berbew | d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
Size

96KB
MD5

4f798f8ed42315e9f76cb3164e51ed12
SHA1

7ef69f31164c2b27c572efb319940bf4ccd5d892
SHA256

d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3
SHA512

d6c2ef62d8c0d488ac8c90777c6604ffff198b1aaec7fe6d57640366fb49de17e6c0c5102098a297f2a1bb83e9791f4cc190e765cfb80bb947ff4a40cfe70816
SSDEEP

1536:9VGHlQCzbA1z2ZP6vDaJ0voY32Lm7RZObZUUWaegPYAS:DYllz0SZP640ImClUUWaef

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cbd-182.dat	family_bruteratel

Executes dropped EXE 32 IoCs

pid	Process
4588	Bcoenmao.exe
644	Cfmajipb.exe
3896	Cjinkg32.exe
2336	Cmgjgcgo.exe
1932	Cdabcm32.exe
2804	Cfpnph32.exe
4228	Cnffqf32.exe
3740	Caebma32.exe
1540	Chokikeb.exe
1676	Cjmgfgdf.exe
1468	Cagobalc.exe
2400	Cdfkolkf.exe
4564	Cjpckf32.exe
3388	Cajlhqjp.exe
1852	Cdhhdlid.exe
2260	Cjbpaf32.exe
1544	Cnnlaehj.exe
2328	Cegdnopg.exe
4036	Djdmffnn.exe
4968	Danecp32.exe
4576	Dfknkg32.exe
2368	Dmefhako.exe
1772	Ddonekbl.exe
4952	Dodbbdbb.exe
1352	Deokon32.exe
4932	Dhmgki32.exe
4184	Dkkcge32.exe
1348	Dmjocp32.exe
4636	Deagdn32.exe
4724	Dgbdlf32.exe
2540	Dknpmdfc.exe
4432	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	4432	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4588	4308	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe	83
PID 4308 wrote to memory of 4588	4308	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe	83
PID 4308 wrote to memory of 4588	4308	d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe	83
PID 4588 wrote to memory of 644	4588	Bcoenmao.exe	84
PID 4588 wrote to memory of 644	4588	Bcoenmao.exe	84
PID 4588 wrote to memory of 644	4588	Bcoenmao.exe	84
PID 644 wrote to memory of 3896	644	Cfmajipb.exe	85
PID 644 wrote to memory of 3896	644	Cfmajipb.exe	85
PID 644 wrote to memory of 3896	644	Cfmajipb.exe	85
PID 3896 wrote to memory of 2336	3896	Cjinkg32.exe	86
PID 3896 wrote to memory of 2336	3896	Cjinkg32.exe	86
PID 3896 wrote to memory of 2336	3896	Cjinkg32.exe	86
PID 2336 wrote to memory of 1932	2336	Cmgjgcgo.exe	87
PID 2336 wrote to memory of 1932	2336	Cmgjgcgo.exe	87
PID 2336 wrote to memory of 1932	2336	Cmgjgcgo.exe	87
PID 1932 wrote to memory of 2804	1932	Cdabcm32.exe	88
PID 1932 wrote to memory of 2804	1932	Cdabcm32.exe	88
PID 1932 wrote to memory of 2804	1932	Cdabcm32.exe	88
PID 2804 wrote to memory of 4228	2804	Cfpnph32.exe	89
PID 2804 wrote to memory of 4228	2804	Cfpnph32.exe	89
PID 2804 wrote to memory of 4228	2804	Cfpnph32.exe	89
PID 4228 wrote to memory of 3740	4228	Cnffqf32.exe	90
PID 4228 wrote to memory of 3740	4228	Cnffqf32.exe	90
PID 4228 wrote to memory of 3740	4228	Cnffqf32.exe	90
PID 3740 wrote to memory of 1540	3740	Caebma32.exe	91
PID 3740 wrote to memory of 1540	3740	Caebma32.exe	91
PID 3740 wrote to memory of 1540	3740	Caebma32.exe	91
PID 1540 wrote to memory of 1676	1540	Chokikeb.exe	92
PID 1540 wrote to memory of 1676	1540	Chokikeb.exe	92
PID 1540 wrote to memory of 1676	1540	Chokikeb.exe	92
PID 1676 wrote to memory of 1468	1676	Cjmgfgdf.exe	93
PID 1676 wrote to memory of 1468	1676	Cjmgfgdf.exe	93
PID 1676 wrote to memory of 1468	1676	Cjmgfgdf.exe	93
PID 1468 wrote to memory of 2400	1468	Cagobalc.exe	94
PID 1468 wrote to memory of 2400	1468	Cagobalc.exe	94
PID 1468 wrote to memory of 2400	1468	Cagobalc.exe	94
PID 2400 wrote to memory of 4564	2400	Cdfkolkf.exe	95
PID 2400 wrote to memory of 4564	2400	Cdfkolkf.exe	95
PID 2400 wrote to memory of 4564	2400	Cdfkolkf.exe	95
PID 4564 wrote to memory of 3388	4564	Cjpckf32.exe	96
PID 4564 wrote to memory of 3388	4564	Cjpckf32.exe	96
PID 4564 wrote to memory of 3388	4564	Cjpckf32.exe	96
PID 3388 wrote to memory of 1852	3388	Cajlhqjp.exe	97
PID 3388 wrote to memory of 1852	3388	Cajlhqjp.exe	97
PID 3388 wrote to memory of 1852	3388	Cajlhqjp.exe	97
PID 1852 wrote to memory of 2260	1852	Cdhhdlid.exe	98
PID 1852 wrote to memory of 2260	1852	Cdhhdlid.exe	98
PID 1852 wrote to memory of 2260	1852	Cdhhdlid.exe	98
PID 2260 wrote to memory of 1544	2260	Cjbpaf32.exe	99
PID 2260 wrote to memory of 1544	2260	Cjbpaf32.exe	99
PID 2260 wrote to memory of 1544	2260	Cjbpaf32.exe	99
PID 1544 wrote to memory of 2328	1544	Cnnlaehj.exe	100
PID 1544 wrote to memory of 2328	1544	Cnnlaehj.exe	100
PID 1544 wrote to memory of 2328	1544	Cnnlaehj.exe	100
PID 2328 wrote to memory of 4036	2328	Cegdnopg.exe	101
PID 2328 wrote to memory of 4036	2328	Cegdnopg.exe	101
PID 2328 wrote to memory of 4036	2328	Cegdnopg.exe	101
PID 4036 wrote to memory of 4968	4036	Djdmffnn.exe	102
PID 4036 wrote to memory of 4968	4036	Djdmffnn.exe	102
PID 4036 wrote to memory of 4968	4036	Djdmffnn.exe	102
PID 4968 wrote to memory of 4576	4968	Danecp32.exe	103
PID 4968 wrote to memory of 4576	4968	Danecp32.exe	103
PID 4968 wrote to memory of 4576	4968	Danecp32.exe	103
PID 4576 wrote to memory of 2368	4576	Dfknkg32.exe	104

C:\Users\Admin\AppData\Local\Temp\d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe
"C:\Users\Admin\AppData\Local\Temp\d3d68619ca8f35061cfc0667a17156714e8a625813a078236de610689ffb1fc3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\Cfmajipb.exe
    C:\Windows\system32\Cfmajipb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\SysWOW64\Cjinkg32.exe
      C:\Windows\system32\Cjinkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 396
        34⤵
        Program crash
        
        PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4432 -ip 4432
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
96KB

MD5
57732992b18e7116e4067f1da07ade37

SHA1
4cedd8a622fe287d00bdf08a89caf40fe052e842

SHA256
fe4568fab05169ad27d0e2b81afe40c2b97061c2e31ead83400ac52e01db3ef9

SHA512
cb3e1c7e7745daf605792f9b679c4c414aa61329cabdac342cf0670eeebc29d44ad16629c130bd02e2969eff7c736280b794a7e6baff671a10fb76f7d0c83cc9

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
96KB

MD5
30dc15c35033ba8e3d94ff6b4f73d2af

SHA1
069099200428ec458231497d5810f142ef59b0a2

SHA256
88162fb1ec32ec76c3ac05c492f2f2d9355dc2f3279795635def25fb659d1814

SHA512
5d32265592db165679798b40797eb568839b425766666001d6e3ad290f231bf06111ce464cd632c188a01c94fc7640af25ed913d721c8a0f5193a01f195caec0

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
70be32286308d268c1d659ef21dd2ede

SHA1
8329d13fbd1814005ca1f343c566100b9b404723

SHA256
3ed678d695d6f8e0b80ee10f4099a19f986095caadfecb255d896c55e8fb3d17

SHA512
08a5aad39b5151d683cbd3a7e3af9de45286a1c32b61ce829e8d48a2b28664740a17bfa0eb095336d57fc39ebffaaa247244dcb3daee525d5dd4a3c00be6e10e

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
11dce4db8bc8df96c07df42e40232c66

SHA1
c55e6db07bb465338f27231bb7e6f091a74723e9

SHA256
0657456ca1c5c06e08cde64c250c86021c4dab4da8589b9a6433e09ef0bcb029

SHA512
68254b91484a60ded260e01c0a8509c7d9e236cbc5f9ecc8d0a45a6f715445eb775e780f53ef53c0915c3b58ae66eeac11fc3f1ed3d039d20fed6a6a60f688f9

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
0e8f58090cc659d915954d90cedb8e22

SHA1
8ee2c242a9c75b9868da32490c585800be1d7e30

SHA256
ddf6d3032e899cbd2a8f348b2893e4905aa008f4de30c8f3ff318a8d8a3dbb0a

SHA512
02557b2fd41607d568e571d1213134e561b4cd76c95edf05ed608a63084cf3158472e62648aa213d753ba50a138d3ab8b985b3bae016ac62520518aed03d0bc0

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
43feac26d515d5e9c1f0981c7dd088c3

SHA1
8f152500bfe4e1a2e13261a56af87f9134edf76e

SHA256
9ebc0a430e9fc0d38c87c41b1c5a25286a2baa43dd429d7f6fac057a946eabe8

SHA512
58b233f1a6aa06e4ef0552f2d640208dee697bcef4fddacdd647182068ed647693f8228e30388bd802698c119913e79726abc186928ccc600d54bef68a10a61b

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
2b2a9d4694730e7e6f331dcb2bcc5ce3

SHA1
9696148108dc0e130ee78b918c6631c9426ae724

SHA256
1b4115af831869229f84bc5d67d1c5dbf2afea5a87017b2830c6a4fadd0e597c

SHA512
53c48c1b520fb8a90807b80fc27a7e7cabcfeaa9b3db54490fc23c797636aa27e60edcfe231ed11bc4ccceb46a5758fa40021fad7993854a612bc44dd9cedfae

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
c6549f0d1fbec6b88a7d308ff0521c86

SHA1
265cbe1c0fd9cc28c164ea48453fa01d58ce444f

SHA256
7bfe047f52245703bf07e4615c0ecee822ce46778e9f6d9410808b04815a965a

SHA512
ab924c464950a81089c545cf08e6e980dcb49d1ef78f94c57b2b70480d17189b0f20c647f99e59f51427c649ea4eb6c576f98456ef5f1f810944b2ee70ac4812

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
96KB

MD5
b545850ab6e409f18d0a65a1c6f77d37

SHA1
1775cf29cbddb56870f3ef3cb5035a436acc3fbe

SHA256
956d4b305c95fb3c1b391d3ab1a193b32b1770892d1ea26733ce4105f0711920

SHA512
11089973fafe179bde0d3eaeb474aeab32cc28afe3a946ea38ce1d628f449d4a5acee0c8926d140a73d917fef814d4075cac192f34a855cb81f2754c043911b6

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
540bf3b33d918b11a9ee965268ebbc8c

SHA1
d302c693eb2fd47ead02e77f24426819f054685e

SHA256
a31f09c1b86cf5a42b1ffdec892b2c7934899f427982523d9e3ad02bd1dffc54

SHA512
81b2e6429ff0b28729c9b96ff1e3445490106ccdff9c5eb2c3f4a8266b7b0e6ee4d8138f4520b04dfbae2fcb0c2acf73ce281bddb71c8c1f2b8aaf1a90ca6374

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
003c09e24f647e3a1782821d89ffae07

SHA1
bcc249f530b197894a7ba8b61e8311745d1ee44c

SHA256
c96ef586d7c647b30600392b1e907aa276fa12768deccd64cd9a4b39af51cc89

SHA512
4990f8a6b519f3892cafa8236715702a4c595192c67c0c941375ffc484f60e1708256fba7e26c8474886927ea84ead5c5847893f6a75c62ab6a3e68f0ae6b35a

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
96KB

MD5
0d21518bfd8e5a7af315d80cc54747ba

SHA1
0e12e4e248c1b75eb8c82bfe2e55157923d95e03

SHA256
5c1cdf4e56ad5f71aff2d9a7aaa4778fecba6967dc3f77a90e633b2d37118574

SHA512
b9156f7b8d20170dbf2062320dd8a80f4e0c414a61188c77da1d338002fb61e9d1e112925fca58df112694aafe9e1cc347947fe810299d0e5ac630b50c6f4718

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
380818851a845acb1c333362e9a1d43d

SHA1
8098068b71f9586db6cd52897bc08edcfd08bd6a

SHA256
25710d9d940d5ba956017c3d46b3a1afa5f74b4ea492bac7d5238411d21bf379

SHA512
52eeb5091480c47c4f7924c545cfa8e9afc8f3865fd6417152b918c786a81f753e32542541bc4d88da7ed89e999d66244855f32df2eb17c81f8817af3a7a03ae

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
162e5e6c5b0a2ad40264099adca9b524

SHA1
2d8d3ffcc4bd4fbb0c123b41f1138bbdf05c04e4

SHA256
d7a0cc98fda665291ad8bd1b1bd10a7384b541df6ea98a4ae881b075b7d2c83d

SHA512
dc1404e5e7c4548ff8667d3f1192269ecd7be30c6961e10192db0fe130d100865faf3be46067e0a5df26166899f63eb5228745a4be3c00463998466b20b0abe9

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
96KB

MD5
59299c145b63787e6736fcac29501adb

SHA1
b364b0226164a6d954e3d17dd60d4bfea3e4e2ef

SHA256
ff55ef7fb1ed15f73cebdf489aa5cb8daa969aac16dece77690c4fb6dcf2218b

SHA512
daeef64cdb9603da23852c4548253abc7358eca0e07d457ef4a2304d7ab4734aaff6729d50b0db3cc58b6f87c02f523bbc4b440af0d6858865a22cea827fda45

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
4596d1bcd159b8dd1567219bf74f7ba6

SHA1
c9d88aa12fcec422eaa72e71ea2f98a4d352d862

SHA256
9e1ccbbd46e32f3ebe4741526f51fae9dccca7ff217b8c0f0e522d030fb796e8

SHA512
eac468d0472a0ec416f3941601731138bd038d0026f6ea9ee84f0874bf20e69115200b904a3d2f8ad86def20db7d1adea8c08d6ed98735283604d4594966e840

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
78c7f39a202510894726370ba3c49bcb

SHA1
66f1b14a5c7672f3963a6c00cc496c19bcd43127

SHA256
18871faeeea14ce3772c7b2350bc900970c1cbeecc6e37e0f6b1d452c04615a2

SHA512
12a70c380ee4517cbe59408d8423b2a32d6964612d9215439a266e6e7dd29ccadd378f10593867662c9ad80b2b3c54e18193567b3260aee6a77df4f85c4c5732

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
7d3d381bf356d8f078def0c80b67e83c

SHA1
c4e14feef7811f34491643370b6b1fd20f48e56f

SHA256
4d5944073937c12e8cd63785024dd925bc4b51dbd04aa4bc8f2b57be5921843e

SHA512
3542b12f4c95409e51c71d15d6ccaf1d989fb7a810df83f1a008f9c248043d7e8d0d7910807d902d260d101142ea93b3c4e422c5079edfdee8ec9ecf0957529b

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
486fb96a2b201f17cfb9381ecff94217

SHA1
65c7b81ba89c9dd60035de1d1d93bef5601bfd8b

SHA256
c7164ca973f1469e3866da8ac21029368a36e4dad6c7efde4247627e8a8ee6b3

SHA512
8704f04131f7f2c3912e630c2cd5e34207a8f076c39a66dc09a77a422b9cf4258cdbd42b17ff1986eb37f00c3ba1b6bbeee1fa216eef8b64d789a29b7b2766c5

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
2dbb6c1e5257a43c73335c8f440619ee

SHA1
6cd2cec064f5db66cbdffbc17e98e818fc4c4e2f

SHA256
105271cad7c1aca25fa7efaee572c11fc68b3b67d02c6b5ae25d1d0cb345d048

SHA512
1c42774596a2172af11480693bc597e5751cbfa9c6791055b9f03a94f9bc0309ee8b0b8b25a2c00a599ecdb774a73a928c95c2e8ae8caf5ac4a7097a4753fddf

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
f52b098b45150d9c1281a455665a62ca

SHA1
a9f7118ec3dac81b8d3573f75ec58489aeb2f501

SHA256
e9e33d51c28015f0d0c84496061a819b14ce82e1eb54af0eac6f29c0361e117a

SHA512
4dd600225e48046c77e3950a4670375a8efb3ab3c135f694420191d81de297ee92484c0a651e0f20b5bafa1d86947ba724d090b7bd60ce6a0bde4be9b9935550

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
e9cdf7aefeb92e6f2c2f8bf572581654

SHA1
52a6fad7336b13a6b576a7787d8c4950d6ddb949

SHA256
b3ebb60f4eedaa0f9edf5f4a6cf4b3dc46b3ea42ee3917a7113d3744b893f6dc

SHA512
8462052eab0a5819e39d3c5126931099751292378324f83ba56d55f249858f512365fa62eee3a8c46a5b7d9c219e842898d27769beb370fff6568646cbaaa11a

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
3e120dd0c42b80699a1c19f204b97879

SHA1
639cbf6dad6247090540003669fcb5c7b70a8e9b

SHA256
c0b9e4902655fdb085af6aab2119fa4c6119739283b02af770810c716a38259e

SHA512
41ebc17b8421f9b863776a4769c835770780ab630b29facfe1469b8e5c47a93d37a65adbb7060cb0ca194c7d77592a46928696f32233477d5dfc66e20d907509

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
60e3f9fc77fcc1e5a19b461774127fba

SHA1
7794ff363a370ab932eb02cf554563979164e597

SHA256
d128279e0057b474f3cb2fe38b62600d2183e6b9713e654c61d3945ac32f064d

SHA512
003ca36baf3789d798efe32f3e2674b6403605c54d24f766f731effc8be380edc1a3c8e14ac54cfb9441f4a8788c518d023e6ff23aa84f215ad1741e648d4f97

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
73aa406bf0d27e63167afa22cc13ae06

SHA1
91f4ac7128c9d3d1e6c609148061218b1d50002a

SHA256
3498a81ab132bffb4d01603a0daeba7a4838350838664186c1c9fb5f4d15a4b9

SHA512
add64d625a3caf7f5e9fc7944a8294070cb985ee1673ddf39babd098df70cae3b66c8b8c9785a44317feab5247db224771578bbb36bc00a9243088f7ffd5801a

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
a80b959ea9511d5e8006466ec2658973

SHA1
7a8931784ac5195a08b06e787b724aa8aaa6d22f

SHA256
99a8fbdf4a2aa517f9e66a5439f9fad78834bacab14775ebbc04d75afe377188

SHA512
b996a7cfa6d5e70cc767749563c61dfa3f1aad9486f0c0e1ed3e2f05df7dd71bae9a8ca33c313268f873e4fcaeb042147766c2f953955002c6dc38ba7bd4ebe9

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
96KB

MD5
996e3bdd28b1f2801a4a3f5bbea15773

SHA1
35b1beb2f5644fcfd816509d7ef30d289f02573a

SHA256
5232be5de6ad2e649638910ed15f503d6fdc007de9e5ed64b0d6da33693d453c

SHA512
4af46850369fb7c93941b247ad9326aa16e654390ed6d1822f9c8ad51f8cb999ce85d2abb28c6df4baa7338120888d55febb45b3835c2899c951dab6176e3729

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
f57bab072542c8d2f83709de0bde00b5

SHA1
47edbd50cf4570c7c2d991560aacff9db62604cf

SHA256
4794d2e8f3e118e5950acc8ae221cdb43c29a11d5082c4fcb8a583302246efed

SHA512
9c2cb68bc69b1c8f2cd770402550f906a8dd4a4067fc2db5c373cac7b03a29bb0501ee9bbd401d9cf4bddee6ad8c01c0e152dd7fb243f17c6c8751eb030dffe7

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
3e0afb590b58797ae98a6fae17fedfcd

SHA1
0301f1df524c64e1dc9a3726d0780bd3cda05945

SHA256
cdcfa0666c1fd948d27927ab8dc8726e89051f68259f12cfb32b5d4145727be6

SHA512
853e04bb8befe6d75f01a646fac0a4dd49f872c5d84fc09e439ad17bc20d9a26405f5f918d0ff81a167985fc797a4c56eb2a6fefe43a19503aae6a7519cdfc51

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
e10c16a23aa61b92b9a92fb418e864e7

SHA1
3443d499af110daebc727cea352e1ff943553957

SHA256
2d5f5c0c7f32cd0528329ebfbc1da1b470eaaaa1eb54cdcb3d2fdc07a4160c95

SHA512
6e0018190ce662337a6f08bd3faed56472fa88eddeed5d884ade768dad48e6428db932f21d05424fc631546bf47d1592c57fe78b4a5f02f1d4913292b378a0b5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
4cf1b3ade683e0e53f97848de355d43c

SHA1
3a7408d093a170a7c814a5b4b933bffe9f455576

SHA256
0213676c5256935bd3fff9418fca1d41b1fd2d13498866f3f908776765fee877

SHA512
a00caaad75d4c7e507de5d09190cd4d7a31ab920d370d2ae7ed287cf864ae870dce3b869a5ad210c8f66d97b875a408438b96451fb3730d27711aada52713283

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
f50f4c870c08d9492205be9343072dfc

SHA1
804a9cd7f75bc1447c55c60a1e101371264f0b7c

SHA256
4e29d903bfc974acadae25b9b075ebe1ea196dd372b6ffd6cc4ee908273910d0

SHA512
d7a71e3a2dce11a10e39993b70530a13f42d6865518a0f9ea07d3e100acea5fe727b8df600d57ebdbafdddba87157cd7a62dde871dd8560afbad13a7e51297b7

Download Submit
memory/644-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4432-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads