berbew | 434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
Size

64KB
MD5

9bd516f954b22d203bca3ca892b57ad3
SHA1

c6cdd7f00e88d6133ee4e3ae989fa27caaaedb91
SHA256

434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257
SHA512

43d9a9099a6870581abe922143b6b91ce151e8d7f39ecd7d17e28e9167552ec411e4f1c5e66e98ff2f820ea8d8e97ab8a88c1b906ad050b265f1a983490429db
SSDEEP

1536:a21zbY3/rKpYFJFQUBQr6GE90DinU8TW9NlLBsLnVLdGUHyNwG:BNHpYFJ+AQWGEqinpqrlLBsLnVUUHyNX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
4264	Cdfkolkf.exe
3508	Cfdhkhjj.exe
4032	Cjpckf32.exe
2444	Cmnpgb32.exe
4840	Cajlhqjp.exe
456	Cdhhdlid.exe
1592	Chcddk32.exe
3412	Cjbpaf32.exe
4288	Calhnpgn.exe
2260	Ddjejl32.exe
2032	Dhfajjoj.exe
4480	Dopigd32.exe
5000	Danecp32.exe
3100	Dejacond.exe
1496	Ddmaok32.exe
1248	Dhhnpjmh.exe
2892	Djgjlelk.exe
4472	Dobfld32.exe
3028	Daqbip32.exe
3772	Ddonekbl.exe
1580	Dhkjej32.exe
3348	Dkifae32.exe
1596	Dmgbnq32.exe
1492	Daconoae.exe
1116	Ddakjkqi.exe
3880	Dfpgffpm.exe
3436	Dkkcge32.exe
860	Dmjocp32.exe
3560	Daekdooc.exe
3096	Dddhpjof.exe
1564	Dgbdlf32.exe
3252	Dknpmdfc.exe
3952	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4940	3952	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4264	2104	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe	82
PID 2104 wrote to memory of 4264	2104	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe	82
PID 2104 wrote to memory of 4264	2104	434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe	82
PID 4264 wrote to memory of 3508	4264	Cdfkolkf.exe	83
PID 4264 wrote to memory of 3508	4264	Cdfkolkf.exe	83
PID 4264 wrote to memory of 3508	4264	Cdfkolkf.exe	83
PID 3508 wrote to memory of 4032	3508	Cfdhkhjj.exe	84
PID 3508 wrote to memory of 4032	3508	Cfdhkhjj.exe	84
PID 3508 wrote to memory of 4032	3508	Cfdhkhjj.exe	84
PID 4032 wrote to memory of 2444	4032	Cjpckf32.exe	85
PID 4032 wrote to memory of 2444	4032	Cjpckf32.exe	85
PID 4032 wrote to memory of 2444	4032	Cjpckf32.exe	85
PID 2444 wrote to memory of 4840	2444	Cmnpgb32.exe	86
PID 2444 wrote to memory of 4840	2444	Cmnpgb32.exe	86
PID 2444 wrote to memory of 4840	2444	Cmnpgb32.exe	86
PID 4840 wrote to memory of 456	4840	Cajlhqjp.exe	87
PID 4840 wrote to memory of 456	4840	Cajlhqjp.exe	87
PID 4840 wrote to memory of 456	4840	Cajlhqjp.exe	87
PID 456 wrote to memory of 1592	456	Cdhhdlid.exe	88
PID 456 wrote to memory of 1592	456	Cdhhdlid.exe	88
PID 456 wrote to memory of 1592	456	Cdhhdlid.exe	88
PID 1592 wrote to memory of 3412	1592	Chcddk32.exe	89
PID 1592 wrote to memory of 3412	1592	Chcddk32.exe	89
PID 1592 wrote to memory of 3412	1592	Chcddk32.exe	89
PID 3412 wrote to memory of 4288	3412	Cjbpaf32.exe	90
PID 3412 wrote to memory of 4288	3412	Cjbpaf32.exe	90
PID 3412 wrote to memory of 4288	3412	Cjbpaf32.exe	90
PID 4288 wrote to memory of 2260	4288	Calhnpgn.exe	91
PID 4288 wrote to memory of 2260	4288	Calhnpgn.exe	91
PID 4288 wrote to memory of 2260	4288	Calhnpgn.exe	91
PID 2260 wrote to memory of 2032	2260	Ddjejl32.exe	92
PID 2260 wrote to memory of 2032	2260	Ddjejl32.exe	92
PID 2260 wrote to memory of 2032	2260	Ddjejl32.exe	92
PID 2032 wrote to memory of 4480	2032	Dhfajjoj.exe	93
PID 2032 wrote to memory of 4480	2032	Dhfajjoj.exe	93
PID 2032 wrote to memory of 4480	2032	Dhfajjoj.exe	93
PID 4480 wrote to memory of 5000	4480	Dopigd32.exe	94
PID 4480 wrote to memory of 5000	4480	Dopigd32.exe	94
PID 4480 wrote to memory of 5000	4480	Dopigd32.exe	94
PID 5000 wrote to memory of 3100	5000	Danecp32.exe	95
PID 5000 wrote to memory of 3100	5000	Danecp32.exe	95
PID 5000 wrote to memory of 3100	5000	Danecp32.exe	95
PID 3100 wrote to memory of 1496	3100	Dejacond.exe	96
PID 3100 wrote to memory of 1496	3100	Dejacond.exe	96
PID 3100 wrote to memory of 1496	3100	Dejacond.exe	96
PID 1496 wrote to memory of 1248	1496	Ddmaok32.exe	97
PID 1496 wrote to memory of 1248	1496	Ddmaok32.exe	97
PID 1496 wrote to memory of 1248	1496	Ddmaok32.exe	97
PID 1248 wrote to memory of 2892	1248	Dhhnpjmh.exe	98
PID 1248 wrote to memory of 2892	1248	Dhhnpjmh.exe	98
PID 1248 wrote to memory of 2892	1248	Dhhnpjmh.exe	98
PID 2892 wrote to memory of 4472	2892	Djgjlelk.exe	99
PID 2892 wrote to memory of 4472	2892	Djgjlelk.exe	99
PID 2892 wrote to memory of 4472	2892	Djgjlelk.exe	99
PID 4472 wrote to memory of 3028	4472	Dobfld32.exe	100
PID 4472 wrote to memory of 3028	4472	Dobfld32.exe	100
PID 4472 wrote to memory of 3028	4472	Dobfld32.exe	100
PID 3028 wrote to memory of 3772	3028	Daqbip32.exe	101
PID 3028 wrote to memory of 3772	3028	Daqbip32.exe	101
PID 3028 wrote to memory of 3772	3028	Daqbip32.exe	101
PID 3772 wrote to memory of 1580	3772	Ddonekbl.exe	102
PID 3772 wrote to memory of 1580	3772	Ddonekbl.exe	102
PID 3772 wrote to memory of 1580	3772	Ddonekbl.exe	102
PID 1580 wrote to memory of 3348	1580	Dhkjej32.exe	103

C:\Users\Admin\AppData\Local\Temp\434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe
"C:\Users\Admin\AppData\Local\Temp\434d4986391ec76439ac970ee2a7e9e4d6e7cb2f18ff414fa859a59383540257.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Cdfkolkf.exe
  C:\Windows\system32\Cdfkolkf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\Cfdhkhjj.exe
    C:\Windows\system32\Cfdhkhjj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\Cjpckf32.exe
      C:\Windows\system32\Cjpckf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 404
        35⤵
        Program crash
        
        PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3952 -ip 3952
1⤵
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
c121fa3378255da3374ca5dfe27e557b

SHA1
39d2786555f4fa23435ac62c10cba82b6c9265dd

SHA256
f6870845a00cf21d05ce4e5c16b0a2d02b76cbaf712b61580044e54651cf4b16

SHA512
d0097f8fb058dd3851e1b2b40957328fe4a2c1003c1f26f5c04adf4dd21df376e931398dad922843d7116f3219361f8edb191e1ee19bbbf79d4ae48effa7fcfa

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
2d214a75a7bcc6e33d7f6a9b613086ba

SHA1
4806bfd80092f4403a4930089e2b538a40220863

SHA256
a7da01317afe074fc8ff1d6f77d83dce80a2c7fc1d33bf8128b45da355d3ba11

SHA512
e307c608ed7ff171d6b7c88a8b2bb6a385522b5e7ab211e2c9071d983ccdc93eb53cfcbd09d02b46528c6b2bb51e00306caadf1f2e050e21041c18a82aacdffe

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
8e6fcba340934b0f5d1ec18a6538eb4e

SHA1
733b085d820c59d51a81caa81487e28bcd770f5e

SHA256
a32e17edef3b5afe9fc1aba1596e1cdbc498acecf4696c30a8d0a04adf874fa7

SHA512
5a42e440a9e145bc8a308fa65ed28c5507a7cdd4ff6780bf25cec2d28a5932da5c3b082aefe7dcdbd1c111719b25d44cc007665d5f5b4125a5d6465cded76084

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
22d74a8b49743011667143c3c0299118

SHA1
5be3159e3513354e959c91f58d3bb02f355b7c84

SHA256
01f225d6d5044456da3132153755c5a9b48405364a69049e83fb1c7827e19153

SHA512
d7ba0b2205335fdf271668a5e3ee052a55b32210de0d8d3a3fa1ddd63bb587d33e9d750468da7ad48e92ee11bc2bdfc9e49d3b626af8a5af482fe9261e581160

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
43564384082d552538e254d4dbfad4ed

SHA1
06b010655a9a6105917567a1a7ef0f188aa5884a

SHA256
cc448068d1b93e25a28e0973219adb8b53197f874d4837da0a781cf48e7cb3c3

SHA512
71724dd319f7519db33a59f08e5a03e3674631e398bb98722ec42ceb82b6311cc0282d0785484ad9720543d0aaab4b7bf19699d52b90c54d7dc4007eb620fca9

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
801446031efc5ea8baef5a2265ae1268

SHA1
a2e7ed75ee33d50ce3ef70282fb26465a2a4b3a1

SHA256
73bfe75da1bb2a7f0826049daddf6084135b854f3d0e02762b2520b8b0c0a10d

SHA512
6b79c14df113eb110f4d1abe973c2d1f472ff85b5136538c0efb88f81aeb2f6950a6c381afb480f1af607aa356ff1fc26f5d0e28ea8180b169e23b4b25e0025a

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
06b57d27dede5d580324bb4c35a4baac

SHA1
1af4c5d54fcd8ac061f206e533daffc9d80c2c17

SHA256
dfbcbf1c47ef14dd2ba68ccfa5eb9320fc79fa467d474b95b5b88c5b47b1d5c6

SHA512
fa6a884ef43c4e1340dda6510524aa7524fbdf3f8d2866cfd72fdd4f3b3954840de81d9d9663bc4430ba2a1a13463836ef002ace5962fa1c7261d862671d6997

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
ad752ef32227fb8fa055a337d123362c

SHA1
058c8f6e7bb29ca1e06b669e5f60089f156d3698

SHA256
3741f744cbdb3407296e695289ecfb9980ef5883d0869fe44a4bf5780a663839

SHA512
2c925f60975f8d5a816edbc1b7968d3006be46da6e31e13a72dd8b1b18ba83a3482282204f77b6b4e4cb6cd7b229b1df9934e0815896429afa0a7dbb76ceac9d

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
3024d2fa25684ba38aef44bf94790074

SHA1
758a70a0f66e51b020beda13b172b4ed731578f9

SHA256
474e1827b2f5565f2cb04d676fe2cb08b041a6ac1a135b763ad24cb631b8baed

SHA512
7ba629b7a5075f9fe6f6223d289306e5ce8680722c652c9f336e21932a11908c0b317babb8032dcd37198920e64e0d64f9f09597337e4f6779ee099a607acbfa

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
64KB

MD5
040bc5481da8b09636370244ecea6268

SHA1
0b0657296c93fd61b8eeabd312544ed2076d99fa

SHA256
1ab2b691ef28820e44322396b6f92a7dce2977b616b09a8e162a300d439f04d3

SHA512
dfd98afab250e3c23ab98f6547a1adaddc8be7acc0a03c6a719af5d9aef9795c12d1a71a7d6b92cebaa9b6399d054d5f1a9e4155b9c249918d29872e0c86a3c4

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
7c39b7c345c245f5d117d6f3947f0796

SHA1
d39462cfeb8cb924c42c169add6454b588d6dfce

SHA256
8237cfa3421e0e1fb2e3360989f6d400a85a204ebb8bb857a1ebd0dbc0113e51

SHA512
17af0bd48ddef23b7685c444963047a7daeffdca033def45dce820b3de5832381b892eaa5d3ace05302aaf5382087c65fc5348ce1b48d62e6aa491ec67f8a116

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
a1b4fff2639e1d657e4dbfe4c42e716d

SHA1
dce308c26644b3533f98ab8db866cf1c7acfa4a3

SHA256
efd1eb137f5e13606cfb083b43cde05731158a9bfa74c8925e3246f2535f062c

SHA512
12b74e9d41e6f9cb24e5aaee68b957a3cc57aba691ef8ef746d49831360ad8a6061358e7bb3a5d19cb444d4de874f56f8c4df21743c0d690f67d0750ab01819e

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
48f37ac446185862d92ff8de18d612d3

SHA1
dafbf9a9aab4abd9d46165e43ce189aa1cc283cc

SHA256
257ead5d58cf604268365109d476008a1d1b3706467e3bee6175fa6d439d1282

SHA512
f10fe41d5fca7de15e4586ebaca5dfd2ff0814bc4f44099f8a32a4026a6d09a565e8990c09ee8b3f0c3104a06ba1bab485c7ee437c99c8d99653bfa72fae00f7

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
a7059b8f27f08556eca6ae5a3503d9c1

SHA1
2f4b3b88a8ead7c0e9fee3e041c2db0b74cee58a

SHA256
f62d03dbe81ef456fd07857ee95f848195cb45c92c3849e39d0ccc5721d51191

SHA512
f99310ebad7fa2cb060850f85f11c973540a2d59ed2430a8ad2aed4e5df477776f45456ef6825d7484befa0d9f651d5274a6ec128d0cade9725590a9e5468ee9

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
64KB

MD5
168ca475b7f6c817c2e720548c8c7e56

SHA1
b2c8add535b464445309300833c8185ba0e80b9b

SHA256
2dfc012c7223d05ff5448bbb15948136ee61ab9c506549a5045befd12d94131c

SHA512
50a9696aaec8ca972916fc06f936f3c7d264006ce994e6a419ae32e0c489b3f08e258254879d668991c774db59cac9441c0bbd340e2e58deb52689aac36c7ca5

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
8b33a53429e704f574e67fb321e32619

SHA1
fa2ce45c2c1a328da34b133394e9d2ff726053b0

SHA256
befd5e5cefc444f16cd1e488ad0f672be8088bc2c8c5de23b0e2da5790e4316c

SHA512
1df72653f46a18c45745eb7b3d98f8e384b50a4f69fbfbee51ced03241ad1dcac9351904c3215a25b8dbaf65f917bb7adb5c72c14ed8bc571984af58c70d4029

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
3ac5f66382f05f4a188b5e5826193338

SHA1
f8d35224c44f9a3dd7a4e03381aeac78758fdbd8

SHA256
83be8ef3acbd10c7c6189d904a15b978c86dd02e54836e7f1ad1f4a715a28c84

SHA512
bb918941061a61fd6ce99fca6af5898b4839806d1f16f8e5a2ee34195b6839274bc7a2bdbc51cf336ef2cae62071f986a7b2ea74ba681e38852e6d5a4790812b

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
024d40d950783d9ffdb99557560c39a5

SHA1
f6baca8df995e26548ba15ef1ceb92e900361c8f

SHA256
5b24e13f63822ef037c4d4b8f7c6e85577ea69effb655331cb53097b6bccd7e0

SHA512
2a91385cce1b0e4b072f8c8dc16ed532030c1ca2f3bc95b444c0d568ed245ce2a97bce09ce3cfa03e2c8b7b6c05e2791bf8bc5993c9963555b381d6c28143d4c

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
462dfdacd4c4a33adba9be6738606404

SHA1
eccbc2272b662a52c8715255a816c115ae8ccad5

SHA256
98a7ec8d05782ec4502ba604e43a0c43926d201a0c163c988c6cab6110800389

SHA512
4e30b9239a40e97e94a76698a49af80b8dd1d3111d87e4fee3a14aed4df38f25e98ee3944c1d0954addc483fa6cc4cec85450568bbf3cd54b563c560c3552742

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
55a7b0adb18a17d7b69212fb3d90076b

SHA1
f071275638410a34ad1db55e720aa86f3018a90e

SHA256
9a23c8e669c31ce7e47a89693c39b3bab0f7eab1bb65e5bb426a82fcabc1a779

SHA512
209fa918695da682561205fbffc54b2f1c6b8a3dbe2e1a5f5eb67af0c803cc3f568434dda7f06dcc61e5857bc55027562e773d44c905fd739c611c57e933507d

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
4769b910a53fa3bfa1df33f8d8cffeea

SHA1
a82d3cb9885fcd328cadf8c91ab47feb14871366

SHA256
cccd07d692c82d50ee928513dcd3454360f7b956348f45c489502bbb00307760

SHA512
4b915b637db8b12dfa4e1cf43aba1a799008078ae1e8826821e16c62ee9a33659974ed878e85d78d6ffd7c163bb794f417f4a9cbd855ae7762287ef0ebeb5e96

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
f5e61b26286807e6eca14c8dece7983b

SHA1
2a1ae03dfbd08713ab90c55ca45c2c4e8b53c0b1

SHA256
bb52492cb371bba0bbdfd1f14fefbbfdfa31693875a43243a05584f808094f11

SHA512
4ecf80237fcf3b5aafb293d3201e23c62448853f125c01ce78ceff80330e15824f845a94b9e3faa5721706bbbeadc32a4f24963c24192d59ad60d672bba6e5c8

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
18f431d614e66b48b329989d81b6b08e

SHA1
6500e9551ae0390cee59dfd23c024fb5a3bd275d

SHA256
7fe180fd7d7d569e3cd7e5e13a6b7296038cd7a29570285dd075882ffb64c588

SHA512
b6153dbc409b12d872b5cecc1410ca725f9be64c7c766d62ee8a5450c720e95c8b1d26b9e27ff5ecb19fda3e368fb060639defdc618234ebb2d7b7a27994d383

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
7489d21cd222dab79cf66b672ab4b0b8

SHA1
124a52506ed1bbbc48bc7fe8709e9474bb8f816f

SHA256
510d6ec06f262380c3cf899c2fb2bf9847a1df1627cfb458fbbfad5a1f0f36d5

SHA512
c736457357c70988c59894e5106ba4330208cdf819bae6d9b677685a1aeb419b99085914f535f29386bbcd7a80737b7eb59ffafade2e56ef0e0c9845b1dc15b0

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
4a8e135a20d5bf30b7013c0d3a6f2e3e

SHA1
07cc2f34ed190e1a76fd8bc243a7de9115d26637

SHA256
171dea812a9e616d7efc15d105f5825376f68f8a1bad076253ed9779799a84d9

SHA512
0c508de603f595b64b4ed4054ebb78b86eb45f64e8b0f8a25273fa1ea225a46712d6c798fdc0388e715bc1f185318e7b721f67e8d65f4fc77d9785d88a39dc92

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
6da280d7a2a26fe0c58d7345a3ce4ef4

SHA1
5013184fe01873a17fd355c22a13819ceef679d7

SHA256
159e7c5dcc4815dd48ebef55b1b80a27fe24ab2e84330e0ae7ef2fff5cdafef3

SHA512
305671bf75d3d4bd257227e23e77449136976266e5f9bc1046c7c178cb9722ffd9204b56a0c690f4f73fc2cca19db6fc7fa826ce0d211a454403415c7fbe6bb4

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
7a4487747f0d2a9dba7c12d4358cc0df

SHA1
8ab5e37afe42c389c290b06f789c80a177485282

SHA256
73d25b6ccf947f0d2cad5598cc5bcdf7c80221f350b2e46f7f3bf7018193e476

SHA512
5230bfa58d6f5cf6a84aef6b46a0885f1d6d5712534beb2921e3548a9ad43805804b4aed182209b850fd4799f843565eac15ef35d214dcc3e3b71b6d887e1646

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
64KB

MD5
a80c963b733563ef32273e048960bc34

SHA1
ce8a428710881d8b07207d3c90703067aec4e31d

SHA256
2c190409f89d902510ebf8fda8191f1dc5b70a635310c19318990843123b839f

SHA512
b1de6d48b38370a648e9ca8d17cd5b49cec8209e4208a8bdc75257696bc2515a011d5acb8a1e59ec498476cfa9340ff072a9a8f5bc1f2a05c5f2d966e64a5f0d

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
99ebe6557c4531b02adde1a3f4cf3e62

SHA1
67c428f0650a833261ac853014a46ff5304d097e

SHA256
bd64df8985f6be5e05d9d4bd690a965f05f281096f1782e9f3588445a1b7cb60

SHA512
94db7cb610adb56301b3f70684f5118f6037b9924d84e3a7d4c3830aec3595dcf78538373986fcf9f9b075d64419795b84245ca5f0879296525e7dd04a85a598

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
64KB

MD5
c662ef14edf2ad36a9d86e6ef2f37342

SHA1
3d8c5fa48b696ae40635c56d8bf642a00202f2eb

SHA256
70d3501841308f781fae0b13edcf37a6eef0ba1fe075390fc8c2e0a01480e5ee

SHA512
a0652d4bf5fdd6720c336a9c6af4687288cca4dc4740182ae6ad70b669d67638ab3300f8e5bc5206ecc1733a6b870090b70783c3dbc2b46f0598f0f032eefd7e

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
225d1c1cd6946954e49c4e1a93502639

SHA1
469fd700578720da88d137259646521c7191e5de

SHA256
ac5004074a8357bb13db04d590972cd4fc07a2b8b03cac7958d7ec73cb44654d

SHA512
be779bcfc2eaa237ecde85df5a8cbbe03de733cce754f74f0e7f47e252c49ee183cc41b11f7c5e6dfac9a58ea9e7fd7d5ae2a25924b3b10749599a70580f40ad

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
e0fe23bf7f26e498b0bf83a7d4742709

SHA1
c9aeb04c9f2cb93d9ed4d132c17cf506c3943df4

SHA256
81c1a68511fd7ce6e734ff21d165127ed577ddd69156150655d090171294bb07

SHA512
e90b55fea7dc3eb9c1f8bf02e8eee8345dcf905860bedaca5eff25f9ba42d9c5d560faf744306b52e91d88a20e2971d38db30c4c574867bd294acb053415b252

Download Submit
memory/456-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3436-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3436-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads