berbew | 1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dba

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 00:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
Size

93KB
MD5

d2692882a57df453090c94a843724810
SHA1

75c7e3ee351359e22377507f1e1c6c962b3a2672
SHA256

1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dba
SHA512

539d11429717fd4f098e67030e4f91fb68002c50be250cf75b6dae785394f30b3630f2c151e0684c9686cadb9ffafcd03acc76fcf5e975ae4cc21a5c96dea42f
SSDEEP

1536:Sw0W3g8GYWPiACm+Ee/AjIZN1DaYfMZRWuLsV+1j:oh8GYUiP6jILgYfc0DV+1j

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 34 IoCs

pid	Process
676	Banllbdn.exe
716	Bfkedibe.exe
2364	Bmemac32.exe
4936	Chjaol32.exe
4596	Cmgjgcgo.exe
868	Cdabcm32.exe
1144	Cfpnph32.exe
2316	Cmiflbel.exe
1164	Cdcoim32.exe
4676	Cjmgfgdf.exe
1564	Cagobalc.exe
1132	Cjpckf32.exe
1176	Ceehho32.exe
4556	Cffdpghg.exe
4156	Cmqmma32.exe
3636	Dhfajjoj.exe
2092	Dopigd32.exe
3472	Dejacond.exe
4944	Djgjlelk.exe
2848	Dmefhako.exe
3408	Dfnjafap.exe
1472	Dkifae32.exe
4684	Dmgbnq32.exe
4456	Deokon32.exe
1448	Dhmgki32.exe
4680	Dkkcge32.exe
3756	Dogogcpo.exe
316	Dmjocp32.exe
1280	Daekdooc.exe
4804	Dddhpjof.exe
1000	Dhocqigp.exe
3340	Dgbdlf32.exe
4460	Doilmc32.exe
3044	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1576	3044	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 676	3700	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe	83
PID 3700 wrote to memory of 676	3700	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe	83
PID 3700 wrote to memory of 676	3700	1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe	83
PID 676 wrote to memory of 716	676	Banllbdn.exe	84
PID 676 wrote to memory of 716	676	Banllbdn.exe	84
PID 676 wrote to memory of 716	676	Banllbdn.exe	84
PID 716 wrote to memory of 2364	716	Bfkedibe.exe	85
PID 716 wrote to memory of 2364	716	Bfkedibe.exe	85
PID 716 wrote to memory of 2364	716	Bfkedibe.exe	85
PID 2364 wrote to memory of 4936	2364	Bmemac32.exe	86
PID 2364 wrote to memory of 4936	2364	Bmemac32.exe	86
PID 2364 wrote to memory of 4936	2364	Bmemac32.exe	86
PID 4936 wrote to memory of 4596	4936	Chjaol32.exe	87
PID 4936 wrote to memory of 4596	4936	Chjaol32.exe	87
PID 4936 wrote to memory of 4596	4936	Chjaol32.exe	87
PID 4596 wrote to memory of 868	4596	Cmgjgcgo.exe	88
PID 4596 wrote to memory of 868	4596	Cmgjgcgo.exe	88
PID 4596 wrote to memory of 868	4596	Cmgjgcgo.exe	88
PID 868 wrote to memory of 1144	868	Cdabcm32.exe	89
PID 868 wrote to memory of 1144	868	Cdabcm32.exe	89
PID 868 wrote to memory of 1144	868	Cdabcm32.exe	89
PID 1144 wrote to memory of 2316	1144	Cfpnph32.exe	90
PID 1144 wrote to memory of 2316	1144	Cfpnph32.exe	90
PID 1144 wrote to memory of 2316	1144	Cfpnph32.exe	90
PID 2316 wrote to memory of 1164	2316	Cmiflbel.exe	91
PID 2316 wrote to memory of 1164	2316	Cmiflbel.exe	91
PID 2316 wrote to memory of 1164	2316	Cmiflbel.exe	91
PID 1164 wrote to memory of 4676	1164	Cdcoim32.exe	92
PID 1164 wrote to memory of 4676	1164	Cdcoim32.exe	92
PID 1164 wrote to memory of 4676	1164	Cdcoim32.exe	92
PID 4676 wrote to memory of 1564	4676	Cjmgfgdf.exe	93
PID 4676 wrote to memory of 1564	4676	Cjmgfgdf.exe	93
PID 4676 wrote to memory of 1564	4676	Cjmgfgdf.exe	93
PID 1564 wrote to memory of 1132	1564	Cagobalc.exe	94
PID 1564 wrote to memory of 1132	1564	Cagobalc.exe	94
PID 1564 wrote to memory of 1132	1564	Cagobalc.exe	94
PID 1132 wrote to memory of 1176	1132	Cjpckf32.exe	95
PID 1132 wrote to memory of 1176	1132	Cjpckf32.exe	95
PID 1132 wrote to memory of 1176	1132	Cjpckf32.exe	95
PID 1176 wrote to memory of 4556	1176	Ceehho32.exe	96
PID 1176 wrote to memory of 4556	1176	Ceehho32.exe	96
PID 1176 wrote to memory of 4556	1176	Ceehho32.exe	96
PID 4556 wrote to memory of 4156	4556	Cffdpghg.exe	97
PID 4556 wrote to memory of 4156	4556	Cffdpghg.exe	97
PID 4556 wrote to memory of 4156	4556	Cffdpghg.exe	97
PID 4156 wrote to memory of 3636	4156	Cmqmma32.exe	98
PID 4156 wrote to memory of 3636	4156	Cmqmma32.exe	98
PID 4156 wrote to memory of 3636	4156	Cmqmma32.exe	98
PID 3636 wrote to memory of 2092	3636	Dhfajjoj.exe	99
PID 3636 wrote to memory of 2092	3636	Dhfajjoj.exe	99
PID 3636 wrote to memory of 2092	3636	Dhfajjoj.exe	99
PID 2092 wrote to memory of 3472	2092	Dopigd32.exe	100
PID 2092 wrote to memory of 3472	2092	Dopigd32.exe	100
PID 2092 wrote to memory of 3472	2092	Dopigd32.exe	100
PID 3472 wrote to memory of 4944	3472	Dejacond.exe	101
PID 3472 wrote to memory of 4944	3472	Dejacond.exe	101
PID 3472 wrote to memory of 4944	3472	Dejacond.exe	101
PID 4944 wrote to memory of 2848	4944	Djgjlelk.exe	102
PID 4944 wrote to memory of 2848	4944	Djgjlelk.exe	102
PID 4944 wrote to memory of 2848	4944	Djgjlelk.exe	102
PID 2848 wrote to memory of 3408	2848	Dmefhako.exe	103
PID 2848 wrote to memory of 3408	2848	Dmefhako.exe	103
PID 2848 wrote to memory of 3408	2848	Dmefhako.exe	103
PID 3408 wrote to memory of 1472	3408	Dfnjafap.exe	104

C:\Users\Admin\AppData\Local\Temp\1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe
"C:\Users\Admin\AppData\Local\Temp\1981475f27e22f1dc23f745cdd211e7c7f804f7a754fd404a646849c44924dbaN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\Banllbdn.exe
  C:\Windows\system32\Banllbdn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\Bfkedibe.exe
    C:\Windows\system32\Bfkedibe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\SysWOW64\Bmemac32.exe
      C:\Windows\system32\Bmemac32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 396
        36⤵
        Program crash
        
        PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3044 -ip 3044
1⤵
PID:444

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
93KB

MD5
669c63c1690ffe05f78ea4de8f13635e

SHA1
2d26048090757b7725fb4000c3570d6e7d8b60b3

SHA256
6e0006573cd2decb5f80538ada554e8b376c404dcd6fcbe7f2e5dcf84b97a018

SHA512
64dcd17e3be594480342f158885fbcd16cf4bbed0b77c275e8710f07e5158aa4375334b682d40672111806bbfae2739cafd6c469557c1d5f9bb15fcb633a0532

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
93KB

MD5
3b4dc0856024f224d05f997c98dc0a1f

SHA1
b6386ad7af92b69bc17b28de6d33d8eb00751df0

SHA256
d3547b6c257db684f88b87a9507fbd6514233823215099bc8ec531cd0e94e858

SHA512
dde81b27ae21912b1f777e44c34a21bc0c47d817b21cbd0f331f13ddf6e34a767cc3a2cbc83a93e0d5c2166e288ccfcfa90f197f17c0cd4680e82d361a270c9d

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
93KB

MD5
4fb70e21a185169307ddd7c3933cf944

SHA1
a6fda858fbd79001e03121c9a86b54199478e456

SHA256
165cd996dfa8007268abb49337863ad3a2de46f3df606c1a4d2ceb12efccbb00

SHA512
e92066ccb37af36562ed63f2f4473ceafd76742bdd7ca7d8dbe02a65782d5cacd55ab6325e882fb1f7641c1f91dd233643055702af405a53ca35f96a5bddd1a0

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
93KB

MD5
399e014b611855bd8da40683604ab34c

SHA1
6a28d7dbff2cb2590c5bc9b6753cf87a10b08692

SHA256
17fe2d03e24daef7c7fc6c44e3a59f4cc9dd295cc68963043816f8a2ab4c4db4

SHA512
53cfa8e6ff13ea5f481d5222c6d415d21820107038024efc672c42af874eecbfeb2d293d5f738556238cd50acc4be80418900741fbbd8a2707a5e6bc771fc061

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
93KB

MD5
ae4b8f0590a8a17ed7f91d94aef3e9f9

SHA1
248ca9cb080e6fa4b61f29c558b39c0ad91a3dc8

SHA256
5f473df85c97fa7b8bc346752f5c7cfabea0a028e05133b45f333a9fbdfed823

SHA512
bedd6b0875dd1313aac175e38aedc34b1c8779f65d3f15abd4a9d6d6408ab7a78ab1c1c36f28b645b369f13dcc11eaf9b5c9fc4562fb233fe98f7c8ce72ef635

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
93KB

MD5
4d98dda68508214af0e283e9f3460d7e

SHA1
57f72b5aa4ad9c9de67361938a95459289d07538

SHA256
25a5d501eacb185530f7ba0a2a7452444a0a84ad885881ccfe29c0406039c477

SHA512
7dfd093f00d51baf2413b54d15ea5ec3e0a836066bd180f1458a72ca56e80f913fdf5a25d10b7222a2ba2304df61b0f24b6dd9791aa6a268fcd6c25d05f31579

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
93KB

MD5
fe1bf0ef736d70cdb71f3e5e2c89f408

SHA1
aa433f9846d8110e83039abed377667de97584cb

SHA256
3263eb997e50277d3c9a1cd40619ee3d372c984e6c03e9a816455167d0a0c07f

SHA512
9606d40955aec91bd3373ffeb3dbd9ba1467912bedcfb838048bb50cdf00f97072277384c726b5eb999785602fab3afcf188b09f62b6b5ecf31dc766f401af9e

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
3b06e899dad05d74a081693c84e83d04

SHA1
0a9fa3d26cfa383131e1af1fdd8cc86f5fd04f61

SHA256
aa9cbc16566224a1bf3e0df982f9e0716fcb489670f9125e993353f580c3c584

SHA512
818d5719f69b9146aa1129d2f6e005e2f9f78881ad82202c9bf1382f84fbee54798976b1b33189a0a147addf3b47b1623443ec7ef08843a86913d87a5dcbf1df

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
93KB

MD5
180186df3c5aef737c7a7139af25ac90

SHA1
4c8257a6754189d602552d3b5d73b49f9d51b5b5

SHA256
f2422d1059b4fea7e77ef2da067ef789c7e693902b284711b615f320233dc607

SHA512
0749c2b1a417854e260efa9e25dfb6a370ec478bbab6c75d089869c7541f0a7ed17900232f5aba8ad79a73fb2130154f44d544736b8f21009fb9dd7fbf82eedf

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
93KB

MD5
5d5d2b5d1c2d81abccad928b4742501c

SHA1
dc2118801d84d84d9f8859930b79736dbad1af4b

SHA256
e0c1d32fba4230783157d74fb6e5d72ee587367b582da7dc6f70490e65f80d33

SHA512
8f591d5e475e2025aa687feb2ed1b3f2f6993a43366b0b132cdc78e9f405ce6316dfaf0cbaedd011f596f426bed5ecf27360335fb9a3e47433fd8fd498cbf200

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
93KB

MD5
91d240f071753178c703a0967db0e92c

SHA1
0d53ee50e948c856e679b780145b5e3c165ca54f

SHA256
3cb766065c333bf7ae66e164c47e607534dc0968f2dd38d5ce9dd8f6f66e08bd

SHA512
a86e1bd17cc4346b675bb4a0dfa2206018677deb2d71998747e353a1ef65da22e15feb57f582b11a167fa57ee378254ca06b96a2da4f108af485890de45f6071

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
93KB

MD5
4e9e1c0d5937cc765475b9d03bdc7eb5

SHA1
2efb35d6588bc828c179709a0b79680ff7c16337

SHA256
72c9767b2b9d415782fd6b737041b48ca31c38efc2e96584973caaee9c0af79c

SHA512
b92faad40d7a0f36724bfec52efb087edc30b31c7d6b81966d5d526382f694f323828a3e1a02df8cb07eb77cdd584c813c4573cd06e17d0d3e40f932dc0752e9

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
93KB

MD5
c2f2d42b69d078085434d6f4a811c82d

SHA1
9924aac2f50db384b53d10b8e91ee509d7e99f14

SHA256
86a7be7c8d29a2f8ad6e34697f2b448944c5b41f9901388840d6b853af9c257c

SHA512
21acf2162b1b799c62f327450a857e0018de034c24cdb023101a64ebcef67ecf6e48bc0610411803d9ea0a05b701e91bbfd89526233691fa5453c15799660c0e

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
93KB

MD5
796fd4b857a055b880418e72830f7d9e

SHA1
aa98aa9d62d50d18b40fb5ea4820ff1d727ee15a

SHA256
654401f7e1c25fdb552631ce3c48965e818c641f2c89869eebb08e457ede7b24

SHA512
e64c87805cf65262ebc8f1a241d5497ebcb247052fa5e923835aaa524bab9bebcfdc99649d4707fcd842bd38719f0ed41d17dead32e4d60e0c356ee61fe10528

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
93KB

MD5
d934c630d2d84c38395b863fd514fadc

SHA1
207538179f940630c3b68071961d469bda54bbdc

SHA256
a64c0d19bd3702884845f5169cbefdb9c0444f640d1429c0df4ab808cc8df6f4

SHA512
54544b5a53be2f7505dfeec904204c0077ad478ef3cc05a944bf5662635cc81e05090fde84ce254cfae209dfd9bfdb9fa392b0871ebfaa3d8e5a7207af5363e9

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
93KB

MD5
b58d9c5b4e32342fd29990c9f618fec8

SHA1
63900ef76654b2977cc4ab4118369cd89dd7a81b

SHA256
61aa31e94efea5cda8ab507969c9e42f010dc80e3fbd11fdc79f7871326d98dd

SHA512
cf7e43818e9303ea2a6ad6934c150f2536367c58177521042e808b13b9826579e7eab250c8b950c2653563654e80914c261bc80934a87aff46d969291ae1f55e

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
93KB

MD5
84cf66c79860f4ebd873ec407a94463e

SHA1
95bfca831c305c53dd6c9e78f7a69b363a163d99

SHA256
ff30dc691db4ad03681bd16177bd333e2096445bf06f7ed94e7a531137843152

SHA512
943271e601edf719f488f5ddb8f8b2e9acfca0ae2a6c4c642dce2e3b8aff0ede911c70f81f3a3610c4aa5830f19caf1f68a8e0760ed745c6204cd195b33826be

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
93KB

MD5
88eff82264bf15365b9bf9d1f939849e

SHA1
139716e5e5998703cd7cd201f821466c85853595

SHA256
719ec3420fe7d0fc3189f4300f9fd32b9a4995af3562e3d8fa46406ea26fd1be

SHA512
f387153fa94f889b50bfdb015514813b0f0c20e0088b4d29fbda17485872ea4740f58a1544218225be7763e9cbe0d38ccef1e52f0fc66e1b625e04b01a3a639a

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
d3c8374f4196ceb83ce87118fb2b66de

SHA1
d786f866a60b0b73fe78c7ad13efcd05f2e433c4

SHA256
34d925a9283b5dc0e61baa238e6cf6c4d9bc3413470d621925f84383c317e482

SHA512
4b4463dd19b72f2817ab11e5064b4bb3a2b59cc1f4d0bddff1b0fcd32201722dbcc48ba588a81b45cfb3568d8a24a8657afb00e1db1c18692951aa429297c221

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
93KB

MD5
6f7fa82244bea797596127bc60a5d2bf

SHA1
11cd1ce64a649a1516e8891df45ca8de2f5cc10b

SHA256
cb591f80420a63ff0d7c156d2aec048ed9638952a0ab63a4f5b2605be7c0cfd7

SHA512
b1cee45f61ee0346d8bb5fdf316e5f4012568533cd4374ba409c6f293878bbb4b2bbc57b2e970e07fcf90f837ca5f913dec18d77984f0d96a4bdaad380d4ce50

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
93KB

MD5
d1c43d37eb97c3141bc49be3ceadf2b3

SHA1
33eba82864baa4e65e77babf97b9ce3b0502632f

SHA256
7242903bd5a01013f606d2d16bfc99bf099f3e5fef88d205f9c73d10aa49034f

SHA512
ce8b1ab018cb09a0db51ec854cf1cfa61db4cbaee18370effbb5898497d7fbdca672f2f11870d340345669220343f548049a26a16fde950bee1c1cd768ae0370

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
93KB

MD5
052bc8f7498a1f254e32b8c15a47c97e

SHA1
e8d0aca1ec05902f9e5b8f201c275b55f0d82846

SHA256
c2b036c00e965d624124045198fe6e4df42e7ca60338e30a56870fc4193029d7

SHA512
747bd3a17375e00913a696c95a0f7b8e42534d7adc4a924fa4bb458c51c96cf3d0a553ccda90d84e1515f255927b7bcbc14114eb94f8db9d16b7b65a83a42722

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
93KB

MD5
17ced8d07f22d3ee5ff4b785d5496233

SHA1
ae737a7bf96e853b830bcc7dc9918c8b519d4f28

SHA256
0158098876bcf1f38950934cb5182b3d14debb6d078d30d09060e3a089cc8dba

SHA512
3bdee79cd50d8a3f7bb1555ff3bf364fd26798496a13a2f09f0c835a385b2cad1f3a6d08e35f4fe7417952bfb4b7fe54f98a83d9340809ec16d04c5ebb46c78d

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
93KB

MD5
674f19750d3f46f1f16ea3e9fe688487

SHA1
b4ea1d6a45101a783c6ae1fcb986ce4fb04574d1

SHA256
7e6b0ba4423c0fb0c09f1a358dbe2eda3cd615d3773adaddcf917e0993815a91

SHA512
f5897d74c7a2986e1ac6e0c6584d5eab631d6192f23726d2b5c2c7e1ea2b7fd97896fc58b094ebda3f5182744cea5d03114119b6f9c0365d8b39ba22df2b3cb1

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
93KB

MD5
3a910e7ced14ed604d516ccc10debcc3

SHA1
c6bdd73d07f73df5978aefe1e3390245d1936cb1

SHA256
6949ed3bb4dbbc140958ea9ea6dfc268e74255f7cb7406c6b769dd11ef790a00

SHA512
f5809b4669f4a324da05eba94c1b00ebbaf30a95e0a0e4a420ebe6a7e87171060aede79feea3c34db8151d6cba8de64f15c5e9d7a19ff4bc330cb3f6eb1a8c83

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
93KB

MD5
7dc8532d636f8e71330146575e904cee

SHA1
b5d7e7723209bf154ae234bd469128731fd3763e

SHA256
8c2b457fd51181293cfd4ec95697d9622dcf14040e6a872420915e52977546a4

SHA512
78b91711f3a8c3ecaf308c17a07bf3a48fcd5c50326345bb7a612053a6360fa6b0a920724dfbcbf7eb1f71b5a1a0538190ad39ffbba08b9becc60e339691dd28

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
93KB

MD5
f626670500a73605da866575948fb165

SHA1
a8fb989133a8e9c1fc2f1b5bf9a20d627b065972

SHA256
133ac1e1a3155265fb144afd4b91cb7c275cc8f280b5c6b43ac06e0fcb64198f

SHA512
f2acaf99fe2493cd53b125a063a98990cd1dee49b23c308b5376939593291973863bf9ad45677946706955e16827e76d668e6eee134333a477cc8dbde446751a

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
93KB

MD5
d3ff05c2143bb6496e5f47ee4fe89f63

SHA1
da8def3ce13548993de22ffac7d44fc2ad7fff58

SHA256
12bcce68beab32cb2da397ecc7758460b5342d6ddbb368265b2cfeaecc3b4e3c

SHA512
1048b5e75bcd98870a537fd79f604eb024bde087cbc54f52d646724360e21c9cf5a71e7b06625bca08bf067ba092e895e102a623d8070b9480b1a0671c8f86a3

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
93KB

MD5
b58fcde2eb2dd770d0b7dca0baa19c67

SHA1
64ee32417bcb2d9cc1db218ade1901eeef3538c2

SHA256
ff7feb3439c01eb18b0c414ec6f15c1f9bb77c6ccbe8a52b8e5905a72e126465

SHA512
b90bd3da190a479ce3ed86b8ed0b75fa08d5e3c16d0947179eef602619ba97e7ff76117f675058597bb98c65ea33f365eb0dc413d60b0235bc994ee6c9adc296

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
6b965bf951928e05efb4559de2b38578

SHA1
ac5b52f1063a68fde20e346418496dcb32667559

SHA256
db674ecf73ce594ea80bc0894473e51f6e8fb3bd36a01186d550b5268453c15b

SHA512
348ed530a87f8ba8c2d02bab5b2e67e236f449b47e8ac4dfa05ea3ccb92d94d772fbfeeceefe3fe7b75c411c07e7c4ecf357e52bb52df9a9dc18aa075175a2e1

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
93KB

MD5
c35a52b193832a875e6d4f8949e0654d

SHA1
df3a315979f7281786d92a7ae40668116977319f

SHA256
ebb67d68b21cadec27d9a2f3a6f565fdb8e2ea2f1c55ca210fc0fab467946fcf

SHA512
375ee59d837b7631d71305f9dc25cf1ac90543b364cc6a0e5e466b27d6a40472a489b4d349e5be643446babaedc238516bb71851ce8a905d46025d0596572e90

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
93KB

MD5
6695e340a1d026601475735f0a0ec894

SHA1
fec7da18591542d8d2d54a1bec369274050d3e11

SHA256
8a604d8b273f7a8b7db4ecfcdfca91079491a6cb17183ab7d5971a4d04f82232

SHA512
a0c538f4b56e3d5c34522fe3d6bee53e4ff4059f10a2cf5c65574efb383cbd6580df4ff0e53df7c98693e36bbb8281190a056486f5ab12c0bec589537ef0c1d4

Download Submit
memory/316-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3756-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.