berbew | 30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270c

Analysis

max time kernel
96s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
Size

64KB
MD5

b51ae1857e9b47d57453ed150b1cc580
SHA1

5c60eaf86a41bea6cfb6ce010d201c22ce501d27
SHA256

30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270c
SHA512

c4f77e23d8c8a410b88368572e24370d96ed85e5538fc8faf00ef57fd350540e741d108161e75691abb495d7a2c1845a04d24ae4a718851fe15a88f4ce6ca800
SSDEEP

1536:GBu/pPVrWSR6IOeVPx8Z9mMlLBsLnVLdGUHyNwW:GBuxtSSvO8x8Z9mMlLBsLnVUUHyNwW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 34 IoCs

pid	Process
4740	Chokikeb.exe
3848	Cjmgfgdf.exe
3144	Cmlcbbcj.exe
1140	Cagobalc.exe
3400	Cdfkolkf.exe
2776	Cfdhkhjj.exe
2264	Cnkplejl.exe
4192	Cmnpgb32.exe
2516	Cdhhdlid.exe
4824	Chcddk32.exe
4908	Cjbpaf32.exe
220	Cmqmma32.exe
1528	Cegdnopg.exe
1084	Dhfajjoj.exe
552	Dfiafg32.exe
3480	Dopigd32.exe
3352	Dejacond.exe
4516	Ddmaok32.exe
468	Dfknkg32.exe
3668	Dobfld32.exe
4384	Daqbip32.exe
2644	Delnin32.exe
2736	Dhkjej32.exe
1464	Dkifae32.exe
1424	Dodbbdbb.exe
1800	Daconoae.exe
3916	Ddakjkqi.exe
8	Dfpgffpm.exe
1760	Dogogcpo.exe
3024	Daekdooc.exe
3912	Deagdn32.exe
2388	Dgbdlf32.exe
4368	Dknpmdfc.exe
4108	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2128	4108	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4740	4736	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe	83
PID 4736 wrote to memory of 4740	4736	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe	83
PID 4736 wrote to memory of 4740	4736	30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe	83
PID 4740 wrote to memory of 3848	4740	Chokikeb.exe	84
PID 4740 wrote to memory of 3848	4740	Chokikeb.exe	84
PID 4740 wrote to memory of 3848	4740	Chokikeb.exe	84
PID 3848 wrote to memory of 3144	3848	Cjmgfgdf.exe	85
PID 3848 wrote to memory of 3144	3848	Cjmgfgdf.exe	85
PID 3848 wrote to memory of 3144	3848	Cjmgfgdf.exe	85
PID 3144 wrote to memory of 1140	3144	Cmlcbbcj.exe	86
PID 3144 wrote to memory of 1140	3144	Cmlcbbcj.exe	86
PID 3144 wrote to memory of 1140	3144	Cmlcbbcj.exe	86
PID 1140 wrote to memory of 3400	1140	Cagobalc.exe	87
PID 1140 wrote to memory of 3400	1140	Cagobalc.exe	87
PID 1140 wrote to memory of 3400	1140	Cagobalc.exe	87
PID 3400 wrote to memory of 2776	3400	Cdfkolkf.exe	88
PID 3400 wrote to memory of 2776	3400	Cdfkolkf.exe	88
PID 3400 wrote to memory of 2776	3400	Cdfkolkf.exe	88
PID 2776 wrote to memory of 2264	2776	Cfdhkhjj.exe	89
PID 2776 wrote to memory of 2264	2776	Cfdhkhjj.exe	89
PID 2776 wrote to memory of 2264	2776	Cfdhkhjj.exe	89
PID 2264 wrote to memory of 4192	2264	Cnkplejl.exe	90
PID 2264 wrote to memory of 4192	2264	Cnkplejl.exe	90
PID 2264 wrote to memory of 4192	2264	Cnkplejl.exe	90
PID 4192 wrote to memory of 2516	4192	Cmnpgb32.exe	91
PID 4192 wrote to memory of 2516	4192	Cmnpgb32.exe	91
PID 4192 wrote to memory of 2516	4192	Cmnpgb32.exe	91
PID 2516 wrote to memory of 4824	2516	Cdhhdlid.exe	92
PID 2516 wrote to memory of 4824	2516	Cdhhdlid.exe	92
PID 2516 wrote to memory of 4824	2516	Cdhhdlid.exe	92
PID 4824 wrote to memory of 4908	4824	Chcddk32.exe	93
PID 4824 wrote to memory of 4908	4824	Chcddk32.exe	93
PID 4824 wrote to memory of 4908	4824	Chcddk32.exe	93
PID 4908 wrote to memory of 220	4908	Cjbpaf32.exe	94
PID 4908 wrote to memory of 220	4908	Cjbpaf32.exe	94
PID 4908 wrote to memory of 220	4908	Cjbpaf32.exe	94
PID 220 wrote to memory of 1528	220	Cmqmma32.exe	95
PID 220 wrote to memory of 1528	220	Cmqmma32.exe	95
PID 220 wrote to memory of 1528	220	Cmqmma32.exe	95
PID 1528 wrote to memory of 1084	1528	Cegdnopg.exe	96
PID 1528 wrote to memory of 1084	1528	Cegdnopg.exe	96
PID 1528 wrote to memory of 1084	1528	Cegdnopg.exe	96
PID 1084 wrote to memory of 552	1084	Dhfajjoj.exe	97
PID 1084 wrote to memory of 552	1084	Dhfajjoj.exe	97
PID 1084 wrote to memory of 552	1084	Dhfajjoj.exe	97
PID 552 wrote to memory of 3480	552	Dfiafg32.exe	98
PID 552 wrote to memory of 3480	552	Dfiafg32.exe	98
PID 552 wrote to memory of 3480	552	Dfiafg32.exe	98
PID 3480 wrote to memory of 3352	3480	Dopigd32.exe	99
PID 3480 wrote to memory of 3352	3480	Dopigd32.exe	99
PID 3480 wrote to memory of 3352	3480	Dopigd32.exe	99
PID 3352 wrote to memory of 4516	3352	Dejacond.exe	100
PID 3352 wrote to memory of 4516	3352	Dejacond.exe	100
PID 3352 wrote to memory of 4516	3352	Dejacond.exe	100
PID 4516 wrote to memory of 468	4516	Ddmaok32.exe	101
PID 4516 wrote to memory of 468	4516	Ddmaok32.exe	101
PID 4516 wrote to memory of 468	4516	Ddmaok32.exe	101
PID 468 wrote to memory of 3668	468	Dfknkg32.exe	102
PID 468 wrote to memory of 3668	468	Dfknkg32.exe	102
PID 468 wrote to memory of 3668	468	Dfknkg32.exe	102
PID 3668 wrote to memory of 4384	3668	Dobfld32.exe	103
PID 3668 wrote to memory of 4384	3668	Dobfld32.exe	103
PID 3668 wrote to memory of 4384	3668	Dobfld32.exe	103
PID 4384 wrote to memory of 2644	4384	Daqbip32.exe	104

C:\Users\Admin\AppData\Local\Temp\30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe
"C:\Users\Admin\AppData\Local\Temp\30a7b93a51f4061b7e3154028b512765a4fd636ded7e013d2ac91d346382270cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\Chokikeb.exe
  C:\Windows\system32\Chokikeb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\Cjmgfgdf.exe
    C:\Windows\system32\Cjmgfgdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Windows\SysWOW64\Cmlcbbcj.exe
      C:\Windows\system32\Cmlcbbcj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
      - C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 216
        36⤵
        Program crash
        
        PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4108 -ip 4108
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
64KB

MD5
211e808322db2cf2374e2cb7e70ebd3a

SHA1
fc2cd14ebdbc4050c6bb045a8e3ca6fff8eee1b4

SHA256
6c123a8eea70d6d8bc50d5af17cce38bd9e9f1388727cb2dac917fad55cd5ce9

SHA512
b690302c14f1024d86b006c7f0617c191859f68f80703c4edd4506908defb2752552d90a4c99cde3bee298fce2b601d40d2bf2e760b441b3805c44a3d7c4734a

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
906819b85699783652faab29664e28af

SHA1
b0bf757e9126b55adf45858ba80e5ee8cc29febf

SHA256
498117339654a1abbb8462386e4dd0e07a2ed56d560cd8121e63efdbb7fdd00a

SHA512
a53ac84a4ef1a8750df9dc33e174ed9079b3785c293cc0ba4d40c8c7ad46f191a9c07acfd4b4aafc08431bc61b8e43ed743433c23d0ea6c1b785eaca16898e06

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
8e761c1e490983b9988ab59787f10d5a

SHA1
684f86caa3e045b0589a5cde5eff3d47657e7685

SHA256
44fff8c33d534f15bd462ead2988adde1781ad7cc6512037b17522923a93186f

SHA512
20185c1366dc05c22e63a016077a9f6cb1e108b0669166258a16a1a7b8dca7a06b697859c505f086106b8fdcc59b4ca1e2bc01b146fa71ffa15b7f60b1a2266b

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
475ba941dffd73240d4fd07c130b7cf0

SHA1
4df3fb08ea700c013c69525203b30efc3544ec4c

SHA256
0726e18e13fa0d0e6dfc63d2d9fe6c525bb0fd42f046d2162fa9918deb6a6022

SHA512
f63ca5ef44bca511a0aca571d1b49ad7273dbc3d7fa7b0b1b15fb290966f127cac05d9187e65123be9971583105bee9e2f958ccaa3a2646985fa1448288e0c53

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
900b8b5352d34842e48abf9958ff2b02

SHA1
fd70a5facbd869fe131f1d8be1c283c3545263fe

SHA256
b6c5a42280dffcf10e9c10ba8dd933c0cb70a41e322a84229c42a69d7d0b7475

SHA512
86880a311871af53113a3d99077175ef90c4f7040d620d4e22cfc4c84363b1232f3e8764b23ff348046dff0542e775cc2569f5a1d6555b8000d58aefe74c2d82

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
323d143a2efdd2c299c37c58beb73f6f

SHA1
a2e392c0b186f7344a7e127e5a1c7f9c24337b86

SHA256
c6e10020f3645dab24f9d385cd3394c136144753f7af390dd5c0fc50b9a1fd50

SHA512
4e44cef0fa221757ff45804086a258ecb055a6325341fb20a51583d61749f44a19d809baf61ba2fbf2a1763c8ee0ce1e0c723c9c32e2cb483835c5d9e3f05d4e

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
d5a59c95488ed9b470282ac45fcb208a

SHA1
f2eaf90af35f113b0e6c5366d223c0b279be95c7

SHA256
b5ac6f3295240df1e8075b319bb7c98a0683e375f4a0d315a7ca1ab7bb67cba7

SHA512
9abd96fded68347ed394a5c870d34dfb55cf7e8ddcee56e753e16d4e32ffcfdbbf5043756b4ece89a158afdef76ac040d84efa0e5fd4c8ae4cae96cd978150c0

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
8fa84f28e71f740f59962a0620665481

SHA1
839e2b552520b7ba452b6c474c23e1eb2e6c5f44

SHA256
dc779a0291a276dffe6b48e76375eac5d0eb9b070aec672a57ab55884320852a

SHA512
07b856158ac57180dfba9d36e3aa589df23a10e3e45433c11fa9d12727940f219e4d247f97fc50be0f6f9de92c0d534a29da13ab2abbaea1cdbfe743d4a544ba

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
c6ae61fd6437c2228d60b86113c6f436

SHA1
7a36ef5ee9744da5e5ea6ab8a8c34fdfb65afc2d

SHA256
55b7cf87953f3080f35dea7f93e7c10132d6069c4569f33ff9b56a83a1c72db7

SHA512
ddc8eba1132dac460a0c32aa4a5c96597578ba2e5b05ae032bf48834bc71164ffe14f2d200ee35edfb7deca675172bdb122a737171969511ab00da33ff02ca0c

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
f1980a0defc9f962e37caf9fc8a2bf02

SHA1
ca8fc714b6f1d2986e691077ef48cf7dec154436

SHA256
2178a7ee33dcaa47bcb3083164cd772d4791b37cc3070011808ac27f8dfa8d69

SHA512
f8f555ae9f3fd6f81c9bd45bd246e13a524b52fbfcc2e8a04cd05703febff218e8707ae95b073769e88ebbf09d287ff1020366e3ef5f3a083596dfa0684c80a2

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
07a9bf393c9b6e3b08c35be82da1d83d

SHA1
8133f354e44d5a46cb50e88c8f74743fdfdaf168

SHA256
9d848e7485ba1c0e5528808b0702ad2a2e5613fb34989db86aebd171ba09e31a

SHA512
dd87c78a4f5f9fbcc36d3690ff2244e7d855c5b797c4c8a3f8ac046ae1e62b54b4ab50623916e9b284dca9ed5255445b701dcd56e413054fb92f96cd413d46ee

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
a182d9d7e83d1cb6487965e75cc4fce6

SHA1
5aeafbfd1905ffbfd4f8e81253257b07a26d142f

SHA256
d3625d58708667940de75b1ab4aab5cde21876745e3ab24caada5d00db5afec3

SHA512
5013151dec36764c74750b18a98cafef4581e3296d81b32a8de66025fa5537726bb3760f1971c1858151b8ebeec0087cce8c0a13823849bb90c69458b14d4a8a

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
b8911ab52d1f3cb365e59a576726222e

SHA1
314183a539bc5d4e2ce7c7dc778c450ea0210bed

SHA256
5ccc18db35733acb6f4f2a2ab76b2ed83c66a8b1ee7a99d40a3a0318629190d2

SHA512
9a465ba55c95999a0b41a69038e4a43c9d6e305c766213179268f0ba86728a0378c3921cb744859dae2ba0d1174b9eabb3d57b58a018df3c2770a964373d592c

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
64KB

MD5
931f8cd923ec4a9268b33968b0b76de0

SHA1
e63da56e74e1c62f63d97464714c5f23f0ec3cd0

SHA256
72d1b6a86ff903fdc5057951ec2be21cd65a8841872823554144172fe9830bed

SHA512
1b28c4e17ed89e3e783474e59bd3b8cf9f3f182d0a6a67e61bc3996b4d6ce893cb33444aa506bd1badaa3fb1027d2975d0ebfa117394340d3a66fc89e35c3c33

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
bac2b6cdda0fb880b8e8a1f1e4e274aa

SHA1
db4ded73a085509173fe7bda04ee5d2de3bbcfd6

SHA256
d1698eb43c4a55cc3d38236abeef4074a0232346468c6e928a7e9fda60cb7b6f

SHA512
503f9cd53adc154b691b60b5ce48f5bcdd7a6e0296415577f271e93924a98c30e3cffe59bb6aeb10deee13e02d0f7e13f94da311a0b4d413f3a5c9506faf2b12

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
23af563d734409dcd8917ca792c20eb7

SHA1
0aab372896801dc3cf6d3ce17f4647781275e5fd

SHA256
19fb0b4d17df534e061d1acce2e67b521801c0aff6ff3446e1dcfd7d47128799

SHA512
7123e575768d79ff885b78aa8bc55f52670daf90d30b0a6a145146352f6e911fafdc365d18928e538762ddbd40e76b8d9652cd8a10764b7ca0fe05f34388b506

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
c36b06f0b40754fd194a81c8c8376254

SHA1
1a671888c6a04ef109995c24829f68cd0ae4b992

SHA256
1047b5f83f90e3623d0443e19838efdf8c0fec3e6675da839ec9456994c0a8fd

SHA512
027c5b9d25af24eb1d4729f0152edbc54fa061475ba912b2af2afa9a8314872cbfc35dfb1124120aab136b3da024882b645b64303d6d13ce52fa57be7e74b4b5

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
55434caa71da25ee8732fdd93ca1cb14

SHA1
a74b1f175322314f6f5272b8670c0731c250223c

SHA256
b5261dcad203c61b76f26b2899804b2c54fe3d1e5c132a20105382805d570d5d

SHA512
641ddc4abc689ef66b47a0fba3242c6ca2382d1e62fd0f99fc1cb5894777209700be99be203ee24d7b999f2e2185921a47bd90e193bb532a0b23ee866ab7e19a

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
555767f92c2734f2dac7cf36f51d27bc

SHA1
ff79f8fb99c12bb63cc84fbfa2603ccafd08a2b6

SHA256
e6e98c4897cf7c304811766ff58fe0564f4c73f95d1cac6d8e321b9d00151355

SHA512
e903396175bd88da21ffe5af971e7b93ae61b817a0429430ba0a434292da089f23a521004ac55526b509144f6caafd537afa5748eeb0b8731c88182d613442db

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
ea5f7efbd75d327f72ed4bf8ebb3cdd2

SHA1
8ff3176f33fdd659ba235507a2d44436caaa7a12

SHA256
1379e3d045ae8d1892a0b03739ddfd87a2f8375b30ec58f9e3fb2f66ccafc059

SHA512
7da744a80f98c66936623fbc679ac72f7021318bae4680c299feaa49bf3bddaf8ba5d0ba8e002e084f44220ab5d375fb87557a14524ee41e0add3eb0b17db06f

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
db24dc632124b470829ab43adce55367

SHA1
9d3052f10ed1b514802f7d24d5b8f807ad308c12

SHA256
7d118b4d8ca7675648a345623802b1b5a25ae3d5fe6f37c20ff1b776f9d67835

SHA512
16095d3c686f9e45dcc0ed5a488592f7d490670aea4ca2fa823380c715fb2f9efc2baa791f31d4c5f7885720b4d54df5de56e272e37ccb2dfae832297361362d

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
2a385fb38d97f794d6962601db936e92

SHA1
175aeac867601c77c6946623ee66f6d3ea864b28

SHA256
886e366869098cf948f4b78d6879e5d3610685c5acb8363204ccac7fcd8ac1c4

SHA512
4c3dea513cc6a9a1af7b1e76cf0258bbb1f4bb4305f535819d4a8bdbb8ca665cf27e90a1836bd8dcfdeabdc9e2255a09407274de12af85e942ee292aa3225017

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
f862c0cf59f0c821c50fb209d057a592

SHA1
b511ef637cf497ee966118b056b643ec6b8db337

SHA256
e2e5b23032dd9e973ab96e66d4655deb161ba6815643914049ffc50914730262

SHA512
6258c6a79e48806dc29045ca095a0a36ef3ae90f6ca16a8c7d39fcdd2092408abcc6f50fb0266593f16551d10b256994ca493e038884c2f63a249c416de498cd

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
6fd484a66a0a5c72b7d6a8a018bcc437

SHA1
2870f6dbb3c248cd96a0412cbf1d0d9381d778d6

SHA256
816cd6301ab87ac999a75971cc8202df60ff08b6bc3680f08fd16d9d8ae66982

SHA512
68c213af85b815a67569efbdd2f122ab9bf6143ee9f45f59afd4ad2a646c683067222cc5af6dc79ba5171733e7b257eb4b91f748204d866a60ab7ad2916fa0df

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
5c2f52f5c13da0589a18c9d93efc88b9

SHA1
6b8b3102e7a19325eae114c404b9f756a5807103

SHA256
d5e98c1f7e73a2e319ede92f6b0f0a70d837b993ae0c8ca3cc89b98dc1c15ab3

SHA512
97283ce78f4b441f706e910f6f18f9de60d2736e554b650886e1c8daeeeb05ada16ba97c3d8421a9420f9f96969533299a524c5d9c8c50e8d5aabdc7be4ee573

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
5e02955a4d867920c639b71c5faa6781

SHA1
2dfa0d197bbfcbaee62855dfb953793992f5036e

SHA256
5e52369551a9d698b61cfb33b2af76aac9e84c08a7912c25773836e4b21fc84d

SHA512
0e34bb8ea95fcfd4165faa40aaf30d5835a90a8dcc7e90dd7fc5a83eebe71e01979c85ff6a1f8bd2090ab9a2422a993628d2efd997cdf73b5428fdb2da2ddfa4

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
769d0b9f409540b8945bbb0232e73e4e

SHA1
4d4380c5f9542290f1ed2ba5e1f9b423a7f9b923

SHA256
8294965f3f34e709cfb3fed2e8eb7468f4169998bc27998b6ecd9af9b4e1503f

SHA512
371e997f85660f08f5a58dd108f129acbb98eaf1b0af6ed4fcb91bff2b5b798d047878bf66e52d5f7a46f137a6adc1ec1dfc4459c161b2128c1f6569e1eb69ef

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
4750b9020cda0e1492d9ba9fad256b4a

SHA1
25d325d64a2394aef9a2c3d35eeb46eb34d2248d

SHA256
9d490774a4df8233dd9d74e4ccdca00e35e912e3330b3b39952e7387f2b190f4

SHA512
a17a2d7a21f04f40289505d584bac21482663b6df9379f990fb5b41f28b48a4dd9524f59f68641567ac8a727ab336c38df5abaae85d8059c898d4642319998cc

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
702bf2a781168fabfaa106fd35748dfc

SHA1
6f66223198a71a9b8b0572c844f4d6a296d1aef4

SHA256
4033883e1678a37d449103aafe88cd19aa175d6eaf4b58da9c023e4c3263232b

SHA512
c6b311505ee7c2f13595687d611d007537ef1fcb2403c84b424d1faf4a695bb2db4d341d75e1286938c9977b5074531401e5a57473dd197644630e0c46e1850d

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
64KB

MD5
799a85d4daa7f74f3b60c2628358ece0

SHA1
ef8159c0b3fb810cc6a6ac959ac13632076f3ade

SHA256
696008c5ee447d8df02177e48d38126ef306807c665b3b99f5443842506211cc

SHA512
e27d55c408067b101569fd33edc5d4d63d2a12fd4f8f7b5164147f8b8fd815b78b1e9dd0e3cccca0217521d195d38a4b616a87c5d755e8c94535e2fb23f9453b

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
438182a4157e5d0ab8afe44349b03414

SHA1
d50b9933348f17fa0301795af01e9ac4b25ea286

SHA256
3bd6081399642076b3d22fa5f756d6d6cae31cb8a3edc8c586e9cf4c62738be3

SHA512
7ed1480ec9349f106bb622f476b06fbdb088065e5b4300a04fc4a022ca437037e80b1e1da932cacff504f6acf7001ea1a61fe559075ec6a85786d9580e60cf93

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
648cabc98e8964c409d7db6532080446

SHA1
a16920542ce113cc27fcd23f7e7af682af9aa4a5

SHA256
6648a5b506f9718c10a9fd50c9844917badd98e6dc6632339586a89056e07c56

SHA512
14d2bf3fc0fe0c2bdc326a4e358e91a2939359b5a7ff08908b914e2d0fdf4ce36badd039ee3184576db294ba2962130384ea90724866c815f973570b7f140fde

Download Submit
memory/8-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/220-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/220-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/468-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/468-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/552-307-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/552-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3352-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3352-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3668-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3668-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3848-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3848-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3916-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3916-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4736-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4736-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads