berbew | 58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f

Analysis

max time kernel
96s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
Size

64KB
MD5

dda6140df84df0fcafd10531dad68816
SHA1

d7944058ac70eb42ceac1523792c96a43553762c
SHA256

58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f
SHA512

38191c43e959c9f247e95695c95037dd7534cc83f0776a188397f780454eb42def637502cc19144416c9f397706b36db6ffa70e8b4c7e4db43fd24d9f0d5153e
SSDEEP

1536:w0/zCtw5DHjQD1qA6+Z0K8C0XHLp/ZuYDPU:9zyw5DHMZz6RXHLp/ZuY7U

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 35 IoCs

pid	Process
2400	Chagok32.exe
3140	Cjpckf32.exe
3032	Cmnpgb32.exe
1612	Cajlhqjp.exe
3128	Ceehho32.exe
3960	Chcddk32.exe
1592	Cjbpaf32.exe
3412	Cnnlaehj.exe
4288	Calhnpgn.exe
2260	Ddjejl32.exe
2032	Dhfajjoj.exe
4480	Djdmffnn.exe
2512	Dopigd32.exe
5008	Dmcibama.exe
3304	Dejacond.exe
1264	Ddmaok32.exe
2228	Dfknkg32.exe
4472	Djgjlelk.exe
3028	Dmefhako.exe
3772	Delnin32.exe
1580	Ddonekbl.exe
3348	Dfnjafap.exe
1596	Dkifae32.exe
1492	Dmgbnq32.exe
1116	Daconoae.exe
3532	Ddakjkqi.exe
3848	Dhmgki32.exe
3272	Dkkcge32.exe
3472	Dogogcpo.exe
4668	Daekdooc.exe
2956	Deagdn32.exe
3640	Dhocqigp.exe
528	Dgbdlf32.exe
4532	Doilmc32.exe
4508	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process
916	4508	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2400	1792	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe	82
PID 1792 wrote to memory of 2400	1792	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe	82
PID 1792 wrote to memory of 2400	1792	58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe	82
PID 2400 wrote to memory of 3140	2400	Chagok32.exe	83
PID 2400 wrote to memory of 3140	2400	Chagok32.exe	83
PID 2400 wrote to memory of 3140	2400	Chagok32.exe	83
PID 3140 wrote to memory of 3032	3140	Cjpckf32.exe	84
PID 3140 wrote to memory of 3032	3140	Cjpckf32.exe	84
PID 3140 wrote to memory of 3032	3140	Cjpckf32.exe	84
PID 3032 wrote to memory of 1612	3032	Cmnpgb32.exe	85
PID 3032 wrote to memory of 1612	3032	Cmnpgb32.exe	85
PID 3032 wrote to memory of 1612	3032	Cmnpgb32.exe	85
PID 1612 wrote to memory of 3128	1612	Cajlhqjp.exe	86
PID 1612 wrote to memory of 3128	1612	Cajlhqjp.exe	86
PID 1612 wrote to memory of 3128	1612	Cajlhqjp.exe	86
PID 3128 wrote to memory of 3960	3128	Ceehho32.exe	87
PID 3128 wrote to memory of 3960	3128	Ceehho32.exe	87
PID 3128 wrote to memory of 3960	3128	Ceehho32.exe	87
PID 3960 wrote to memory of 1592	3960	Chcddk32.exe	88
PID 3960 wrote to memory of 1592	3960	Chcddk32.exe	88
PID 3960 wrote to memory of 1592	3960	Chcddk32.exe	88
PID 1592 wrote to memory of 3412	1592	Cjbpaf32.exe	89
PID 1592 wrote to memory of 3412	1592	Cjbpaf32.exe	89
PID 1592 wrote to memory of 3412	1592	Cjbpaf32.exe	89
PID 3412 wrote to memory of 4288	3412	Cnnlaehj.exe	90
PID 3412 wrote to memory of 4288	3412	Cnnlaehj.exe	90
PID 3412 wrote to memory of 4288	3412	Cnnlaehj.exe	90
PID 4288 wrote to memory of 2260	4288	Calhnpgn.exe	91
PID 4288 wrote to memory of 2260	4288	Calhnpgn.exe	91
PID 4288 wrote to memory of 2260	4288	Calhnpgn.exe	91
PID 2260 wrote to memory of 2032	2260	Ddjejl32.exe	92
PID 2260 wrote to memory of 2032	2260	Ddjejl32.exe	92
PID 2260 wrote to memory of 2032	2260	Ddjejl32.exe	92
PID 2032 wrote to memory of 4480	2032	Dhfajjoj.exe	93
PID 2032 wrote to memory of 4480	2032	Dhfajjoj.exe	93
PID 2032 wrote to memory of 4480	2032	Dhfajjoj.exe	93
PID 4480 wrote to memory of 2512	4480	Djdmffnn.exe	94
PID 4480 wrote to memory of 2512	4480	Djdmffnn.exe	94
PID 4480 wrote to memory of 2512	4480	Djdmffnn.exe	94
PID 2512 wrote to memory of 5008	2512	Dopigd32.exe	95
PID 2512 wrote to memory of 5008	2512	Dopigd32.exe	95
PID 2512 wrote to memory of 5008	2512	Dopigd32.exe	95
PID 5008 wrote to memory of 3304	5008	Dmcibama.exe	96
PID 5008 wrote to memory of 3304	5008	Dmcibama.exe	96
PID 5008 wrote to memory of 3304	5008	Dmcibama.exe	96
PID 3304 wrote to memory of 1264	3304	Dejacond.exe	97
PID 3304 wrote to memory of 1264	3304	Dejacond.exe	97
PID 3304 wrote to memory of 1264	3304	Dejacond.exe	97
PID 1264 wrote to memory of 2228	1264	Ddmaok32.exe	98
PID 1264 wrote to memory of 2228	1264	Ddmaok32.exe	98
PID 1264 wrote to memory of 2228	1264	Ddmaok32.exe	98
PID 2228 wrote to memory of 4472	2228	Dfknkg32.exe	99
PID 2228 wrote to memory of 4472	2228	Dfknkg32.exe	99
PID 2228 wrote to memory of 4472	2228	Dfknkg32.exe	99
PID 4472 wrote to memory of 3028	4472	Djgjlelk.exe	100
PID 4472 wrote to memory of 3028	4472	Djgjlelk.exe	100
PID 4472 wrote to memory of 3028	4472	Djgjlelk.exe	100
PID 3028 wrote to memory of 3772	3028	Dmefhako.exe	101
PID 3028 wrote to memory of 3772	3028	Dmefhako.exe	101
PID 3028 wrote to memory of 3772	3028	Dmefhako.exe	101
PID 3772 wrote to memory of 1580	3772	Delnin32.exe	102
PID 3772 wrote to memory of 1580	3772	Delnin32.exe	102
PID 3772 wrote to memory of 1580	3772	Delnin32.exe	102
PID 1580 wrote to memory of 3348	1580	Ddonekbl.exe	103

C:\Users\Admin\AppData\Local\Temp\58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe
"C:\Users\Admin\AppData\Local\Temp\58c049ecab3581a3c7f1e5976d8c598dedca75f09e742b6329feb46489be056f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\Chagok32.exe
  C:\Windows\system32\Chagok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\Cjpckf32.exe
    C:\Windows\system32\Cjpckf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\SysWOW64\Cmnpgb32.exe
      C:\Windows\system32\Cmnpgb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 396
        37⤵
        Program crash
        
        PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4508 -ip 4508
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
81dcbbee4cfdcb292f61bbf9b80a2ec6

SHA1
918483a9a7350d4776a109553b232a6fd939dce9

SHA256
c205a909374640d0fbca6e271f61159fc592ac4a22222970dd9e2f780be49874

SHA512
b058ed5b1c8c00e5ae2332759efd3e36f7c43d6b7006b8a2350caffa73187645e7e8fed52c0438de6ae92843c5a2e8cc0b12193c2a1b7fc7d803849e04d52cd5

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
6bf669470b68291bcc11d037b09ef34b

SHA1
596bc927a68bd1010f55755917914b78dfa90607

SHA256
951e6019d918a6d764899a2b98c7e2f6f08ea74df1de12dee27f31599faa2113

SHA512
6eddd75f73078d2e50819e4b4e10bdd8c57f5897d80f21c28ba3c4706fca8481a5ba706d7790564c77d1abc43dda637c791be3ceaa01a11748d916897825e485

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
192ed0f1b0a99b6ef8a03e08d0646439

SHA1
3f2106cfdc2585ed77b90b8beb725ccc1988aa65

SHA256
634719cf746f1635cdcc1b289b022a425c9f0a7b379642eb30263781b77a96f3

SHA512
83179b63189bd8bea6f9cdc9732b58a8e8cb9368a580cbc58d5e3ad4240ae990e5d0de5176af7ec58965b146843f9d51162596df8bb02ebca06e271488d4614b

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
64KB

MD5
d3786ebae4cc17c0bdf1c2a27b85271c

SHA1
387d14a9fd9f50b627f32b90d562c11d3f5eb7e5

SHA256
b18d794830c1f6c83af68d42b09f406cd060ec9056e6a29f8fc43e9e731e6b18

SHA512
a44463fdec81ffe668a17d5b702eeb283dd66c8b54f661e8da4b51cf647ee403c0cac0e0ea4359f81435f032abef493bac071f4584bce81faa15b1808a02651b

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
45da3c558175dc38d1c5bb98d574060c

SHA1
d4e243402d29746b437ea4e2c65e278f79c98dda

SHA256
1b3480193f0c75f1c8a24c4c83ff598411023d2421e96ac3c0cea2e899622cab

SHA512
0aa478c75fc8804337717b2ff3afe0e0a4f60fb360eeef8c5f064a103df7b72b66cd269f85f21e4a8d384fc9dab328fe8bb57a74e8d656595a4d73d381caad50

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
6c4300bd985deed452de618d9aca5687

SHA1
349a5e5a53e860fa5a817bb0d5c7a6c49d52bab4

SHA256
200f2cac07dacae8865b1fdc2695fa2ec60d81162bcd2ecf32c0bce87fe6590d

SHA512
106f4467bcd7729ac774071451f85bf00da88b4b77b816b20b946958edc771382658b23af0a5caf22574459517d94ed2fec135e536fe082ae6d721748d7aec30

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
0f85a458b681a0f016eeb0f6882a3c2f

SHA1
b3a92be2ac3025af4e37e9dcd1f6b5445becc9e0

SHA256
1ee8031a0988f8d9f087938111b892cf93797814e955c8d4785076924d88bbf4

SHA512
f3d191d6d57500930d0600c2d7e3d098717f83b75c57b49d891bc064de2073d209bfeee545bc59f5ce486bc1b4df4895d57d88444e4b8d733fa5ad0051d8747b

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
f8df0e725705d89353baee28586bdf8c

SHA1
d5f8466e2b2d5e7f6dd94f0ed16ca84908d8089c

SHA256
0fe9ba75c3387baa1db1b03afaff3acd6d16aa8d976005c967092a49ef4cb9e8

SHA512
4250d2c9acbe5c950758d4d7e044a610ab96761e008508903f27f3754d1265ca23feabad528cbcc75efa6384d2622a03070f44c25b0351489587e279a5152993

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
1f93a9d83054cb0e20a9fa4ba3addf2e

SHA1
0d4d6cbcff56cb59fc54c40167f4336903fb80f2

SHA256
b0dcedd32873b7377271b7c763f76c113cb938126f666e74c90bba1201a47f77

SHA512
b136694d6366b9034e6ff2fd6fe171ab183b09212940f5f7f2c71a6c9c3ca675c58960e23f4ce5713896e2d0e37b59773a9bf4ecd83535e79ce84b186a0f6e52

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
64KB

MD5
5b8300f393b48723b91f457348f1ddd3

SHA1
5646015248d02267e8fe48c07d3885690ae8025b

SHA256
33f5edd97c89fbbc95951d8f82237890beb518d15a5542ed218ded9577192b87

SHA512
52b19c6ddf1e93d5d647cc437c96037cae0bd0542af1ab13971e17c8882c00afc23be4fb7f09e7539aa8fb9ba829746204b183078428d421f817a1c3298138d3

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
e53e8ca12334382edb97f4e6f3fb9792

SHA1
c52e433d844980e6a99b0242ec80b9bb9f92f06c

SHA256
058bb2a388740a0ae6348a26d2fdbb56757bdac711ec8e34c320f8f9583ed2d3

SHA512
f4343153df3adf53a022f7dbf13055b023b97aabb6abd87eb194b13a4fb3679aed31ecb3b53325355f1aea6bde3898eabe62a617c8b3e20f68e57cb06b7ff69c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
d7ad9ead3f4a7b7eb688727a8b26a118

SHA1
cd6b7dbd15b38a044938e4529ebb9ac7ec8e1ed1

SHA256
878fe43ff9b815a57e1e7b0188cb03ac180237a21faef9719f330f3ad28d46ae

SHA512
3e48e759eec634f9865adee8a6557f40100286367f9c5c403f6ce3fa845aad747abb79e4b4721df3185bbf65935a741b8b16b03b77e56265960c1aa1a053b003

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
60658d9a3ceab1a36fccb05c6f4c5d89

SHA1
db576d2a22902e9588f11dcc51c154025ba665e6

SHA256
88fd957cfd67db8290e73fa46337b3ac70241b491b302d5bf87529d3e1eb3600

SHA512
03462a152e61f5936acf16393e2b0e31d2c100b6e7052cf207dcb497ce41325346c13230837d4b241296d82a27716ba41184d469ca4c3aa2a664568d2655c6d8

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
762e7dc04a4c85bbda22256e2cc7ed19

SHA1
3726eec42cdb88f5be98ecacc8e2d08e417ee767

SHA256
276790c5e8b5ecf53905233dc7249a1ddc12f455078d3da572a9fa2c6d9ce707

SHA512
adc5ab1e83bfd2c1bd74d908df41dc84b75d0acbde70623681c1b1b0a4be054a42a868b1f7745d837470e05102037394621ecc548d580d1db5bac7594d3fb53f

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
6c58a463e8e8029e05baede832210b8d

SHA1
9f6f591350b94eb19d0a427c423fa1e2ac1c7554

SHA256
4b2be6d864fb5c7a7a2d4b97e85456783c55e2d7ddbf3282db3772decde28f10

SHA512
353c0eb6ed22386bade1c4b6412e0c4deb20c9e8d317093238dece1ae2e9dd089d2ddf8aa461fab7f44dad8f5cb7cff004332982a5066da60baf2b32c4babaff

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
44bc7248ea603de8c392fc1153f91882

SHA1
b39ba543270cf25e9497d5793079f4ccd62d9e55

SHA256
8e8ca7d79615afa281eb4bafbf398be0adfa137a49836d3a1ffb68cf9f92bab5

SHA512
d6006c454c747027af809a8a1e33fc45360fe15de1cbcd656d40f5217249dd7c813b19dd0f458dc857a53c8285713b542c0a20d3d7631f3385c4fd233a6c1a47

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
0bc2a2e24e43bd469427fbcd856fdeca

SHA1
2781f67bb9a34651d9991de1dc0662f91eacbd5e

SHA256
2a45e6b86df383b6838e8922bd187708469c442ef1a4affcabe68efe1fd93af7

SHA512
0374ab952a253c3710a964c49dda252ff0aaf1d96d085f031425d09a22f15cdbadd7f7e13d70673c5538aa7a29eb925f8bf3626dd14ff8824ba3b8d6fb879c26

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
07b1262771c4f156520c2f3286bae14d

SHA1
8d828544026749f2f975332f39137050489e4f54

SHA256
70115476d4d07d47aada950724c7cc8981208716b49d3f7d8cac755f2c69d399

SHA512
03c1aa03d69b26e15658d3bfac2e51e4f9a1ce74f5f23c1793da9a71080b242ef00824c98a0f4819787272b5356588a09ff7b9f20245c5d03e97e12b0f6d8080

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
558d612326d29d6f93382ce58a95a919

SHA1
f19d12f08e2c88538ad5cb52a5698d0615d4f3bb

SHA256
dd437aa1899abe95613bdb12f0ffc7e37b052df40927bf9f66a5e3ab38dfe5f3

SHA512
c84d25f516e0bcc43d40193aa320acc2b5d7556a74fd59467cf67d4bf55877916e54dade4315d40008ae4ffe0725dbdddaf51f3ebc5c63dfc785e1bd8bc19edf

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
64KB

MD5
8cc4629a07af2269537d8678c6516489

SHA1
1eeba34f42d8d33cace4bc88a20222023dd9aebb

SHA256
001bd2da9485d73693833b89203184c221beda3808b74a770ac6b48022237bf8

SHA512
0a41d37ff5aeb95ea254116363a5e80a9b141e1da70278efcfcc01b72187f55cbadca2e1c4393f20146083dc5c6d10dea9d0da938a41ff50e1d804bfa65458ba

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
183e6a31d42c4c3fbd2d6c448e3af040

SHA1
8e87e983616fea0ad04fe1fa13a0dfea006d824c

SHA256
c76821857de66c07301a670baf751c58bcb31674507f5a2d249fb71a3f502fcc

SHA512
55e5c32390af2df653e9937a6d61ac22a130aee6d9bf4abb84123bc7334c7228b152962b1af1580b1f6da7f8e67a422535e083c32bf7a3afb211a19174ac7633

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
e0346146bde61e6084181f763f0160e4

SHA1
f83c180c359e07057f5fd88cb7948c54609eb803

SHA256
408639072c34add3af85e7b256a7fd3d1234ca512078a9a7b3ae1812842b09e1

SHA512
8a9c54e87b8f19a657b9a98cb481ba77909fface751b8f06a80de55e36159e193b103badde7e5dba2c5c193bcb3a0cc9dffde5d8c536e4553a2528a1a04c95b2

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
e2c2334abf634c49e5bf80f9bda85b28

SHA1
baa4f5a3e78b6ec2a424b036441283868c0a7582

SHA256
3465c4a90f958dbafc1671626aa120c9c0fd5a08eb19dcad83f935fe4bde4af1

SHA512
b4aed9d6aa5dfebb31f810f42fc98fe50195e8fae04573ffa238c8028db849e41acf6fc66a1b326a12128af7c8df0c9ae07b3185651ab55b1647eecde8e12e3a

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
64KB

MD5
a30eb8e1367ea62701e7d43ed057eed4

SHA1
6a2d41ad4284059b88868e15b2be1ebd08c3fa6b

SHA256
f0fcb9783be7d4d341d4c06039f7a3085fdb3d7a5c12be7b84c717e7259d01c1

SHA512
2750c5589912e2e022dd353131b23a6a54642cf738726fb629cc00ebd93e7dcf152f7a6470823b88ed06675a1c15d987d853abee15a7cee7d4541cfc429a7503

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
08d8ba0dcf9bad13c6e7b4157c4e4aba

SHA1
694ea480865bedf2606716c940a09b447ca27089

SHA256
ee141d9ae2e77341ffe73f1b60cf8caa3ff61070f3b4fbf41c7733f11e3223b3

SHA512
05ba5f9ca4989dd537128e9646fcec31745dbb141d7f274d94777b6be01c8ec94d1245c7d5b01eae0e51bc09892c5741e164ac0dc9d77270f31c5f04f1bfde14

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
5bcf9614927747a3c3374b983e4a1b4e

SHA1
cb682e06d514c0ad150b1785b9f07dc61e09a2aa

SHA256
7ecf1097227929329e0e056bf32465914d7a7a29af9bdef499961785b945b5e1

SHA512
f101640d3aecd46f504312398dd121fa08b6d745e0f49402abcbed00de3d168b469a36588ea46ef01fb91b179ac5ceafcffa4d62367abc308fd1ee0b6f920476

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
9af85f345ca621675f5f31050e328e93

SHA1
aceac82228d539ee237f0eab935d61e321136410

SHA256
3a41564eceb69f5c5273b1fbb076e7846dd0ac3f394b1964db53fa11d589bca6

SHA512
0f9461249b44f0461f6b6d987757d0cc37ee0fa3a4d5890d7cad2eb7bd8be40a7d781646eb5e86725bd23f4a6b85d5c36bfe80fa618e14a2a29e7171c4abcfea

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
64KB

MD5
88040dcb05f22baf92620b67416c7a8a

SHA1
6bfae27c7e7d4c4f4dcba5e7a600dad7fd2f994b

SHA256
b9e1f6ef7602047ad180b74503a174f785f7107bdffd8371178115c823e83179

SHA512
d9977b53bec9cb5b22c3cd6a925006ed51bce13c6c0e287270f2982165a7f825fb6e32bfb0dfab052b80ddc72e8f0f51f9f77aae938fe38b39d6adf3dfbfae20

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
64KB

MD5
3c0622408b05afede9e060d49507ee4d

SHA1
a21c7c0809f28f1c53a1f7e9c0d56c739efff49f

SHA256
07a69f355b6332ac4aa24033e95aa3ddd128d18fdd7496e02d4012ff5111bb05

SHA512
2bdc4ac435f76200dd3e65a1d2a09d35ab3f4ea6ca85fec73f4427933b73510471607ab1beadd79e59254b43cc55e9348b1c0c9617fc5796d182805ddfa29223

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
22d55712964b076f564f66ad5fc51646

SHA1
d6688099734cfe91fd1922e51e9efbbc5c5ecaea

SHA256
5a80f4bd40cd26f8c43e81791b53ee0f6a6bdf71d5f65f3747eaefabe551f0f6

SHA512
d67a2b5f48f43b73659df5c9183ce3a978480953d87c2eae92241f39241416194f238a5e966b573e04a6bf9a8f8494542934aae26adc6657cb5755af878cf04f

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
f05e123fc21e06a5fbfe2b3be75d0e7a

SHA1
cbe591c59a01d2352c3e4f7ec5f126e600bf2ee3

SHA256
22ccf5254abb402d8a3f6afc5bebc344af23721c02a3b6f9f53598d4ff14826f

SHA512
6b6cbfd8458cdb67420bfe20a77a2ce853fd0b7547db2f1cc70aec0c676ebfc6a4d6bb4f15a5739d03a4c552b6617ab10252513198286c421eadaf2564a00cc9

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
c6271e0013a6d436d646ff6c0080c60c

SHA1
c36cefb6f3b72fb47ffaae7ea09498af4de7ac1a

SHA256
656d7106caf3d4b59b28aefec2e93d7ee9064caffafb91e69b11490473c2162a

SHA512
1da71980b4123bc1cd977eef5ac42cf01ab63421f41971cc3cb6bbcb6eade4246acbfa0d1853e807f26749edeb3296ff99e006acdefe48586a4dfad24100d327

Download Submit
memory/528-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1792-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads