berbew | d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19

Analysis

max time kernel
142s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
Size

96KB
MD5

45c400a3eb57a4d1cf4690d368b485f7
SHA1

66f3df1dd7501532e81422bec92942ebf12330e5
SHA256

d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19
SHA512

462382fe018b3aba8d53665fe72879f438a8016fb1c1c3726a82b4113b1c4decf2047ab9c34002475cb3d748c183f314c6576f4620a05721108aa158ad4a1d3d
SSDEEP

1536:DHGfYDgMMLIetnH3WGcIrmfDdwLL1F+2Lh17RZObZUUWaegPYA:jGAkM3etnX/9+sBlPClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
4076	Bcoenmao.exe
3308	Cfmajipb.exe
1904	Cmgjgcgo.exe
3824	Cdabcm32.exe
1028	Cnffqf32.exe
2500	Caebma32.exe
1412	Chokikeb.exe
2568	Cjmgfgdf.exe
4464	Cmlcbbcj.exe
4036	Cdfkolkf.exe
1976	Cjpckf32.exe
2320	Cnkplejl.exe
4400	Ceehho32.exe
2004	Chcddk32.exe
3164	Cjbpaf32.exe
2988	Cmqmma32.exe
1088	Dhfajjoj.exe
2964	Dmcibama.exe
4576	Dejacond.exe
1580	Dfknkg32.exe
2656	Dmefhako.exe
3960	Daqbip32.exe
3588	Dhkjej32.exe
2720	Dodbbdbb.exe
4912	Daconoae.exe
4300	Ddakjkqi.exe
3520	Dfpgffpm.exe
2284	Dmjocp32.exe
1380	Dddhpjof.exe
2616	Dgbdlf32.exe
2952	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3216	2952	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 4076	3808	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe	84
PID 3808 wrote to memory of 4076	3808	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe	84
PID 3808 wrote to memory of 4076	3808	d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe	84
PID 4076 wrote to memory of 3308	4076	Bcoenmao.exe	85
PID 4076 wrote to memory of 3308	4076	Bcoenmao.exe	85
PID 4076 wrote to memory of 3308	4076	Bcoenmao.exe	85
PID 3308 wrote to memory of 1904	3308	Cfmajipb.exe	86
PID 3308 wrote to memory of 1904	3308	Cfmajipb.exe	86
PID 3308 wrote to memory of 1904	3308	Cfmajipb.exe	86
PID 1904 wrote to memory of 3824	1904	Cmgjgcgo.exe	87
PID 1904 wrote to memory of 3824	1904	Cmgjgcgo.exe	87
PID 1904 wrote to memory of 3824	1904	Cmgjgcgo.exe	87
PID 3824 wrote to memory of 1028	3824	Cdabcm32.exe	88
PID 3824 wrote to memory of 1028	3824	Cdabcm32.exe	88
PID 3824 wrote to memory of 1028	3824	Cdabcm32.exe	88
PID 1028 wrote to memory of 2500	1028	Cnffqf32.exe	89
PID 1028 wrote to memory of 2500	1028	Cnffqf32.exe	89
PID 1028 wrote to memory of 2500	1028	Cnffqf32.exe	89
PID 2500 wrote to memory of 1412	2500	Caebma32.exe	90
PID 2500 wrote to memory of 1412	2500	Caebma32.exe	90
PID 2500 wrote to memory of 1412	2500	Caebma32.exe	90
PID 1412 wrote to memory of 2568	1412	Chokikeb.exe	91
PID 1412 wrote to memory of 2568	1412	Chokikeb.exe	91
PID 1412 wrote to memory of 2568	1412	Chokikeb.exe	91
PID 2568 wrote to memory of 4464	2568	Cjmgfgdf.exe	92
PID 2568 wrote to memory of 4464	2568	Cjmgfgdf.exe	92
PID 2568 wrote to memory of 4464	2568	Cjmgfgdf.exe	92
PID 4464 wrote to memory of 4036	4464	Cmlcbbcj.exe	93
PID 4464 wrote to memory of 4036	4464	Cmlcbbcj.exe	93
PID 4464 wrote to memory of 4036	4464	Cmlcbbcj.exe	93
PID 4036 wrote to memory of 1976	4036	Cdfkolkf.exe	94
PID 4036 wrote to memory of 1976	4036	Cdfkolkf.exe	94
PID 4036 wrote to memory of 1976	4036	Cdfkolkf.exe	94
PID 1976 wrote to memory of 2320	1976	Cjpckf32.exe	95
PID 1976 wrote to memory of 2320	1976	Cjpckf32.exe	95
PID 1976 wrote to memory of 2320	1976	Cjpckf32.exe	95
PID 2320 wrote to memory of 4400	2320	Cnkplejl.exe	96
PID 2320 wrote to memory of 4400	2320	Cnkplejl.exe	96
PID 2320 wrote to memory of 4400	2320	Cnkplejl.exe	96
PID 4400 wrote to memory of 2004	4400	Ceehho32.exe	97
PID 4400 wrote to memory of 2004	4400	Ceehho32.exe	97
PID 4400 wrote to memory of 2004	4400	Ceehho32.exe	97
PID 2004 wrote to memory of 3164	2004	Chcddk32.exe	98
PID 2004 wrote to memory of 3164	2004	Chcddk32.exe	98
PID 2004 wrote to memory of 3164	2004	Chcddk32.exe	98
PID 3164 wrote to memory of 2988	3164	Cjbpaf32.exe	100
PID 3164 wrote to memory of 2988	3164	Cjbpaf32.exe	100
PID 3164 wrote to memory of 2988	3164	Cjbpaf32.exe	100
PID 2988 wrote to memory of 1088	2988	Cmqmma32.exe	101
PID 2988 wrote to memory of 1088	2988	Cmqmma32.exe	101
PID 2988 wrote to memory of 1088	2988	Cmqmma32.exe	101
PID 1088 wrote to memory of 2964	1088	Dhfajjoj.exe	102
PID 1088 wrote to memory of 2964	1088	Dhfajjoj.exe	102
PID 1088 wrote to memory of 2964	1088	Dhfajjoj.exe	102
PID 2964 wrote to memory of 4576	2964	Dmcibama.exe	104
PID 2964 wrote to memory of 4576	2964	Dmcibama.exe	104
PID 2964 wrote to memory of 4576	2964	Dmcibama.exe	104
PID 4576 wrote to memory of 1580	4576	Dejacond.exe	105
PID 4576 wrote to memory of 1580	4576	Dejacond.exe	105
PID 4576 wrote to memory of 1580	4576	Dejacond.exe	105
PID 1580 wrote to memory of 2656	1580	Dfknkg32.exe	107
PID 1580 wrote to memory of 2656	1580	Dfknkg32.exe	107
PID 1580 wrote to memory of 2656	1580	Dfknkg32.exe	107
PID 2656 wrote to memory of 3960	2656	Dmefhako.exe	108

C:\Users\Admin\AppData\Local\Temp\d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe
"C:\Users\Admin\AppData\Local\Temp\d49ceea6f58ea3f0d4275bfd7f7e31c063ea5f3c8d547e238fba5927b7daad19.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\Cfmajipb.exe
    C:\Windows\system32\Cfmajipb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\SysWOW64\Cmgjgcgo.exe
      C:\Windows\system32\Cmgjgcgo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 404
        33⤵
        Program crash
        
        PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2952 -ip 2952
1⤵
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
96KB

MD5
e06fc8148465b3a531ee7ca1caca31f0

SHA1
69c8e4ca76922f1426351f172f549cf87f8b4ad8

SHA256
02ab8365b74dee54921a25a7cc06a0f5610d2a9655192499fff8a02fec83d2d2

SHA512
ab75f05f17046472ffb11a402d880171a70ba8dd778e17735ccb3eaa8edf7b6a04bb5fceb26dd7b714be1e668e3fd987ee3d570298c7f3ab9925e762007be208

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
96KB

MD5
00fb1b1a608cfe91ba3edbb59a731093

SHA1
48ff8072b439120f6f3e97e9b31f4bc69fae9d99

SHA256
08cc4b04ab1f7964db9903cc114802123deff9dde7908686487952cd98d7ce17

SHA512
c2c2fc58ac00e71a1afd66aa57e8b6f0dc1edbfcec26da545745937ba2afdd008b5f69f82501af5a22969137d83ac73d1709cacdd6c0d2dacbbf4a8f5a016bf3

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
19fbfaa5866e67ab7c96e8b92ffae6b5

SHA1
3e7fa2cff595c3292ebb7b7413e69d7305039675

SHA256
328219287cebf73668ae1886e51d41e96c562a15c458d79c471d7c4b382cb910

SHA512
d6c314c476e599ce1b9a4927993b1cb56529739e537a48fbcd75a650710c73804c69e4e8ffc11228240a71e5725bccd44e39c4c1e83bfc04352543bcfcd3b859

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
0fe1317c35627f61c2f305cd8f3039c1

SHA1
f042e0283b1d727b60f667a0a1158332936574d2

SHA256
b85a5e229a5c881465fd20f1b7c362b1b5e22858d855eb8dda07e1855c26e0c3

SHA512
f8fe005a63e91a2a81368c92ab0b57a00ed85bfdd22f954b2d4eb3977c299e31bd59125fc0ccbd246911b0991b724284d81d9428c88a2a589cc54e692a470880

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
e9806902fdf88bdad7e2a1e83964066b

SHA1
a4c6764b5cbbe1938d8434dc70f53662f2c14bfe

SHA256
7a3ec5d3e954f639bb2c58dfc99b756e0ae5c4ae3463235b8905471fdf8a6dde

SHA512
978d9c149a6f9989580b62e501161d088edbebe6033a719d326e0d6bfdd683e9a016f9a865d37d3fddc1d64911b5a292fd3a8d825262f08ac679c3179a024084

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
96KB

MD5
00691724d60c63b4bee80068637448bc

SHA1
a5fdde9d5cb0d8fca68f835c9ada69b0659bdb5d

SHA256
54885b39278c87e4af0bbe84e411105007e818ea4f9d8d5181670372cf1da02b

SHA512
3024f85bf35d4342c41359aba4e5e4507600c170abf5e2182f43152a5bdf6615480255fa27ed10de39bf517b96d4cc4a68cc9abed8148a344aa3a4d47d3986f2

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
394b1b5613497f0bf0ebb613f1adefe0

SHA1
07161f8a24f64b836edac837656d903a2a7c35c0

SHA256
6ccb8ec105ec8c8526530a58f778198f033db6749be1de27ed59a6d449c419e3

SHA512
67d2da79d79d11e684d73fe35c8c667dcb0a9bcbc67054fa7944365de532fa9e7123f1923920f08f16f7e98c4baaf7bae10ef72f612ac123d1db804fe1bc0324

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
cbeede33613061efca9137e3f50ffbef

SHA1
3b29fc9a0a364c93ef75cb86e6f697ad82d101fe

SHA256
dbe8374c27864c85c2abef86415ebf233223e1ed0610b1f9a8d3cd0e9ce3a9e9

SHA512
dd5fdab1f8d8a285c90435d10d4e2a3716317680a7974219a67e3c66a7566ca23d60f02fcc9c7088e3be10b0a26b18acb442b173805a8bbecc3bcea895c78706

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
96KB

MD5
e49bb076a7ea528d4050a368e2eac4e5

SHA1
85017b33f32082b76084ee4e6768a9573b32bc09

SHA256
644888a0b3b8cb70a4d02edafc23b2a796975c65107dea6561106f580913a394

SHA512
f4767648c620afdd02ee418ed66970656a94da2ac8dda810bb140f6e4988ad510c6f6b0499657ff6693c4df5e6e5e2be9c771ace7350f46478f8a20a221797e5

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
5b326f8188f460c1035c2d2e4c5e0f99

SHA1
3414f8a61df738a70abf6c3cfb030a6e3d1b106e

SHA256
f06850fab0dadb79687614d0d667f26a3d7f688c88a020a64c69ac8b28a31789

SHA512
dd998ede15d567e7312ee6aa8d2f7decdc683f18215d7e5016b76399c13ea3a85d6efe5b60a8de7d95027d9cace4a45c27c85335831f3b091ecacea8b69af869

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
96KB

MD5
95cfab28d2fd693f7d3efdc9f2a05ba3

SHA1
7b15411d1b1f76ecb6f8563b81363ea9f62295d9

SHA256
544d9d17352c628214956c32dfa0e3c588db6d94e438d23baee27c07b2b326a9

SHA512
79a6f35c3ab178add7290801508ecf365ddded263f3309f20553f8c5363898a5b029fd1c00547d048912f65511d55e27a5af183510c418ec75fde2057feb4afa

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
747b6f978c648995e34c1c89644ac3ed

SHA1
622a606ad3275ba8653c76e29b38b60519ef5954

SHA256
e5020197590765c7bf550ccda637e18a7d0a3970350a5af8a68941f7bb92f792

SHA512
93bb16159dff27f1ee91423bdc3de4a9115a5cba010a6f60232705110f9f95b976fe4e5ce8ea3b68d48aa9fcf27fd0434b54d663ed7e191e61a54329d95bc3dd

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
e1e9bd03d08796ab9023a065d12fdd41

SHA1
ff791b1516f36959ae6470541870db3cb6a56852

SHA256
097bc298408f213097fde21a3e20d8c525ddb35f00f7ed335904d169845ce7c8

SHA512
c2500c132ab8d0e453cecaf3da4583468ac9b9040907f8582af6b5a15bafa26843ebfa39f25ef8f4f840ea904fafe07dc264b3668c331842b47cdb78b73fa0c4

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
af7fc54aa5495a0589cf11ff12c3d6bb

SHA1
7a003d074ebd690b1e600ad344b0ba95254c746c

SHA256
40a74f3f3dda06098177afa287994efaeda6a4fac0e3997a041d081ddac8fb6a

SHA512
078d8e962a2486924625f1254aa402c06810bac1c744923c94afe3be51a74816fa61d003977b4ed2143ada6e080b8eaa74191fc55109191aa5afedcefab413b3

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
d7c00e1b52786ad2f0339d3c66732c19

SHA1
4323e3290a40d1c5831ce93f9ef87e649d3d8059

SHA256
14a804e96be4cc7b64d42a39e4ef6ba549c02baf18d3596f50005713f4712fcc

SHA512
66edd2b4ab6ab571077d2e754a4d10e8d28810917ad21538ba7bffa288d601e9be406f03b89034891935c4af63942c5ded0c55abbb00b2da2d75614f3fd64ab5

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
5f63e353ab61ab94e54f80873caf62fc

SHA1
77e357b979ecf6ec56549547ff01bd9c2ba5d757

SHA256
cfd8e4115ae40ec519a774aefe103b8c5f37542f0876ea1870352f57bd61000b

SHA512
de9b640e7e931bfee5d8a1038f453d5bdbd90e09f1446160c9b746371ff81dca72eecd247441467b881ee5525460183df41bb3a711fe3cb31e018a838c8c0ad4

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
c5127e9ca58cea7f250c421f1a920464

SHA1
4ab067d40ffe20cf4881c8e7cb060291cc9e9eaa

SHA256
c3f429c6deecd7cc8ccb75c4c1ff6360325495677aedeca8ba1cf0bad416bed7

SHA512
0869518ed4f08cd4af6ce979e73e9d7c79f90e4dcf100dfc403aed3e829840935f2b9d25dbea59a1479f72c12487ec447199258f69d48e4a6f4b99bf993a0ac4

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
bf04baa55314d3019e449466a1367f82

SHA1
dc7aa028d2051161e7b1e864b5ff8f8ebc75cae6

SHA256
a666bb2221cb00abcd704345c5f884d523a17f52f84a70101020fd73fbac2242

SHA512
ef69917e540bf9cdcfefd31f59c56ebd3ec8d761d8a5fdebba50790b53124b28b3334fd4399349acdce80ef012c6badc591d7005ff065fa6a951ffe15792ab00

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
d3fb886e76f381089250bdff9ed5c3bd

SHA1
312f959aa3ef1a437956f50509013e89eb9e6a50

SHA256
524da834840b0dda90f30c9387b06cb09e4cb7403bab3c465cf581073fecb265

SHA512
f9afef170b40857192f847c6246fd8fc2d6ae797ac15ec299cb26bcc457854abf7a70b2e79c937bf8d410008a3274aa4c87a5c0a99801403106d92626d948a12

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
0ac336f855e5b4abae50cbe66708174e

SHA1
a68a8c04a9a22fb24edeed3cd7cc46064673eeee

SHA256
554e87ce4862b847ad58a103c870e2d58e67830e6ebf65f71ed5ab39519dc002

SHA512
0549da33d6e33273bc62bf6ce4d6c09f6d1d7e2edb2e817d23eeca3f2c1c67d22cc47f0a8521de2760d132e8b3a6b3606aca0906ceddba8baa247dc767628f46

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
5e0b555945b2ba99a3b22ca293cf2ef8

SHA1
b7c570b24edc3cc6f52b70ccfc009194e58b7d09

SHA256
7f01ad7c5168f9c706f5474729959ae314279068c8f33355e5964edd9179550b

SHA512
196b5e85b4c8976c19c3e8932a2d88e2e621a37a9e80311beae707aee4c7760443f202c9d08bd50d046a657ca5755b8f70000ebc7465a03b2fb35b5a2a0c016f

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
febf44fcffa3c327a1eaf9578a9b5364

SHA1
42409be61c3ef89341694a0f1ab0621f865dfeba

SHA256
cb39f91df47f6504b152b6d001aaa5bc88b61d099b83c708c1e694e33bb4b752

SHA512
8e10b8c90df083579588ff219990e648c5b381969e9d497e8ccee4431eb88c5117beb95457bb511643a40437e81cb8b6b17c889d63954393f722f32e2d78f4ff

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
9579c77a764439a0d7cc253bcd997c2f

SHA1
c827a9667152e10bbdebd6fb8bd7a2d8fc2b88a8

SHA256
b4d29d6e325b60ea9ef81ff9aafc3dfb2db8881f670b2d283d435b346dee0960

SHA512
f53bf49a6d5eb24f7abef8bf429c3920c0c661be212e6cd9bf66603bc4c1c0655c4cebb47c88e85df57774f0d5f28c6ed5a624527dd80bf3940eebe4b34c1a9e

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
7ccb8da6ff332eefe90d251b8fd31535

SHA1
b71d7ecde628e4ffc1de2a99891b75785a3b12b2

SHA256
fe8c660ff186364a6de570084e0de4c7d2ed04fa41939d7a34ddefcc9f6df977

SHA512
2793f4a617eba80cfc96167cdc12b90a4a99cd4bc70473e2768ba69ed987f13d3f64cf08d05266aba5ad497fa6c04891030f3b6fe8eede3dac9d2461135faef8

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
d0b7998bd100874a9315e86227bd62c5

SHA1
d4e04772eb6bd700d57aaa644003d7f4cce0a4c1

SHA256
c20bf16e56ff6b7e75a693dfb444185f84003d10a90ea05d7456edbfe10c4c5c

SHA512
a4d65837211de8d3e0c1964511f3c155d70016e07b14342fccebb841eb02b034621daa089aa977efe2ebe38f1b99c57bab182155920da6c5ccf757df75b979dd

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
ec1bcc9193cf1692bae66bff1a44f511

SHA1
70fe84b36124d5f5645db5b6b02d01cd3398f90f

SHA256
7e20104a576ef19c92578eb52e7a7dc5de17ed2ad50860aa072debc226db9850

SHA512
92a347a991fd57b02975a72aa16872f91aece2fcb8cd673c79827fd3d0959fdf7ca164624203f38d5fcf5e45a7c3505ef2b72a9f0edf4aa3b23c871fa305093f

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
82c590cfab2ae79a51185f62c24637c8

SHA1
be0dbccaab04380132bbb98ff290639bdb4790ca

SHA256
bd9841e34a49375bd7492f0b7ba9e1320d829277fb61e7d9116e840d695c1907

SHA512
6d841d89f83824ff4cadaa2af74f10ff352ef1639aacb2ecbb7a6e22ca2b568701f908e84441cac3adf216fadc3e6cf1091eecb00913a788153eed67fa2a2523

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
1d9b93cdda6cf49500d9c084e8a63391

SHA1
3302f7d659eadd0ef19e043b7c3e93ed7ddf26e5

SHA256
9753a5fa6112d03f92421e61cb9e8bd75a8e0116d06da7077ad16bbd6b60ea77

SHA512
bf5851fba207a4a1e95de3e4deac1992b46d267c9f6dacc613d037a1dc4fcc0d902bf1de5a5e3fc04cde490fd0a999088f9274816c89b72318de0875b858da80

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
e3924bc4bad6d17054ffecff0226eb90

SHA1
141a01c8ab900eb4f70e9fb4281bb12fa3a9fdd5

SHA256
5046da897662e90aa52f4470ccd288ad2a1b434aff59c07e130da59468a5510f

SHA512
e37c00ae4f6304141ace6042e9756044328b0a203f385025fdb5197fdce2a891220021af991bb523407d4b1acbc0cbf9cef0c06b4d146ccfb9f832038a7459bc

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
d23cdbb3e3548b900f55474ba67860b1

SHA1
2e18b525c1570fec2999609473d055b491b428a8

SHA256
023911f3a9bc8bf03d61f38b271cd205ead8d056e40e6c5aa1f7c19e823d89a6

SHA512
9466385f089df277fadf5404f74aa2ab43f3b337feea1f318180e47085fddd8bbb134a0b8a150e11b60310d3061c3f12c06271bb7faa542fd115ea8e6e8e8744

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
ffdf7ac41ae368b224ad1f586443077f

SHA1
cea9a5f48b47717a00e4a24b969fd0bcbb7ba075

SHA256
708c3c49d1883e4f5fd8129db0ae4f1b98f69469ed8047048b7522be6a444e9e

SHA512
ed8d3ba1e73c7fbb65500f436675eaaf0714a804e82443d0f4f79c0f56bb4dcf20c241c2247187e5ec0a8b29b128d459b0f964216dad4010345a7d9a08270685

Download Submit
memory/1028-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3808-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads