berbew | 9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
Size

92KB
MD5

f56414850b8490d67a59f6ba5405bbb0
SHA1

aceccd06428fc6893c214317416c5768cb27a5a0
SHA256

9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9
SHA512

395c8dfcf00404622e3d35bbea4e502673a3b0cbac72c1a87286f30ce33ff2cad3c52903c26bcebb481dfa5a88fc845f7eede893a7c1127d8d70e7a475ec0fbf
SSDEEP

1536:/IXA/oxc75rCGk9xSN/bN2TtNraKRweabUUumGN3imnunGP+C:1Sc75raK/bQpaZdVGVbe4+C

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlgldibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcadac32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbfdjdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgldibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dliijipn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caknol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppkph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnoomqbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dliijipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccngld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnoomqbg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
2136	Caknol32.exe
2732	Cghggc32.exe
2656	Cjfccn32.exe
2912	Cppkph32.exe
2452	Ccngld32.exe
2932	Dgjclbdi.exe
592	Djhphncm.exe
584	Dlgldibq.exe
2924	Dcadac32.exe
2952	Dfoqmo32.exe
1232	Dliijipn.exe
1856	Dccagcgk.exe
2756	Dbfabp32.exe
396	Dlkepi32.exe
2056	Dfdjhndl.exe
1716	Dhbfdjdp.exe
2060	Dkqbaecc.exe
2120	Dnoomqbg.exe
2876	Dfffnn32.exe
1168	Dhdcji32.exe
2768	Dookgcij.exe
1544	Ebmgcohn.exe
1732	Ehgppi32.exe
784	Ekelld32.exe
1564	Ebodiofk.exe
2708	Ecqqpgli.exe
2092	Ejkima32.exe
2684	Efaibbij.exe
2652	Eojnkg32.exe
3016	Efcfga32.exe
2424	Emnndlod.exe
2772	Echfaf32.exe
2964	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2132	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
2132	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
2136	Caknol32.exe
2136	Caknol32.exe
2732	Cghggc32.exe
2732	Cghggc32.exe
2656	Cjfccn32.exe
2656	Cjfccn32.exe
2912	Cppkph32.exe
2912	Cppkph32.exe
2452	Ccngld32.exe
2452	Ccngld32.exe
2932	Dgjclbdi.exe
2932	Dgjclbdi.exe
592	Djhphncm.exe
592	Djhphncm.exe
584	Dlgldibq.exe
584	Dlgldibq.exe
2924	Dcadac32.exe
2924	Dcadac32.exe
2952	Dfoqmo32.exe
2952	Dfoqmo32.exe
1232	Dliijipn.exe
1232	Dliijipn.exe
1856	Dccagcgk.exe
1856	Dccagcgk.exe
2756	Dbfabp32.exe
2756	Dbfabp32.exe
396	Dlkepi32.exe
396	Dlkepi32.exe
2056	Dfdjhndl.exe
2056	Dfdjhndl.exe
1716	Dhbfdjdp.exe
1716	Dhbfdjdp.exe
2060	Dkqbaecc.exe
2060	Dkqbaecc.exe
2120	Dnoomqbg.exe
2120	Dnoomqbg.exe
2876	Dfffnn32.exe
2876	Dfffnn32.exe
1168	Dhdcji32.exe
1168	Dhdcji32.exe
2768	Dookgcij.exe
2768	Dookgcij.exe
1544	Ebmgcohn.exe
1544	Ebmgcohn.exe
1732	Ehgppi32.exe
1732	Ehgppi32.exe
784	Ekelld32.exe
784	Ekelld32.exe
1564	Ebodiofk.exe
1564	Ebodiofk.exe
2708	Ecqqpgli.exe
2708	Ecqqpgli.exe
2092	Ejkima32.exe
2092	Ejkima32.exe
2684	Efaibbij.exe
2684	Efaibbij.exe
2652	Eojnkg32.exe
2652	Eojnkg32.exe
3016	Efcfga32.exe
3016	Efcfga32.exe
2424	Emnndlod.exe
2424	Emnndlod.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ebodiofk.exe	Ekelld32.exe
File opened for modification	C:\Windows\SysWOW64\Ebodiofk.exe	Ekelld32.exe
File created	C:\Windows\SysWOW64\Qbgpffch.dll	Ccngld32.exe
File created	C:\Windows\SysWOW64\Mcfidhng.dll	Dcadac32.exe
File opened for modification	C:\Windows\SysWOW64\Dfffnn32.exe	Dnoomqbg.exe
File created	C:\Windows\SysWOW64\Efcfga32.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Inegme32.dll	Efcfga32.exe
File created	C:\Windows\SysWOW64\Opfdll32.dll	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
File created	C:\Windows\SysWOW64\Mhkdik32.dll	Cjfccn32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqbaecc.exe	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Dnoomqbg.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Dhdcji32.exe	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Olfeho32.dll	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Ecqqpgli.exe	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Cjfccn32.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Fahgfoih.dll	Cghggc32.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Dcadac32.exe	Dlgldibq.exe
File created	C:\Windows\SysWOW64\Dfffnn32.exe	Dnoomqbg.exe
File created	C:\Windows\SysWOW64\Clialdph.dll	Dookgcij.exe
File created	C:\Windows\SysWOW64\Dinhacjp.dll	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Lbadbn32.dll	Ejkima32.exe
File opened for modification	C:\Windows\SysWOW64\Cghggc32.exe	Caknol32.exe
File created	C:\Windows\SysWOW64\Dlgldibq.exe	Djhphncm.exe
File created	C:\Windows\SysWOW64\Mfacfkje.dll	Djhphncm.exe
File opened for modification	C:\Windows\SysWOW64\Dcadac32.exe	Dlgldibq.exe
File created	C:\Windows\SysWOW64\Dfoqmo32.exe	Dcadac32.exe
File opened for modification	C:\Windows\SysWOW64\Dlkepi32.exe	Dbfabp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhdcji32.exe	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Dookgcij.exe	Dhdcji32.exe
File created	C:\Windows\SysWOW64\Mnghjbjl.dll	Caknol32.exe
File opened for modification	C:\Windows\SysWOW64\Dlgldibq.exe	Djhphncm.exe
File created	C:\Windows\SysWOW64\Eojnkg32.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Dkqbaecc.exe	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Lkmkpl32.dll	Efaibbij.exe
File created	C:\Windows\SysWOW64\Cppkph32.exe	Cjfccn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbfdjdp.exe	Dfdjhndl.exe
File opened for modification	C:\Windows\SysWOW64\Dccagcgk.exe	Dliijipn.exe
File opened for modification	C:\Windows\SysWOW64\Dfdjhndl.exe	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Njmggi32.dll	Ekelld32.exe
File created	C:\Windows\SysWOW64\Efaibbij.exe	Ejkima32.exe
File opened for modification	C:\Windows\SysWOW64\Dfoqmo32.exe	Dcadac32.exe
File created	C:\Windows\SysWOW64\Dccagcgk.exe	Dliijipn.exe
File created	C:\Windows\SysWOW64\Oghiae32.dll	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Djhphncm.exe	Dgjclbdi.exe
File opened for modification	C:\Windows\SysWOW64\Dliijipn.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Jaegglem.dll	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Dliijipn.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Ckgkkllh.dll	Dhbfdjdp.exe
File opened for modification	C:\Windows\SysWOW64\Ebmgcohn.exe	Dookgcij.exe
File created	C:\Windows\SysWOW64\Ecqqpgli.exe	Ebodiofk.exe
File opened for modification	C:\Windows\SysWOW64\Dgjclbdi.exe	Ccngld32.exe
File opened for modification	C:\Windows\SysWOW64\Djhphncm.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Ajfaqa32.dll	Dbfabp32.exe
File opened for modification	C:\Windows\SysWOW64\Dnoomqbg.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Mmnclh32.dll	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Ebmgcohn.exe	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Ehgppi32.exe	Ebmgcohn.exe
File opened for modification	C:\Windows\SysWOW64\Efaibbij.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Iifjjk32.dll	Dliijipn.exe
File opened for modification	C:\Windows\SysWOW64\Dbfabp32.exe	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2960	2964	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppkph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcadac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqbaecc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecqqpgli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfffnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekelld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caknol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfoqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnoomqbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dookgcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejkima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efaibbij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlgldibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbfdjdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehgppi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echfaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccngld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dliijipn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebmgcohn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebodiofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eojnkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djhphncm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dccagcgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdjhndl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnoomqbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll"	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll"	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnclh32.dll"	Dkqbaecc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjfccn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccngld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caknol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll"	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll"	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll"	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cppkph32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2136	2132	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe	28
PID 2132 wrote to memory of 2136	2132	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe	28
PID 2132 wrote to memory of 2136	2132	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe	28
PID 2132 wrote to memory of 2136	2132	9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe	28
PID 2136 wrote to memory of 2732	2136	Caknol32.exe	29
PID 2136 wrote to memory of 2732	2136	Caknol32.exe	29
PID 2136 wrote to memory of 2732	2136	Caknol32.exe	29
PID 2136 wrote to memory of 2732	2136	Caknol32.exe	29
PID 2732 wrote to memory of 2656	2732	Cghggc32.exe	30
PID 2732 wrote to memory of 2656	2732	Cghggc32.exe	30
PID 2732 wrote to memory of 2656	2732	Cghggc32.exe	30
PID 2732 wrote to memory of 2656	2732	Cghggc32.exe	30
PID 2656 wrote to memory of 2912	2656	Cjfccn32.exe	31
PID 2656 wrote to memory of 2912	2656	Cjfccn32.exe	31
PID 2656 wrote to memory of 2912	2656	Cjfccn32.exe	31
PID 2656 wrote to memory of 2912	2656	Cjfccn32.exe	31
PID 2912 wrote to memory of 2452	2912	Cppkph32.exe	32
PID 2912 wrote to memory of 2452	2912	Cppkph32.exe	32
PID 2912 wrote to memory of 2452	2912	Cppkph32.exe	32
PID 2912 wrote to memory of 2452	2912	Cppkph32.exe	32
PID 2452 wrote to memory of 2932	2452	Ccngld32.exe	33
PID 2452 wrote to memory of 2932	2452	Ccngld32.exe	33
PID 2452 wrote to memory of 2932	2452	Ccngld32.exe	33
PID 2452 wrote to memory of 2932	2452	Ccngld32.exe	33
PID 2932 wrote to memory of 592	2932	Dgjclbdi.exe	34
PID 2932 wrote to memory of 592	2932	Dgjclbdi.exe	34
PID 2932 wrote to memory of 592	2932	Dgjclbdi.exe	34
PID 2932 wrote to memory of 592	2932	Dgjclbdi.exe	34
PID 592 wrote to memory of 584	592	Djhphncm.exe	35
PID 592 wrote to memory of 584	592	Djhphncm.exe	35
PID 592 wrote to memory of 584	592	Djhphncm.exe	35
PID 592 wrote to memory of 584	592	Djhphncm.exe	35
PID 584 wrote to memory of 2924	584	Dlgldibq.exe	36
PID 584 wrote to memory of 2924	584	Dlgldibq.exe	36
PID 584 wrote to memory of 2924	584	Dlgldibq.exe	36
PID 584 wrote to memory of 2924	584	Dlgldibq.exe	36
PID 2924 wrote to memory of 2952	2924	Dcadac32.exe	37
PID 2924 wrote to memory of 2952	2924	Dcadac32.exe	37
PID 2924 wrote to memory of 2952	2924	Dcadac32.exe	37
PID 2924 wrote to memory of 2952	2924	Dcadac32.exe	37
PID 2952 wrote to memory of 1232	2952	Dfoqmo32.exe	38
PID 2952 wrote to memory of 1232	2952	Dfoqmo32.exe	38
PID 2952 wrote to memory of 1232	2952	Dfoqmo32.exe	38
PID 2952 wrote to memory of 1232	2952	Dfoqmo32.exe	38
PID 1232 wrote to memory of 1856	1232	Dliijipn.exe	39
PID 1232 wrote to memory of 1856	1232	Dliijipn.exe	39
PID 1232 wrote to memory of 1856	1232	Dliijipn.exe	39
PID 1232 wrote to memory of 1856	1232	Dliijipn.exe	39
PID 1856 wrote to memory of 2756	1856	Dccagcgk.exe	40
PID 1856 wrote to memory of 2756	1856	Dccagcgk.exe	40
PID 1856 wrote to memory of 2756	1856	Dccagcgk.exe	40
PID 1856 wrote to memory of 2756	1856	Dccagcgk.exe	40
PID 2756 wrote to memory of 396	2756	Dbfabp32.exe	41
PID 2756 wrote to memory of 396	2756	Dbfabp32.exe	41
PID 2756 wrote to memory of 396	2756	Dbfabp32.exe	41
PID 2756 wrote to memory of 396	2756	Dbfabp32.exe	41
PID 396 wrote to memory of 2056	396	Dlkepi32.exe	42
PID 396 wrote to memory of 2056	396	Dlkepi32.exe	42
PID 396 wrote to memory of 2056	396	Dlkepi32.exe	42
PID 396 wrote to memory of 2056	396	Dlkepi32.exe	42
PID 2056 wrote to memory of 1716	2056	Dfdjhndl.exe	43
PID 2056 wrote to memory of 1716	2056	Dfdjhndl.exe	43
PID 2056 wrote to memory of 1716	2056	Dfdjhndl.exe	43
PID 2056 wrote to memory of 1716	2056	Dfdjhndl.exe	43

C:\Users\Admin\AppData\Local\Temp\9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe
"C:\Users\Admin\AppData\Local\Temp\9ca357bd3d61bb48ebe2712004b83c5c7cbbf223dd7840e1e062b944b44d9ab9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\Caknol32.exe
  C:\Windows\system32\Caknol32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\Cghggc32.exe
    C:\Windows\system32\Cghggc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Cjfccn32.exe
      C:\Windows\system32\Cjfccn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\Cppkph32.exe
        
        C:\Windows\system32\Cppkph32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\SysWOW64\Ccngld32.exe
        
        C:\Windows\system32\Ccngld32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Djhphncm.exe
        
        C:\Windows\system32\Djhphncm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Dlgldibq.exe
        
        C:\Windows\system32\Dlgldibq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Dcadac32.exe
        
        C:\Windows\system32\Dcadac32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Dliijipn.exe
        
        C:\Windows\system32\Dliijipn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Dccagcgk.exe
        
        C:\Windows\system32\Dccagcgk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Dfdjhndl.exe
        
        C:\Windows\system32\Dfdjhndl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Dhbfdjdp.exe
        
        C:\Windows\system32\Dhbfdjdp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Dkqbaecc.exe
        
        C:\Windows\system32\Dkqbaecc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Dnoomqbg.exe
        
        C:\Windows\system32\Dnoomqbg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Dfffnn32.exe
        
        C:\Windows\system32\Dfffnn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Dhdcji32.exe
        
        C:\Windows\system32\Dhdcji32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Dookgcij.exe
        
        C:\Windows\system32\Dookgcij.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Ebmgcohn.exe
        
        C:\Windows\system32\Ebmgcohn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Ehgppi32.exe
        
        C:\Windows\system32\Ehgppi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ecqqpgli.exe
        
        C:\Windows\system32\Ecqqpgli.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Eojnkg32.exe
        
        C:\Windows\system32\Eojnkg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Echfaf32.exe
        
        C:\Windows\system32\Echfaf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 140
        35⤵
        Program crash
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akigbbni.dll

Filesize
7KB

MD5
5ce53b57a551ca8d3df8d64133041100

SHA1
40cf48754060160f54794708d86b065e8e98d55c

SHA256
6d17bf2d0f349ce8c36c2cc3e2b1918c0c207599e35bcb83d7822db18af1b0b6

SHA512
f1d10da294723e7e2ff5d6c7a42a6cda9e1c12c543628154d3592300da7a0a5a93c60133a61a9b52a5dfc9a2786524b34e2abd2655f116eef7f42c9aad1ba41c

Download Submit
C:\Windows\SysWOW64\Ccngld32.exe

Filesize
92KB

MD5
014f5fda1f338a6f093a93d8b34cb617

SHA1
9d070bb2cfad4d27e1dac93ea1c6a02d24e93fdf

SHA256
85c489c3148b1289e91ce7643f11cad4b35ca918f03045f4a8da40252e8e5590

SHA512
566f12978e0efdb7f11ab05ac5e521e8fa1bbea873656ccc2ab7bb51519743eee8d20cc0000b6a9f2fcdb3bc5c36ebf07c830c3afd334efd0a0a71030c4a6779

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
92KB

MD5
bc089d43c17740cc9f8578559c11831c

SHA1
d24c9959854ec24e84c0f42a6586cd792a9f5fc8

SHA256
37f6adcfd9d74d08533e866727ea1abec4c4abb5cf5fb0793076fe46c91ff183

SHA512
8f70db12c559aaf311d0ef4c92621b964d8999657cec36c1a60e01118d4bf8f9852ede558f81cb4f6bdcbf5c018ca22462f6f3a5cde7f8c32ca2d6efda3144f6

Download Submit
C:\Windows\SysWOW64\Cppkph32.exe

Filesize
92KB

MD5
9bcabaa9d163549ca7abe5626f726294

SHA1
b5cb295091025445a6b9e4248dca4160c53f6faf

SHA256
551079f2923c891aed5c5b35a40ab1f918b8a55bf2f82fd7db9ddeb03c870b7a

SHA512
7e8bddd1d808bf526d66b7742d3addc8deb60cd2c8d867c268fb0df09499742cb9db1efcecc95ab967d769d1c1668fcd038b1402f0a8e91d94af9cfc75bcc45d

Download Submit
C:\Windows\SysWOW64\Dbfabp32.exe

Filesize
92KB

MD5
ba67145854f660fb969dee6cbc9c25a0

SHA1
2f67c79e030c7a312ed76f4549cc9b9b850500cd

SHA256
dcf9ccbb625d7f3bd167ba2e93683dd998bf03d3f400321bdc35d9b0c20d928a

SHA512
a58d5a3faa0dc23e0043722a3b0bd2b0f52a6174350aed7d51dc8736dc21578d05faacf46b47935440e01b6ab468d61d45d95ec3d8c2bbdd54458c9133f3a4d4

Download Submit
C:\Windows\SysWOW64\Dcadac32.exe

Filesize
92KB

MD5
64c586d2c003a3be7164fa461472cbed

SHA1
35a573d69a58702d49e4b66a4dd1cd147c013856

SHA256
e1848a77e9ca7aeb7fcadbd584709cc418a72ae1d071e91ba3cc903f67077b03

SHA512
759a93c7d482a92980348ebe5369637eb1b7a2855bf2a314996ca34c5baa677263c8c863ac4256b6c273694427ecf2defe7da156c78dbe7d82bab68ba0636eb9

Download Submit
C:\Windows\SysWOW64\Dfdjhndl.exe

Filesize
92KB

MD5
51d5b019c3d5564763f5bdd92c538004

SHA1
08a614ab0e9042f64663f7dc751ae7e38069c5b7

SHA256
37ceb58d2b517c809103e5d035879be4592c1a3b2cfa6f4e4f3f1b524e36afd4

SHA512
1a29c952e382e3767baf15f8e74624611add4ebdaa71efae70518873622a5b0c6e7f004c3409f8a8b3fc1b950f69999be5d2144897c01455a3cb27e24dbca395

Download Submit
C:\Windows\SysWOW64\Dfffnn32.exe

Filesize
92KB

MD5
8e20f3c4cd9dd9cc7dc4147d68b426be

SHA1
a1b8445f0663aa225d17edd2f4a1a788a171f6eb

SHA256
c83a043841ae6686bef36d96b7d02fa0cea593559d5da8f7073a91a4ebe7b8ce

SHA512
222d7855d5284d366b49b798e221a95e0655bba65ecc00f8f15efe6285895d8b8d168cb2df3660da7ebddcd7da47a0664f208c41c616464481aa8f68719941f5

Download Submit
C:\Windows\SysWOW64\Dgjclbdi.exe

Filesize
92KB

MD5
2cd2f809eb2f10913e9be876ed666ba1

SHA1
21d5fe3c03ac41da5b7ee66ffb8d6f73c56bb971

SHA256
3789dd59c04cc68a97b254aedfec08c150709befa71349ae2cf5bacc2225af6c

SHA512
aaab4cd6c0dcd43836fbd8ae49e08e496e578dfe75e64554834b6cef3da692d805d522a073484f6010e9be30357a1ae51843d0ced38a1a757e9b022a57a54dec

Download Submit
C:\Windows\SysWOW64\Dhdcji32.exe

Filesize
92KB

MD5
ef9253aea09f9b27195fee66dffd2913

SHA1
f822f948cf8b04138d8deb83e67ad8a59facd4bd

SHA256
46fc982cf9264c6397a60890300cebcf1940e0a9c56197ecd921fbf8b7f1ce34

SHA512
e9c33768e991898f7480d52f4d643c7856a53401fe9ece3e69fe6fc4028fccfea425778e1a77f3850ced1747d115e8aa44cd3814387d128a827b89b083e90542

Download Submit
C:\Windows\SysWOW64\Djhphncm.exe

Filesize
92KB

MD5
15f273b87f29b74d6a9b3150bbf3085c

SHA1
6f373ab61f323f44c2c0b32f2c7842ee53ccf002

SHA256
ea8acbf16518333c1a1cfba1c575ff55fa293ac5d1a6f2aba36c54982475faab

SHA512
16893795f3b326a7e01043d709155a55d6e2c2803efd1765bc94767ddd37115730cb36c04190add27c988b543f9812dba0340722b4b11e7703b4e17e3d079948

Download Submit
C:\Windows\SysWOW64\Dkqbaecc.exe

Filesize
92KB

MD5
2b273deaf0eb897e503c6c3d9bc5738e

SHA1
769175c20eb4209115670951ccb1fcd71554612e

SHA256
32a68b2a4958fc0bc382cd654cd373b58db9ece2d9072d77ef1b98791571c17e

SHA512
106bf44e6dbaf730819e5bde9716e46e729fe4eca4217651e17ecf961787577247b77120445335336fb48ef6d8ba7a37ae2a04835ef90a997bfcd516e8454128

Download Submit
C:\Windows\SysWOW64\Dlgldibq.exe

Filesize
92KB

MD5
554966195da35718dfe004d3e6e9c338

SHA1
440850e2f6101235dde0e15a17669c2ce5a26f06

SHA256
8496feab990a64eedfcf9fd4762ec7933e4c090de1442263dfadec1833c0b674

SHA512
d3534c7db7d727557e0391e3f98eee4d26f1e565d0614d8ffe9c712bb4d19ab7e7e40bf52e1224ccfe6d4e006eefe1f729fd14481b86373f442bdefa76040a80

Download Submit
C:\Windows\SysWOW64\Dnoomqbg.exe

Filesize
92KB

MD5
42c9e2df203afb9834363617d1b06bbe

SHA1
22554fb9efb1cd1f54bac2c805e2479614d19230

SHA256
ba446b5ab8ff5cdfa6bd8e11961e8dd4fec1b50516b38f1c31d4af3bd3a3aa7e

SHA512
8856e9f0dfbd2b0c4b5796e1e2f272b4491c63612d419f1f33abba5470ad47f32636151135f6abcdb89eda9996184b0671a631f5eb8c98c86982f5d8c64939e7

Download Submit
C:\Windows\SysWOW64\Dookgcij.exe

Filesize
92KB

MD5
2836df5a610042b164060375fd85668e

SHA1
7dd2eb788c081956eecbae6451624dba7c0cd4a7

SHA256
43faafb509cd8f4637592317f59a64040e3892a5eed2a25df173dfb4b64e11e5

SHA512
bb7809c1e448e83032add4ee6943b0f3c02ff04217c0dc2b998ddc2abb7aa9e8d03b4218c3f90c1b551445fc94bba3018ed7d9fb956b6ee20d214b1b365bcdea

Download Submit
C:\Windows\SysWOW64\Ebmgcohn.exe

Filesize
92KB

MD5
261b09ca3719284ed70b2e8dd3234d28

SHA1
55468359de91770ee83aaae85e62f17a8d389246

SHA256
9833511af9dc8840c27cdfe6576465d65823e2a744aa11850cf118c076eea112

SHA512
367f3e607c61a09cff49057ca7f85a8f5f88279b1106f31b8831c347488c5bca08d80d4e08af8088e9685adb4fea39ca08b7d08b9c9d562eab6a587ec7964d66

Download Submit
C:\Windows\SysWOW64\Ebodiofk.exe

Filesize
92KB

MD5
7c34917bffbb8de3d6a91ea37f6e9dbb

SHA1
bb019ca9cd0a0ef33398761c976f10eeccc51fd5

SHA256
bd62b10ab58b8344c9c6afca74d09f75218f7a57c977eabcb68ce9dadcbd0002

SHA512
42ac5149f3a8807d8819293dea4e5199c6c79cb03e91f285e66553e723cfc306bc7e99a8a423e0878b7bc0350b8b225f7acfec122d95c5c8acdc4fa46d2dcdb2

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
92KB

MD5
333b8c81cfc9592faf011f83d0ce940d

SHA1
d38d18509d931eddbc94015a697873b1ad905d7e

SHA256
b813d24b6c3aaf1519609f4a0e6579c49e6b8c4395bdbdb568993da925e41af6

SHA512
3581833f4a6f6dd922bcd80a0fcefedcda700af5d776f9bc37e014388b229669ccaeaea3b73b8b769e802653653424ff449a55408e58e5c068d8cb540476a117

Download Submit
C:\Windows\SysWOW64\Ecqqpgli.exe

Filesize
92KB

MD5
b1740722f670f1b7bcf429828c3f1c51

SHA1
6cf773e5dc6d3f0c920a258a7f46c2ef84586123

SHA256
ad947a5a65a255536adbd1c79413ac8e22a8a933b2afd49d954be2d87614d9c9

SHA512
8c485a1f871e42aef0169424a86722befea73c42e605a6bbaa51cd2c87fd08f81c04f472ba9aad97ea2ac06fa7251444e8198fc20aee3c36ce7613099c08e411

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
92KB

MD5
a33320e04a03ec75038af24462a76fe4

SHA1
cb423ce2fbe708503b68f238e8983056ec56e08a

SHA256
e6f271e0f7aadcc5205ce185f1d5206893c65d7ddc7089e3b874b60e8a19a6be

SHA512
a06ce327b33959d9fd52a9d49032c49c2bcf5370a7669a9471ad42a2c877a0c428aa6930281e924c580d9da6a75fa99564095a2cf51b2884a3121fb77624b5ac

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
92KB

MD5
05fd97f39129bc70a0523f39578410f1

SHA1
31ccd6bab12f21259cd501d7af7ff04b3d9cac54

SHA256
9f2ac220b7b0a359e782ca8f2e40e411442dc22f4767db1b1298c99907cbb8e1

SHA512
ad0ba2f11baeff84fd2155ce46564bff74e96118dfe77557f00b39b8b90c0ad3005a2ba77b0b32df85904df2830cf0f40ca1d5d1810e08e83684570eb2d497ae

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
92KB

MD5
d05f618434af6e219fcef2b01ba7e8e7

SHA1
4fa8cb16a08dcb948572f4c4480f96cc82a6a495

SHA256
47c931715fe13e37617fb501f9bba05d4be83be9b39416212dd8b4be9ac473d9

SHA512
c9f4f01ac0466bdab564dd7e00980427e741bcbda05f39292216aeb4261a979b42ec8e7f7a912b33daee539f2b88416a568b6b85d648807938f063a3b8297b4a

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
92KB

MD5
feb02e9325cfbd06060fddecfdd1aab6

SHA1
45f457770f17f5f4befb8aa8e3950cafe569b813

SHA256
a5302bd5c88b293388abea2b421783f1b2180c2ba948d6d8afec161b0a95df33

SHA512
7445cfad9ee80cfc3374f18d652cd2ab1d236f096683110629f438d3791519abf05561dbeeb89796940f63ca262aa1d3b02294875e4e9cae15b5b529705e375b

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
92KB

MD5
4f26a9c8c4c6f2b9502bd3b356d896c6

SHA1
af2c67043d84b257e01c7d4587d21969d2deb3d0

SHA256
49f554f18c289c2ad7ae1a34cc846dbda06014c6bb2f106673568edb681d8def

SHA512
89ea44b95c8107c32cc7d749ef5e98c51ea8627541fec939d70d54e05069192ec6ac18280aec767600e11d0cefcd39d5fb4f789cd2405d357e3a31bbc959b791

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
92KB

MD5
db4e74922040f59dec85536f249e54ea

SHA1
69e79db85856f11e3bf7698f39e1494c816767eb

SHA256
16d6358d0a5652b3ab65b827e7aa938ff2a3d640a83ef7233805d38af28e937b

SHA512
3d12930c7148ca8754c307ac8c48f9c21cf67a39ae3f1a6efb3e18f4fa06b89288bfaf7ba427e7dc9e22a5a1572f9dbac1537d3c51ba95d6b715ac8ffab7ace0

Download Submit
C:\Windows\SysWOW64\Eojnkg32.exe

Filesize
92KB

MD5
b1ffe1a44eb53b2d6aee27c36f0b9ebb

SHA1
f6008d6dd0b9bf516e6316097f464d49107d58e1

SHA256
0cdc54e955ee4531dd103a641e0532f72bcf480327db165ee73570e2cb377d53

SHA512
d562856cd786fec8225923a63a3fc33614aa21347f8332cc009da354f08ff2422c0ae7b93f97a2d018698e24dd5d0be41f4d1f24cfe370a2fefe73c108c6f04b

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
92KB

MD5
fc79d37035279c853135ebecbc0e935d

SHA1
7a98072be68ef956bd39a33b9b134477af0e003a

SHA256
20460aee6c45d8b2b08deafb728ced4b2a06663cd7fcfca88eff17914712e83c

SHA512
a8ffb6ecba69aa19af1a9e95e1b0ab3bbcadc45dc7ba0fc1c838aab40f9d594dccdb46bcb43623e42f9e452c89222eb14e9ba35f6c03a712102053e5d62a8ca6

Download Submit
\Windows\SysWOW64\Caknol32.exe

Filesize
92KB

MD5
a3be097c35d2f3a1e7838bb23822323f

SHA1
dd0e9d95d299a6466372c061932604041445dff0

SHA256
86785cdc660df1a77b778618305c53eaf0259a08207043012d8e563c70e21265

SHA512
3b7a288d57c1896764595c62b57463a8960e56c489ea94b9aecfca84bd9633961cfdd6552b9fbf17e76f5ad24adf671eb9646a924870f095d78eb90c37943e7b

Download Submit
\Windows\SysWOW64\Cjfccn32.exe

Filesize
92KB

MD5
8e8ae4718a0b82271c33426995da2794

SHA1
4cd8f5599c60b555617699a1a20c007c8bfb1c7f

SHA256
8ccf46ba755b1ab329684e81fcca85fe19e35b5a15942930229e8a03d6e5516e

SHA512
0f42bc8e9eadac04eb3cfa5cdda3ed8aed70b40745257ad91b74db987fa49a3cc99cc91c5db3176037492ea7b952d43037a12639cc6b6a360db1e78b1ce3a64e

Download Submit
\Windows\SysWOW64\Dccagcgk.exe

Filesize
92KB

MD5
2d8b85a5e4e725188ddeb6adbc52e59d

SHA1
226d44a771ee07142fb724076711329984a0350b

SHA256
69c528e3aff63a01fcde4a88f5eadd17d4ac16fa439d038ce4448b510b23b48b

SHA512
ff52287bdde17332155eb900fe614d0b279162a2f44a1c28e73146e39ff701a58d262af7476920941352b672c1bdc0c47156e995e6a323dc817f058ba183878f

Download Submit
\Windows\SysWOW64\Dfoqmo32.exe

Filesize
92KB

MD5
8e7b3272e4101697940606221ec7c56f

SHA1
3f1069778f60ce407c0f54155472522c194ab388

SHA256
01aa78eb4f5753c8321f5b93345925f1b3cb8d1443db2cc02485e75794f80dcf

SHA512
ba0dc1595fbd31d3a7ef6c49597b22412abcb1e6bdfbb8379a7b63245b92871dfe4a5ecfbddb8f4642fad302722652041cf33603bfd5d2ac3ad6cc1a6bbde1f6

Download Submit
\Windows\SysWOW64\Dhbfdjdp.exe

Filesize
92KB

MD5
d28c68cb1cdbf8226d9cd6c419aa4730

SHA1
adf8a7261fb9028384dfab49d1a8c36c7333b52b

SHA256
28cf60058660327a402cd43fcb2d53e11ccdeaf1550030fec482d091e73cfad7

SHA512
edfd1f4b896e817a099cebc70a089e04c92d54a24611baa96fbc499f19d8b4954d8a5dd057636fe4728c6be38b8ed491ab449f38daeec37dd48a287c28b1119a

Download Submit
\Windows\SysWOW64\Dliijipn.exe

Filesize
92KB

MD5
a58742fa0d15974099df6bb79a86a55f

SHA1
f73aafacdd6d0e52b80c29a216ac1df569055b97

SHA256
57a30d1bbcab9704fef31468a9624aee84d57854fdc2be3ddfcc7f763f06cc0f

SHA512
dc0c5643752966b517668a5e5be7d0504e3503772c5dbf9f5db91973bc08ac2b17793ba406b6537e4148d8f3b2b13516bb813a62c540668c200cec2f2de2b792

Download Submit
\Windows\SysWOW64\Dlkepi32.exe

Filesize
92KB

MD5
9f789e1454f2329174055a52723f74f7

SHA1
37297ad893d81af4cf9840f2c208be613f1ae1ce

SHA256
ed89a41d87bb392dfcd77ef72c94f08b70df66c5d96813d7f4adbea131f6e968

SHA512
d168b93afcae14209a9cdaf029d65da92d8114270f0e55140e77d3fcae9e1b32db6dda023b3df456608247beefff711d8bfceee9a4898a81d9be2abdb7364bbc

Download Submit
memory/396-185-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-409-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-193-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/584-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/584-113-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/592-105-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/592-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/784-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/784-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/784-302-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/784-303-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1168-261-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1168-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1168-405-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1168-257-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1232-408-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1232-158-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1544-282-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/1544-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1544-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1564-314-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/1564-309-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/1564-397-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1564-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1716-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1716-211-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1716-219-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1732-292-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/1732-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-399-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1856-407-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1856-166-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2056-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-231-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2060-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2092-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2092-334-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2092-335-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2120-402-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2120-240-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2120-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-358-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2132-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-347-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-13-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2132-12-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2136-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2424-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2424-379-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2452-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2452-74-0x0000000000480000-0x00000000004B6000-memory.dmp

Filesize
216KB

Download
memory/2652-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-50-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2656-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2684-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2684-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2684-342-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2684-346-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2708-323-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2708-396-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-324-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2732-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-35-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2732-373-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-415-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-269-0x0000000001FC0000-0x0000000001FF6000-memory.dmp

Filesize
216KB

Download
memory/2768-272-0x0000000001FC0000-0x0000000001FF6000-memory.dmp

Filesize
216KB

Download
memory/2768-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-247-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2912-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2912-61-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2924-131-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2924-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2932-87-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2932-393-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-140-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2952-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2964-391-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-368-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads