21c5787ad751a29e6d3fd14004cf45fedc057b4a1f98f11598c4a5ced3dde032510901072fee8485b97e8703c165201ed13df0

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
e56f2fe193cf96e5d809224886b68705

SHA1
a2f5acea957b3986e23a980c95a78d644a9946f9

SHA256
c84c14b6fbf0767c9aef3938e4af3c7813cdddcf53ae2eaec73cdcefa3e6bead

SHA512
37c1b5ac091798721c9da480a50a0efc6cfe1b12ff20f60aedcd41541f4f414a5f6215da8b738395db84fc65647a45a2477caca09d00a1aa94785272e9698d39

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
211ca34eb9e5949b92a3dc374d6f2305

SHA1
f38bcc19d4b655b0aba01b0c1e35975da410f4fc

SHA256
f6404fe1c6fbdfaff734f865c40c0b48bfb4cc3aac2acb6698a40fd77b519ae5

SHA512
3354e6fcc2e7aab4c1f7b695c2f4f1a6b0a209aa2445b9b198877b82ecd1549a09031c0a86452e94626523a759e2da412b542c1e588515db6f484ccc363f1442

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
c5392302713ae853b2ace36eab801798

SHA1
0839b8b5540a6be0ce9fa1a8360a42807b9457c4

SHA256
1fafe82c706ce1bf0c4dc9e0c9a7d724f15d955c4d55970f8857a2356167680e

SHA512
4c89f041027030aaa2532ecdf099893c8633e1b0b900aad32fe040a9e8828f5079e00227fa927f10f4d3bd1e7c817484d7b5a19da3e8a3b23d7436c7cfc0bc38

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
9ac09b4bfad4e2fb1aac537520ae56b8

SHA1
94a75e34e1d93fdc981d55d988e5611ea0b01e08

SHA256
70ab5005689bbe1bcd3f7d643ac013d2abfad69deca0b1279f38096740eb9f49

SHA512
b1036e9567ce9ae25a96bc190f8ce8d0112625c152b69feef5d6c8fe2302c49670ab19e6bfd3395eb0c5745cd2607f7a9790cea4a07eb38618c739e63abceede

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
4bc4d759d1b87c9834158228c61a0ddb

SHA1
f7c779846a897925dcdf46744ae1baa6bea3542d

SHA256
9595f486db6ea0b6ae6bfdf129c7c9b1e948572ffd68a4a7d5d1ee0404bd43e5

SHA512
1ef15d69e21dc195a692593d5361d2e90a1930f33a5e3f2749a95ba7c7701c766071bc7df8a9b5cee6e21a683d45cc521cd5aba67c32fd3f4692f4bf5d15c719

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
56d2d2048e9dad69082a005791b85ec5

SHA1
612ecd6bd4257d7d26b2256f6c6eda769a495db5

SHA256
0eb1a450b5d2b3e9e34f2a69822aa5ee1ac9162b5cf6b28365afc1b21ae4765d

SHA512
ebfb00bb44159d1befe40debf126d1d120abc46fb880f86d222d328021d09d77b5049155080d6bc0856e1d825e333b4db01488a4273b0009acb2808fbe99ccf3

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
7fbc0aec169dfa3ba952f84458ecef09

SHA1
71d3da64b380e16ae277c215981b4c067b73c5b9

SHA256
7d1c0184cfcd158288c8830d485cc2916c5f63b650dbdb0d45a5050e301a59ee

SHA512
bb9157be0dfcd4527c8ea1605d325d86939571ca51927887ffa414965f764b70748b8e61e9ab191e47254bed15f2c9bb78231d47c4305f2656cb067bc6f6e63e

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
121fe7beb8b1f1fd0c58749fd11d6939

SHA1
9bfa9bf950bd20ed1d677ad591910feb86b1e49a

SHA256
eb672c0d8527bad89ada5750c1e7b3e6c3434c3bbe96c545c904b723c13febb5

SHA512
a05fe387ec65016edce63d0da7599778010982e976b64ab5fd7c64a9c4163a9f00562ddbea6778b96b4d2c93a550d78d5fce8c7503753366f442730f768693f3

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
01463de39389f044b8ba73d8d2bdf000

SHA1
334cb34a1b55d897b987835851fec6a663dd30a1

SHA256
de88230f28fa3192eb7493a11dc42d9f6dfc97ce71a377618ead32923abfeb57

SHA512
3ba5bcb227c01b2c9aca5fdacb9ecc3e4760b0f6c9c3befb9afce5e0f932edf1c3d6a1520f9beb0f0446b8e1d5f42abfce0f60c0ea8c8d7fe6d6d6d642897d48

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
52a24d63cc8d5645fde9cbac43d96804

SHA1
4fb5d69cdbb72ff590ac2ddc64caad20b571fb1a

SHA256
e4e8b63829ebcefd0c2ef2e4a2bd2d9e3857ab50b73aeb1ee85228cfc6757dac

SHA512
57435ba323637318abaa6513d41cc8db28f4c94ba11950826b1ec2dea7900769dca48dfe64c5f575528543b2b1ac6507b76560da5b079ca58b26402c3f0e590b

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
f7bffa671803f3644fc7bcb8a23fe345

SHA1
55e3fd189f1d8b5514b2e253b50c2201fab8aeb2

SHA256
e1ed6816ebc8e08a56f9ee3268b41d5c9acf6c35d325e66c385f6b98b585258e

SHA512
acdf448b49446a9f13829e1badeb826af87e3dbf31c84179508e339d8ade602e14d8db0c336d1eea1c800d1b03c9cdba096be0cb9d467ee3da5acf0b952dd95c

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
289b6ae495bf82eac010edc59bc32c7f

SHA1
2bdf431ab4c2e937780b11c21912565f845c5104

SHA256
68e961be3a90864f63eb4baf265544ae7f045d0a577769ffa83a3979133b8ae5

SHA512
416fe5f5652fe01c91b9273831815b4398d4fa6c5d9c288fcd416718edb759bf57e5f675aac3affa53e1109ab430eb51f230b35b057849389127d737a575ba80

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
11628ec1cd193fde9d1c197eeec70a8f

SHA1
dcd8bf6a043e60c30d0dc76d149a7347f31cd79e

SHA256
61414e1b75f7c185ff2932df31bf8d09c922da1f6a290205ea543a72d2163318

SHA512
00e4b9aade63cf1a35d92e44482813377dbfe21dbb223f44890c7f6362435142f8472b738f91b332c2ce3dd0c4ac1155bc543d99d91b20482fb2112e8d07f140

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
c37d53d41335c1d0fada3e18a0b1ae66

SHA1
3c9da77031a8613396c7eff08251f377a4b2a64b

SHA256
e09cdd778f29dde85110c2f9322cfa726429f446756053c2869126e9b000d0a9

SHA512
1b945686ffb25929a2ca689da9cc415663a53aa6994d6b04b40aff0bdb657471d4990ef2c1d8d2b006ae36ffeca20788119f6afc2d4e886d033d6bdbba9bb4dc

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
fd6d69c58fd3445ba32d5dcc4cfbbdae

SHA1
669cc4f9729f329b6379573cb78e91f6117d1b78

SHA256
2e773ee9ec9fbc9b7fffd972921aa6d404d7294860bc3d1603aab02fdd1eb48a

SHA512
1bb9521c829bf4851b4f6baca912ba8373b136d091d75a8a25cb7511cd95ba7cac2c7527c6464c875140d93676aea8fabf95fe2dfffdf890ba87571d13f87cb2

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
ec47bc0d7c986445b4875c85c5d44f1c

SHA1
a14e82f132b390e2d1d989f05423a95dba2bb98b

SHA256
18cfdbbcc6fcd164e3e8f9e144a49de28a1d4db535bde8f0850bfe29dcd28287

SHA512
26c183a719fc5154a80b3d7478a10bb44bfa077373ade4792516d2ee17fecf20e05ca79f9f9d7559e42668f045152bf777bb8eccf0eb32aaa56cc278af887f03

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
3ca9521d3b35d2ade8a17862c09f6151

SHA1
6a529528be3fb027f8f9c71f01dc2516f7dfb074

SHA256
1fd313bc33b943285282c4eb2d3032af222189c84cb4c38ae9842de6a15ddae4

SHA512
6d0418c30a276988fcec1675c26587faae32087f4a4b11759afc373d74e8233e6d609e1491754349956b3d84522729cec1af8f73ad04778609cf17311ae0567f

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
64KB

MD5
ed301989d84db67cc676e25b2c2ef287

SHA1
5df9449e9e1c2a21df63c99bba00931235abf94e

SHA256
9be3898c188c3013212daa42a6de543557b5b82b59924b23d12648a5cc3946eb

SHA512
e4231cb17c97e188115642d30d4f0b07f13b85352aee572f55a76dd1ef1f50a34151f7329faa3ec28d18822a06823f1293323e8a5a66948d275e36a1fa1cc303

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
f207007e18944a1dfafbcb7b6d338992

SHA1
d9e33f1507410a6278c89dfbb5e0618ca4179094

SHA256
d4f09501288917dd4e4cb836f6caa3ae674ed648c36c5467cba82015feecfc98

SHA512
0e4caf62e5c7801ccf61b6bf7764a5eeb77a22c2fbf2812657dacfe5dd10208c38513f7dc3465ae59040c6fc76db635ebff72aefa06464e82d5dd4bf50cecd66

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
73d35aa97401bafc46f33a96e669022d

SHA1
2a4c323b286991afb505ff73ed009fd18fe72195

SHA256
8e2fbb0f2ea6529ca7ac468f889b78c1f6dd21c648795d670bffd267a71df3a0

SHA512
0b3804b91b4234018d845230e27fd0184972a893f8fd45f1132668c19404c6dd1535a61a656e61036fdb2625a3f16918906d684c2d0330236679320a8c66b366

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
64KB

MD5
69eb8516b4afb3110c524c88f43aa77a

SHA1
65dccfbf5911cc0244c32fd30956945eb638c9e3

SHA256
cfdde7d1c55ac80e33bcebc78a20a03a7a0050d6c21f2d2605965f1356f16ec8

SHA512
3cac0001c3e5dc6c7921e1e15cc2e4acae5ab0403c0c4b4c3b4ffae2ac48114ad5add8758857920111d1096f08f9b6d7e6172db2101efe57012529ca70ac2ec5

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
e9372e6209108405e83426ad37cdeaec

SHA1
51fa667b8cfce95a75166c915975945187bad20e

SHA256
559b579b4b0e709bc40eb12f6d3f61b84eedcccf2a77d379603596ca89dc4fc8

SHA512
f98ae516838888e73eca953415a4fd3049256dc50be3e34b061384a54ac1cc5388662d0d33ff5a133869c0f4e7db5672f03f69f89aa0d00d6dec6176090bdd9e

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
64KB

MD5
bb9c59b985925901dd45dbaadbc40ebe

SHA1
f2776bad28bfce7b701b4f82f893d66a127566ed

SHA256
6176eea0a0a5606ec3a08761a72371c478906b9c7c32f64e2b01c61edaa7e250

SHA512
cf57b981a872af5a90318acb055efc74cfa6b110c8f23126f3ab34738c7954c5c99ad982e51c2679c7c2ccd8c7659cd775048249afc0f0a47b5db4b0330f9ff9

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
c42e342ecca92181cf4067dfe7d05f3b

SHA1
b226d02b6119348095e368d3ae1c4c041c3c7e4c

SHA256
3770d85e9196a4859207746d61c66a270442453373725194ec24ccef39b86028

SHA512
9efac36f61bc20d472f2f64ca0573c5b242a680372af8c11bd0bd3a20b12bd219e076f0122522a2144b3a833047461090ac9e6b52aebd84a6ff111e1ee353f77

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
95661f398371914c4d2b133d772aec95

SHA1
38f30606590d2f4282ab5e8d4407964de90a6289

SHA256
038c7681ffe6de0034c9c156297ee620716faa6c473f745b85feccae371b1bf5

SHA512
77a34f6a928e19a6b5e5bd0c88a57b6ec99aad0df6af229f99e78f35ecd2407a2c6d6fa5352257d6b35b770fece3c6b55c2e26da1e4a77d98bde3bc91396726a

Download Submit
memory/392-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/864-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/864-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1136-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1136-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1260-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1260-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-283-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3196-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3196-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3716-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3716-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3924-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3924-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4112-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4112-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4276-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4276-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4296-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4296-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4352-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4776-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4776-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads