berbew | 09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Size

96KB
MD5

44edccfc51222920ad8298db95035120
SHA1

7f840368c5af8c1ab069550cd28f5374d34ee881
SHA256

09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73
SHA512

98239ed86c8ef0f90e3d3e42734452da299466b00e31c74e6184ec875a2d8d1d1a7c3003d798514518799024fb7f022649095835847eb83ad43faf8c854c4b30
SSDEEP

1536:pNPZqi26ObHnpZkzKb2jWl5X3Ne+Ql2eueQu5fy62LIzsBMu/HCmiDcg3MZRP3cH:3Zq7Fre+KPuetaIza6miEo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckoilb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coelaaoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceodnl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dglpbbbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baakhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckoilb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpkbdiqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpkbdiqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceodnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dglpbbbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddaphkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emkaol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baakhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpnojioo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coelaaoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndlim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkcojga.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 32 IoCs

pid	Process
2780	Baakhm32.exe
2724	Coelaaoi.exe
2904	Ceodnl32.exe
2880	Clilkfnb.exe
1656	Cddaphkn.exe
2768	Ckoilb32.exe
1492	Cpkbdiqb.exe
2544	Cjdfmo32.exe
2236	Cpnojioo.exe
1856	Cghggc32.exe
2924	Cnaocmmi.exe
2144	Dgjclbdi.exe
2320	Dndlim32.exe
2804	Dglpbbbg.exe
632	Dhnmij32.exe
2188	Djmicm32.exe
1500	Dhpiojfb.exe
896	Dolnad32.exe
1976	Dbkknojp.exe
1760	Dkcofe32.exe
1980	Ebmgcohn.exe
2020	Edkcojga.exe
900	Ekelld32.exe
1528	Ebodiofk.exe
976	Egllae32.exe
2752	Ejkima32.exe
2616	Eqdajkkb.exe
2856	Emkaol32.exe
2664	Eqgnokip.exe
3020	Emnndlod.exe
768	Eqijej32.exe
2220	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
1700	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
1700	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
2780	Baakhm32.exe
2780	Baakhm32.exe
2724	Coelaaoi.exe
2724	Coelaaoi.exe
2904	Ceodnl32.exe
2904	Ceodnl32.exe
2880	Clilkfnb.exe
2880	Clilkfnb.exe
1656	Cddaphkn.exe
1656	Cddaphkn.exe
2768	Ckoilb32.exe
2768	Ckoilb32.exe
1492	Cpkbdiqb.exe
1492	Cpkbdiqb.exe
2544	Cjdfmo32.exe
2544	Cjdfmo32.exe
2236	Cpnojioo.exe
2236	Cpnojioo.exe
1856	Cghggc32.exe
1856	Cghggc32.exe
2924	Cnaocmmi.exe
2924	Cnaocmmi.exe
2144	Dgjclbdi.exe
2144	Dgjclbdi.exe
2320	Dndlim32.exe
2320	Dndlim32.exe
2804	Dglpbbbg.exe
2804	Dglpbbbg.exe
632	Dhnmij32.exe
632	Dhnmij32.exe
2188	Djmicm32.exe
2188	Djmicm32.exe
1500	Dhpiojfb.exe
1500	Dhpiojfb.exe
896	Dolnad32.exe
896	Dolnad32.exe
1976	Dbkknojp.exe
1976	Dbkknojp.exe
1760	Dkcofe32.exe
1760	Dkcofe32.exe
1980	Ebmgcohn.exe
1980	Ebmgcohn.exe
2020	Edkcojga.exe
2020	Edkcojga.exe
900	Ekelld32.exe
900	Ekelld32.exe
1528	Ebodiofk.exe
1528	Ebodiofk.exe
976	Egllae32.exe
976	Egllae32.exe
2752	Ejkima32.exe
2752	Ejkima32.exe
2616	Eqdajkkb.exe
2616	Eqdajkkb.exe
2856	Emkaol32.exe
2856	Emkaol32.exe
2664	Eqgnokip.exe
2664	Eqgnokip.exe
3020	Emnndlod.exe
3020	Emnndlod.exe
768	Eqijej32.exe
768	Eqijej32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dndlim32.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Odifab32.dll	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Cgllco32.dll	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Inegme32.dll	Eqgnokip.exe
File opened for modification	C:\Windows\SysWOW64\Baakhm32.exe	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
File created	C:\Windows\SysWOW64\Ckoilb32.exe	Cddaphkn.exe
File opened for modification	C:\Windows\SysWOW64\Dglpbbbg.exe	Dndlim32.exe
File opened for modification	C:\Windows\SysWOW64\Dhnmij32.exe	Dglpbbbg.exe
File created	C:\Windows\SysWOW64\Fileil32.dll	Dglpbbbg.exe
File opened for modification	C:\Windows\SysWOW64\Dolnad32.exe	Dhpiojfb.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Ebmgcohn.exe
File opened for modification	C:\Windows\SysWOW64\Ebodiofk.exe	Ekelld32.exe
File created	C:\Windows\SysWOW64\Eekkdc32.dll	Baakhm32.exe
File opened for modification	C:\Windows\SysWOW64\Clilkfnb.exe	Ceodnl32.exe
File created	C:\Windows\SysWOW64\Kcbabf32.dll	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Mmjale32.dll	Egllae32.exe
File created	C:\Windows\SysWOW64\Dglpbbbg.exe	Dndlim32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkknojp.exe	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Ebmgcohn.exe	Dkcofe32.exe
File opened for modification	C:\Windows\SysWOW64\Cghggc32.exe	Cpnojioo.exe
File opened for modification	C:\Windows\SysWOW64\Cnaocmmi.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Djmicm32.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Dhpiojfb.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Ekelld32.exe	Edkcojga.exe
File opened for modification	C:\Windows\SysWOW64\Ekelld32.exe	Edkcojga.exe
File created	C:\Windows\SysWOW64\Ejkima32.exe	Egllae32.exe
File created	C:\Windows\SysWOW64\Eqijej32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Ceodnl32.exe	Coelaaoi.exe
File opened for modification	C:\Windows\SysWOW64\Dndlim32.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Dbkknojp.exe	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Eqdajkkb.exe	Ejkima32.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Cpkbdiqb.exe	Ckoilb32.exe
File created	C:\Windows\SysWOW64\Mnghjbjl.dll	Cpnojioo.exe
File created	C:\Windows\SysWOW64\Clilkfnb.exe	Ceodnl32.exe
File created	C:\Windows\SysWOW64\Mpdcoomf.dll	Cddaphkn.exe
File opened for modification	C:\Windows\SysWOW64\Cpnojioo.exe	Cjdfmo32.exe
File created	C:\Windows\SysWOW64\Kijbioba.dll	Dndlim32.exe
File created	C:\Windows\SysWOW64\Galmmc32.dll	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Khjjpi32.dll	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
File opened for modification	C:\Windows\SysWOW64\Coelaaoi.exe	Baakhm32.exe
File created	C:\Windows\SysWOW64\Gdidec32.dll	Ckoilb32.exe
File created	C:\Windows\SysWOW64\Cnaocmmi.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Dhnmij32.exe	Dglpbbbg.exe
File opened for modification	C:\Windows\SysWOW64\Dhpiojfb.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Emkaol32.exe	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Emkaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cddaphkn.exe	Clilkfnb.exe
File created	C:\Windows\SysWOW64\Nanbpedg.dll	Clilkfnb.exe
File opened for modification	C:\Windows\SysWOW64\Eqijej32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Mghohc32.dll	Cpkbdiqb.exe
File created	C:\Windows\SysWOW64\Elgkkpon.dll	Cjdfmo32.exe
File created	C:\Windows\SysWOW64\Lklohbmo.dll	Cghggc32.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Emkaol32.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Coelaaoi.exe	Baakhm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceodnl32.exe	Coelaaoi.exe
File created	C:\Windows\SysWOW64\Gjpmgg32.dll	Dgjclbdi.exe
File opened for modification	C:\Windows\SysWOW64\Dkcofe32.exe	Dbkknojp.exe
File opened for modification	C:\Windows\SysWOW64\Cjdfmo32.exe	Cpkbdiqb.exe
File opened for modification	C:\Windows\SysWOW64\Dgjclbdi.exe	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Mecbia32.dll	Ceodnl32.exe
File created	C:\Windows\SysWOW64\Cbcodmih.dll	Dbkknojp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2408	2220	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coelaaoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceodnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emkaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmicm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpkbdiqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnojioo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkcofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebmgcohn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejkima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqdajkkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baakhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilkfnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkknojp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekelld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjdfmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglpbbbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dolnad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egllae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckoilb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaocmmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhpiojfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebodiofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqijej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddaphkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhnmij32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpnojioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coelaaoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clilkfnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dglpbbbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbabf32.dll"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqijej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clilkfnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgkkpon.dll"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmgg32.dll"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll"	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baakhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll"	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll"	Cpnojioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dglpbbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecbia32.dll"	Ceodnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceodnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejkima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekkdc32.dll"	Baakhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhokkp32.dll"	Coelaaoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpnojioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpkbdiqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmicm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll"	Eqdajkkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceodnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckoilb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpkbdiqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgpffch.dll"	Cnaocmmi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2780	1700	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe	30
PID 1700 wrote to memory of 2780	1700	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe	30
PID 1700 wrote to memory of 2780	1700	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe	30
PID 1700 wrote to memory of 2780	1700	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe	30
PID 2780 wrote to memory of 2724	2780	Baakhm32.exe	31
PID 2780 wrote to memory of 2724	2780	Baakhm32.exe	31
PID 2780 wrote to memory of 2724	2780	Baakhm32.exe	31
PID 2780 wrote to memory of 2724	2780	Baakhm32.exe	31
PID 2724 wrote to memory of 2904	2724	Coelaaoi.exe	32
PID 2724 wrote to memory of 2904	2724	Coelaaoi.exe	32
PID 2724 wrote to memory of 2904	2724	Coelaaoi.exe	32
PID 2724 wrote to memory of 2904	2724	Coelaaoi.exe	32
PID 2904 wrote to memory of 2880	2904	Ceodnl32.exe	33
PID 2904 wrote to memory of 2880	2904	Ceodnl32.exe	33
PID 2904 wrote to memory of 2880	2904	Ceodnl32.exe	33
PID 2904 wrote to memory of 2880	2904	Ceodnl32.exe	33
PID 2880 wrote to memory of 1656	2880	Clilkfnb.exe	34
PID 2880 wrote to memory of 1656	2880	Clilkfnb.exe	34
PID 2880 wrote to memory of 1656	2880	Clilkfnb.exe	34
PID 2880 wrote to memory of 1656	2880	Clilkfnb.exe	34
PID 1656 wrote to memory of 2768	1656	Cddaphkn.exe	35
PID 1656 wrote to memory of 2768	1656	Cddaphkn.exe	35
PID 1656 wrote to memory of 2768	1656	Cddaphkn.exe	35
PID 1656 wrote to memory of 2768	1656	Cddaphkn.exe	35
PID 2768 wrote to memory of 1492	2768	Ckoilb32.exe	36
PID 2768 wrote to memory of 1492	2768	Ckoilb32.exe	36
PID 2768 wrote to memory of 1492	2768	Ckoilb32.exe	36
PID 2768 wrote to memory of 1492	2768	Ckoilb32.exe	36
PID 1492 wrote to memory of 2544	1492	Cpkbdiqb.exe	37
PID 1492 wrote to memory of 2544	1492	Cpkbdiqb.exe	37
PID 1492 wrote to memory of 2544	1492	Cpkbdiqb.exe	37
PID 1492 wrote to memory of 2544	1492	Cpkbdiqb.exe	37
PID 2544 wrote to memory of 2236	2544	Cjdfmo32.exe	38
PID 2544 wrote to memory of 2236	2544	Cjdfmo32.exe	38
PID 2544 wrote to memory of 2236	2544	Cjdfmo32.exe	38
PID 2544 wrote to memory of 2236	2544	Cjdfmo32.exe	38
PID 2236 wrote to memory of 1856	2236	Cpnojioo.exe	39
PID 2236 wrote to memory of 1856	2236	Cpnojioo.exe	39
PID 2236 wrote to memory of 1856	2236	Cpnojioo.exe	39
PID 2236 wrote to memory of 1856	2236	Cpnojioo.exe	39
PID 1856 wrote to memory of 2924	1856	Cghggc32.exe	40
PID 1856 wrote to memory of 2924	1856	Cghggc32.exe	40
PID 1856 wrote to memory of 2924	1856	Cghggc32.exe	40
PID 1856 wrote to memory of 2924	1856	Cghggc32.exe	40
PID 2924 wrote to memory of 2144	2924	Cnaocmmi.exe	41
PID 2924 wrote to memory of 2144	2924	Cnaocmmi.exe	41
PID 2924 wrote to memory of 2144	2924	Cnaocmmi.exe	41
PID 2924 wrote to memory of 2144	2924	Cnaocmmi.exe	41
PID 2144 wrote to memory of 2320	2144	Dgjclbdi.exe	42
PID 2144 wrote to memory of 2320	2144	Dgjclbdi.exe	42
PID 2144 wrote to memory of 2320	2144	Dgjclbdi.exe	42
PID 2144 wrote to memory of 2320	2144	Dgjclbdi.exe	42
PID 2320 wrote to memory of 2804	2320	Dndlim32.exe	43
PID 2320 wrote to memory of 2804	2320	Dndlim32.exe	43
PID 2320 wrote to memory of 2804	2320	Dndlim32.exe	43
PID 2320 wrote to memory of 2804	2320	Dndlim32.exe	43
PID 2804 wrote to memory of 632	2804	Dglpbbbg.exe	44
PID 2804 wrote to memory of 632	2804	Dglpbbbg.exe	44
PID 2804 wrote to memory of 632	2804	Dglpbbbg.exe	44
PID 2804 wrote to memory of 632	2804	Dglpbbbg.exe	44
PID 632 wrote to memory of 2188	632	Dhnmij32.exe	45
PID 632 wrote to memory of 2188	632	Dhnmij32.exe	45
PID 632 wrote to memory of 2188	632	Dhnmij32.exe	45
PID 632 wrote to memory of 2188	632	Dhnmij32.exe	45

C:\Users\Admin\AppData\Local\Temp\09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
"C:\Users\Admin\AppData\Local\Temp\09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\Baakhm32.exe
  C:\Windows\system32\Baakhm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Coelaaoi.exe
    C:\Windows\system32\Coelaaoi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\Ceodnl32.exe
      C:\Windows\system32\Ceodnl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Clilkfnb.exe
        
        C:\Windows\system32\Clilkfnb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\Cddaphkn.exe
        
        C:\Windows\system32\Cddaphkn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ckoilb32.exe
        
        C:\Windows\system32\Ckoilb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Cpkbdiqb.exe
        
        C:\Windows\system32\Cpkbdiqb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Cjdfmo32.exe
        
        C:\Windows\system32\Cjdfmo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Cpnojioo.exe
        
        C:\Windows\system32\Cpnojioo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Cghggc32.exe
        
        C:\Windows\system32\Cghggc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Cnaocmmi.exe
        
        C:\Windows\system32\Cnaocmmi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Dndlim32.exe
        
        C:\Windows\system32\Dndlim32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Dglpbbbg.exe
        
        C:\Windows\system32\Dglpbbbg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Dhnmij32.exe
        
        C:\Windows\system32\Dhnmij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Djmicm32.exe
        
        C:\Windows\system32\Djmicm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Dhpiojfb.exe
        
        C:\Windows\system32\Dhpiojfb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Dbkknojp.exe
        
        C:\Windows\system32\Dbkknojp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Dkcofe32.exe
        
        C:\Windows\system32\Dkcofe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Ebmgcohn.exe
        
        C:\Windows\system32\Ebmgcohn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Egllae32.exe
        
        C:\Windows\system32\Egllae32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Eqdajkkb.exe
        
        C:\Windows\system32\Eqdajkkb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Emkaol32.exe
        
        C:\Windows\system32\Emkaol32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 140
        34⤵
        Program crash
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cddaphkn.exe

Filesize
96KB

MD5
81d9c82c755cb2eaabc1f9f09a1bbb7c

SHA1
2f3b2aacbdffb38c48f6ede144d6f56b4e932c3d

SHA256
d364588cab71d5fc6f8b93fc176d70ace8f3fd27077e628e848a1b586a927790

SHA512
7731dc1964f4c5b88d6a590a2ebed6c89dfaedebe18b50253fd073677c94e2259e29ffa03e2718eef3d72d43d9df58587300dbb5ec9e1bbf2a9f8c3dfc18f04a

Download Submit
C:\Windows\SysWOW64\Ceodnl32.exe

Filesize
96KB

MD5
f379d164ca22d8dcb72112d68a5d1b7d

SHA1
5802ba5fd10b3e57f6b979ee84e79d64b5a8f84e

SHA256
dd455c46e2e3c0a047780b54269e81301a41347d89076047a2f36cdaa1d68ba9

SHA512
92142c5ce646c7a4cbd5d2c3e825d98f2fd5e8fc924489c778eac8d1bf1b69ffbee8e045c16b78466a8d0bfe7ff1fe6d19874c39844e9b58999f794bcc3662b1

Download Submit
C:\Windows\SysWOW64\Dbkknojp.exe

Filesize
96KB

MD5
f429c4b967b762fd41f0396373cfd4ba

SHA1
e1e8e8d4d50b587a21c3a86950fd1929973703a2

SHA256
689c9a09947f1baba96697620d5b6dc168426097788f9eb58305149f57e6e0e6

SHA512
2276f8478b371fef712a7546781263047a24d93e8d67f5917fc99da6955da22d26eeb9044eaa215b0030569fe33acb11e0cf9313505da92680b2bad43d119865

Download Submit
C:\Windows\SysWOW64\Dhpiojfb.exe

Filesize
96KB

MD5
c312bd666b41e05c89db515f40ed8066

SHA1
ce0d0d529874a8fdc2315584669671fbe5bf806c

SHA256
7c2fcbc1f6cb17cc8dd84ef045d46eb3dd294b25ec072b8e81086e0f284d8059

SHA512
6ecebd26c5f40362d859a1c3213a2af467f067946524112132b95a16ff22c6f75d6f1ea864933cc6b9478d696df6a6603693ac9405f82b13e63287052b4ea480

Download Submit
C:\Windows\SysWOW64\Dkcofe32.exe

Filesize
96KB

MD5
d72d21fb896114243f015327d95f197b

SHA1
bc0eaa4d8aaf98e9291a7fbc5d843e0637d24b4b

SHA256
030303c719e3bb43b9758dc0084c692c415acd14c4787692f695bb77c0c59283

SHA512
dbfe2a1a3a7eb3cd3a86013098e7f5464a20a1df5690dff3401c123eb890dd34c041fca2cc7876ad87e5beedcd3d2a938892edd306089143ef2c6a8c1055b734

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
96KB

MD5
2ad24c8648c8896ce7a1ecefb112e00e

SHA1
94020a346a4ac79f3993baef0e2490c6a7a4e1ab

SHA256
feaf2d882de5fdc833ccff0e2acae15ba0c61d898c2de76d43c0cbbcc4d2a411

SHA512
5967b822f1ae93a099b204a1c3e3d55b548cd45f1888f6dc8e01b59d0166626146ae599378cc1bf23f099314283a3793f83a23d4df23eb548c1a1f45e4404fb6

Download Submit
C:\Windows\SysWOW64\Ebmgcohn.exe

Filesize
96KB

MD5
5490bf89144ab468a0e349d5400c1613

SHA1
3fdd61e59ff11b245e3a89fb738e00db989c32ae

SHA256
43158e927fd804f0beda0bf4adab23960a97689e9932387173799556928bd97a

SHA512
2b202b3a3fd43406e0efcb5d832869d07f4c7b8f339e1087e5883c624a2e8a3736ccce6b5ad2d0dbcea996e7e0101cef223df99593f16c553356115a8664dbec

Download Submit
C:\Windows\SysWOW64\Ebodiofk.exe

Filesize
96KB

MD5
1ec130a5448c8bee64539eda165c1781

SHA1
0789cead8fa7181ea07ca331c4dddd3dd55c4a5f

SHA256
a078055e5b334c0cf7cd65b6cfab60f192cf29ee4f53fa3fe5ee27920fed5498

SHA512
1a0e584d547f91f572e48d8c6224dd68259ddf546500b376d4b9d140f720bd49ddabd0793c7739dac5bf65503cb4f071ddd9c1b6da4e997af79cba56a159e45a

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
96KB

MD5
93c8792b8e3b029405e86f6e105c3849

SHA1
8b169d73e6e88910e2fd2f35ab407cfd60d84b74

SHA256
2fd2105b24425e13cbd8010cd1181111f3654eadfff753176090f8076dbb4a68

SHA512
71a30c77d03926857edd9420c5b5daca2d1e0c642ef7f6903c41c654b41eddc14ff3e680df5237b580542ba22542dd1e6c356381fed314cf4a4bbc3381ba003b

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
96KB

MD5
9bed304ab68bac730c24b6157635a34e

SHA1
ba697210faef51195dd48f44a59977c97b042bb1

SHA256
ad10ec9e0efc749e1cb2934a01e9efbc231951b5aac217a93a78b1da6f1c4142

SHA512
b8ec6d50c05425ac05f855b8e4f431c36ff31a74ce29d15761aafb06feffe5ca14d45f2db8e42b652d7881d0335afcc04da2b07d8a6a6ab876642766e451216a

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
96KB

MD5
3efc07fb371f963b5b714a239b13784d

SHA1
dfdca12509abcca85428520e0cbcae84c866411d

SHA256
f1b7564dc22f5cddba2b8fd4d5141b40a7c485bf95de74fc6d1a799c5d02f724

SHA512
e27bb50bb5aec3c9dd98b2e39c8b0e1eaf7199f6517a62c2f0e1b03b0f22f4f28a39f270a6ccac67952b48761e773a8726a532eea2374514d9406b03f7023997

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
96KB

MD5
f3ca8a22600f6ea769c46607eeaab820

SHA1
e522cc14b34df38763d28478ad91c0dc7d35c2f8

SHA256
c9861d78d9dff361ba57c03c85144819f866913b62358e1ad63dc540200b0252

SHA512
5e0bb224d93a841dd97f05cb5b4b128075e79bfbcbd3e0e1f83c0896e8d752a6961993d63c002e75e96c28431b44142d61ddda768640684324e283f20661e7d0

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
96KB

MD5
9b2fd8bc30f89ef4773572a6bea309f0

SHA1
41a43fc639ba83890161701f4034b9dde2c43c56

SHA256
67a98d59b0a6451117942d258b73768ab85b91a1f6926dd773b1b132a5861cff

SHA512
c43d30b9e5e7764d33d9f016161423e87e36d6846cfc9d59ee831679c80a43ae351e42e7dc7d0ae9157063116d79b8c0e961e6ce13b684068b1043197ebe694f

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
96KB

MD5
b03391089eee48be4664316a3603e0ce

SHA1
196067c0b51959657ece36ac483c20275c5b47b1

SHA256
6f1c989f51da2edde81e41009aa146eb929ea869686284628b73e68edc8572d9

SHA512
56f314c146731ea5a147fd973e8e1cb9b2233b004ae89aa5ab7078562118de904c523af62c7cbe609d34dbb7ec49a7d945142a66c151a54edb90afe441fa376f

Download Submit
C:\Windows\SysWOW64\Eqdajkkb.exe

Filesize
96KB

MD5
7b58489f8b092163f910f20e455da358

SHA1
608872f4b01c25c6c1dd0f8de3158ed43008bb8f

SHA256
e7f94720e81ee1cef250aa4f539deaef058e101066b380264cd69aa4c65a6899

SHA512
3f771b5756345c68a0051c1bf77d9f816a3de419d4fb769400a18da36c606818ab9a26f5f7d9bfaa98e8c37ed2e31d642fd279f0849afa609c46f16d38044141

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
96KB

MD5
0b20b1d237dd5118904c417b4d44ea60

SHA1
2ea2d7c612fa1a42d3238a864e8b5ee42429e308

SHA256
808c553f5e85f37d9a1f049157129658a8dd21e550c3dbe9d29def98a1fa129d

SHA512
4b531608e4b1ea144d7bb605960dd57ad70fea04a7d4946c400cf3992535f36426c9ea000e12be28aece096c61a3bac17a0cfaaf5a870c2241c46ca89e49b229

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
96KB

MD5
f7e60f2214798d230fdd5a40a10b9b19

SHA1
09d39715bc538e4774eb6ad542cb424c1d6a028d

SHA256
8d1146d70016ccf654e1c48a8e550bd3b512839190f9a837523537a543eae4c8

SHA512
36daa95f6b8d26afdbd0d9f9d962e2bfb9ea3012a3e2a47dc460e1d31a01169308297b7c6b4b122f5b48bb0d78075b4d2e7e674cbcc189a90858ceb3b5f0e974

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
96KB

MD5
dc5cec8eea42072a5b2a6282e5c68b2b

SHA1
01487baab9fd280324c696726a3f0e9fe36f91c9

SHA256
8095f33c68190456c4f3041f212547b4c9a53920136616e3721edefd0d78b79f

SHA512
66a665283692d9f9aa26283e17b75d2a04808b28ad2dfe0461876bcc5a4a1b48318c80fa53d211a0bcb907a585e027163b0bb62ce099289d43e8c16bd47b6785

Download Submit
\Windows\SysWOW64\Baakhm32.exe

Filesize
96KB

MD5
fabf79e27e9ac2809b897ae7b6ec55f7

SHA1
5c661e9202509b37eb46af8ddb82869f1d6c9219

SHA256
266b6fd74b5b7444728ed847695b9ef00c46f60ca3a4fcbccbc0f083f08725ab

SHA512
1015c687ceeb5c00755cde85e3b5b8abb478668daea29462eef2849cd7dbfcd0cad542357dd7f438adcd4dd32133731cac70894fdf3f9610f4fe4462ce072790

Download Submit
\Windows\SysWOW64\Cghggc32.exe

Filesize
96KB

MD5
6efc775b5bfd3f39fc5764c06103152a

SHA1
d1a8e1a472e20ab2cc3b2d14f0ef09b24da79d25

SHA256
6b9b92c8dfd2d6f43bedb26a366790edbf8754a5883187dd87b1bb2f9bcc4a1e

SHA512
38dfe967569cba891b6966ddd5780c33825d0717f6900f2fc2817df8655377f65d365b9b4adee1b9cc5afffad2147c2a84923b4695cd0903d937299edc4cde6c

Download Submit
\Windows\SysWOW64\Cjdfmo32.exe

Filesize
96KB

MD5
60852a1eda45df260d57e8522f8dbd66

SHA1
a50c5b30bb2856756d5f273386d2252bda72e8cc

SHA256
e6f471a8cd866b29581845b635cef704a36c4a000c28ab024b1a319e035dc729

SHA512
7a4015673625d10b1fd0821eff012ad18ef0e796a4cfadd6bcc9b4c159aca1f392a69362616c6c7b460ff509a617a676a3e7dee7572aa42d98571e1d050fcf50

Download Submit
\Windows\SysWOW64\Ckoilb32.exe

Filesize
96KB

MD5
2ea82d167c8ad34dd93c60f2bab03fbf

SHA1
aeb670f7e440127711fc541ce84177d8a0e446ba

SHA256
e6fe64b1db40ccdb634042387eb2e5ce3a4a5cb2552404f2404b5d14ed6b6f5b

SHA512
ef5f8c086c454a17bc2bd1682d947e97b093708cecbe32306c92d5db058e8b183c94c10b8982cedd981afd22bf78787cf18f8025494ef36473215f24787eb145

Download Submit
\Windows\SysWOW64\Clilkfnb.exe

Filesize
96KB

MD5
e4629162df77a8f964e3a81c83b35bf8

SHA1
7cb43172150dc62771afe625ab04cb70170702eb

SHA256
c1dcbc746a54b7995909c791bcfff748084221a72ed45a92f1956ae0e840abd6

SHA512
6a4a60b52633e26e2bf57d19f99c5b255f0b42b17091f52fd316671f246e6d96d58d9e3d83420802a3865106ad11257da2efdde8e226fd94ca7bc49634f60693

Download Submit
\Windows\SysWOW64\Cnaocmmi.exe

Filesize
96KB

MD5
72e3f089993b37476d54d832e865206d

SHA1
1f3e9ebaf31424de98b4783e4fac8f2bab0cc69b

SHA256
334c08d70ee2c3ca90ac510a802dee89379d240c45c6803fd888042f8c1eec5a

SHA512
5bb75de0b6170867318751fa15d731a2009f37bdedfcfcbb2ad136f49ba6e2709d4cb11e223ce49749c0e1b21afc12c62edb7bc72452e52738192d6e1737f0b4

Download Submit
\Windows\SysWOW64\Coelaaoi.exe

Filesize
96KB

MD5
63bd893de704226b1ca6b9e85d0e8b8c

SHA1
3ba90c72e6b0c2572bcf612c0b5c0b068c740e34

SHA256
846f985b7a537f032560acd465412eb16f789f835838dc66db02720cceb744f9

SHA512
b431f0999a5bcce99f2723b710f60473aaa4ae842bbf76e313ff9de6a2622628cb7da613a41c9c548de0958542812bd1c53e5c96dcf076cc64fbc1a0b129da24

Download Submit
\Windows\SysWOW64\Cpkbdiqb.exe

Filesize
96KB

MD5
112ab3cef5b516cd4720651d574f435d

SHA1
f4f9e47f584dbc510cee3afb81eaf5d6e3540c29

SHA256
4ba30fe295cab7d1f7ef30c3dd6d53d774f26e55a8b93304c22b0491747ce529

SHA512
93a82d1407ca0a6f4a1232dc4e0640e4d7b1adc375845018a4572d90b4472ceea2462f0dc97a9c107d3fd5005cd9b2df8dfb95576750275f319191e979fe3bc5

Download Submit
\Windows\SysWOW64\Cpnojioo.exe

Filesize
96KB

MD5
cf57bb1349c43ea7d0a33030027d7ebc

SHA1
18df2378cdf57b458b0e20a6427d450aa54e589c

SHA256
9a0563cfbbe51b3b1e229bd7ecb7e269a50959c17f410f054373d9381303cf43

SHA512
96a33ed12f956e70e039bc676f40fa6da31befea57d901577375f0bab5897d6ea052987c286351db0aa7957f31c88cab03ab608415c3866e1bf86edfb9e2e930

Download Submit
\Windows\SysWOW64\Dgjclbdi.exe

Filesize
96KB

MD5
1894483bab4b844544e248269b313921

SHA1
15c42acc63a36fdf698e075f49c00664fe7befcc

SHA256
7d275a182f44b61b77213dec0e4c6d8f0716d5f8b5cdff158e500fa784e38ff4

SHA512
863cb49bf7e4f87c205198b6b502edfc5b5da7b83041c8303f1610233136d9e93afbb11cf8355ead3518066f557aaa1c941dae3e7f372fc559e4fa3d212715ba

Download Submit
\Windows\SysWOW64\Dglpbbbg.exe

Filesize
96KB

MD5
cff35930f207722bc0fcadf91c2e55f8

SHA1
7bdc265f4ed4091a5047560798667813c4714872

SHA256
1d5a4a00bab5003f2c75cd5e2308b4967660c44e5eee66b0926b46dd481690a6

SHA512
32d9a358e488eb102ffdad58321a069a4a8e28ac2af7332bc8893b3175a00118c27319863e10742ba096822751d9656d19926ea59653e314f1548043078e4393

Download Submit
\Windows\SysWOW64\Dhnmij32.exe

Filesize
96KB

MD5
ddca2bfdc48c650c808391a233e36aad

SHA1
4b42dc1bd8a4bd63e461552b638cca42d91fa9e9

SHA256
339c05809e9fdefdf991ef1331821b8634694847203cd29e20b78f38124f383f

SHA512
275f7c3b4d0fc15016ab7389bc4f232ccad0d5701c8434021a6a7f6f8aeb8fbf2de681ff17b055ee9fab3ada31160b4d9b77e766498f3ba50bf674724255e923

Download Submit
\Windows\SysWOW64\Djmicm32.exe

Filesize
96KB

MD5
a70bfbf37b1645c29866f1e86dd21b8f

SHA1
24ba576b1fd4fd71e50a310d898ef619e50b27e1

SHA256
720bac4d0b2ad1242b5e1385f9ef3ced14b7bcb2152b4318c5f187041a46ee87

SHA512
7cad63dd51913cab760b959beef52ef5f80fad8116bc21b257d44df9f447b4c5fe37b4fd96673d4195366a8456919fb1a9848c469fb75b1a7d690e260e9942da

Download Submit
\Windows\SysWOW64\Dndlim32.exe

Filesize
96KB

MD5
3073c9fde90c4d9940a916d63098e6d5

SHA1
98db4e4534492c8de27fc4dd0cab1c3c506cf260

SHA256
5d99968deb019ba98ba97221e5eca7ea1bf219f686571bbd6310063fd6d0a882

SHA512
dc2148d9244c99e3c07acf614c899bd914784c1a448d4c4a6a6ee241850048401885b0dfa8a4a5c3c911914c3088196a7f36cced3741a179c33ce87271469643

Download Submit
memory/632-212-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/632-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-380-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/768-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-240-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/896-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-289-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/900-290-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/900-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-315-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/976-314-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1492-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-108-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1492-102-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1492-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-300-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1656-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-75-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1656-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-353-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1700-12-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1700-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-357-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1700-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1980-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-224-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2220-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-333-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2616-332-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2616-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-376-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2724-34-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2724-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-40-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2752-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-321-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2752-322-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2768-92-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2768-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-20-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2780-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-344-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2856-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-343-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2880-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-66-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2904-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-155-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2924-161-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/3020-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-367-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/3020-368-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads