berbew | 2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f

Analysis

max time kernel
95s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe
Size

337KB
MD5

b5bc5c18d3f1f0e30ab203241a2c5fa8
SHA1

24cc071c132750f33afa8545e807f30cad588651
SHA256

2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f
SHA512

ee24afc35b652b04963231af18b5fba969a3b2a1c2c47b94d75442d0f1b6a7579aff6e1a5665854de5788f889a3fbd7cb201737c7e3ff266e96f2799ec24f92e
SSDEEP

3072:mGu2Ce0DgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:mG6D1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 38 IoCs

pid	Process
1236	Aqncedbp.exe
2408	Aclpap32.exe
4408	Aqppkd32.exe
2696	Ajhddjfn.exe
4248	Amgapeea.exe
4668	Afoeiklb.exe
3952	Anfmjhmd.exe
4548	Accfbokl.exe
3772	Bjmnoi32.exe
4488	Bcebhoii.exe
2904	Bmngqdpj.exe
4592	Bchomn32.exe
3860	Bffkij32.exe
4188	Bmpcfdmg.exe
1272	Balpgb32.exe
2156	Bgehcmmm.exe
3440	Bjddphlq.exe
3564	Beihma32.exe
872	Bclhhnca.exe
5020	Bfkedibe.exe
1976	Bnbmefbg.exe
4040	Bapiabak.exe
796	Cenahpha.exe
1068	Cnffqf32.exe
3240	Cjmgfgdf.exe
4472	Ceckcp32.exe
8	Cnkplejl.exe
3784	Cffdpghg.exe
2068	Ddjejl32.exe
1052	Danecp32.exe
4484	Dobfld32.exe
376	Delnin32.exe
3536	Daconoae.exe
3252	Dhmgki32.exe
804	Dmjocp32.exe
1612	Deagdn32.exe
1668	Dhocqigp.exe
4356	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4824	4356	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1236	1104	2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe	82
PID 1104 wrote to memory of 1236	1104	2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe	82
PID 1104 wrote to memory of 1236	1104	2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe	82
PID 1236 wrote to memory of 2408	1236	Aqncedbp.exe	83
PID 1236 wrote to memory of 2408	1236	Aqncedbp.exe	83
PID 1236 wrote to memory of 2408	1236	Aqncedbp.exe	83
PID 2408 wrote to memory of 4408	2408	Aclpap32.exe	84
PID 2408 wrote to memory of 4408	2408	Aclpap32.exe	84
PID 2408 wrote to memory of 4408	2408	Aclpap32.exe	84
PID 4408 wrote to memory of 2696	4408	Aqppkd32.exe	85
PID 4408 wrote to memory of 2696	4408	Aqppkd32.exe	85
PID 4408 wrote to memory of 2696	4408	Aqppkd32.exe	85
PID 2696 wrote to memory of 4248	2696	Ajhddjfn.exe	86
PID 2696 wrote to memory of 4248	2696	Ajhddjfn.exe	86
PID 2696 wrote to memory of 4248	2696	Ajhddjfn.exe	86
PID 4248 wrote to memory of 4668	4248	Amgapeea.exe	87
PID 4248 wrote to memory of 4668	4248	Amgapeea.exe	87
PID 4248 wrote to memory of 4668	4248	Amgapeea.exe	87
PID 4668 wrote to memory of 3952	4668	Afoeiklb.exe	88
PID 4668 wrote to memory of 3952	4668	Afoeiklb.exe	88
PID 4668 wrote to memory of 3952	4668	Afoeiklb.exe	88
PID 3952 wrote to memory of 4548	3952	Anfmjhmd.exe	89
PID 3952 wrote to memory of 4548	3952	Anfmjhmd.exe	89
PID 3952 wrote to memory of 4548	3952	Anfmjhmd.exe	89
PID 4548 wrote to memory of 3772	4548	Accfbokl.exe	90
PID 4548 wrote to memory of 3772	4548	Accfbokl.exe	90
PID 4548 wrote to memory of 3772	4548	Accfbokl.exe	90
PID 3772 wrote to memory of 4488	3772	Bjmnoi32.exe	91
PID 3772 wrote to memory of 4488	3772	Bjmnoi32.exe	91
PID 3772 wrote to memory of 4488	3772	Bjmnoi32.exe	91
PID 4488 wrote to memory of 2904	4488	Bcebhoii.exe	92
PID 4488 wrote to memory of 2904	4488	Bcebhoii.exe	92
PID 4488 wrote to memory of 2904	4488	Bcebhoii.exe	92
PID 2904 wrote to memory of 4592	2904	Bmngqdpj.exe	93
PID 2904 wrote to memory of 4592	2904	Bmngqdpj.exe	93
PID 2904 wrote to memory of 4592	2904	Bmngqdpj.exe	93
PID 4592 wrote to memory of 3860	4592	Bchomn32.exe	94
PID 4592 wrote to memory of 3860	4592	Bchomn32.exe	94
PID 4592 wrote to memory of 3860	4592	Bchomn32.exe	94
PID 3860 wrote to memory of 4188	3860	Bffkij32.exe	95
PID 3860 wrote to memory of 4188	3860	Bffkij32.exe	95
PID 3860 wrote to memory of 4188	3860	Bffkij32.exe	95
PID 4188 wrote to memory of 1272	4188	Bmpcfdmg.exe	96
PID 4188 wrote to memory of 1272	4188	Bmpcfdmg.exe	96
PID 4188 wrote to memory of 1272	4188	Bmpcfdmg.exe	96
PID 1272 wrote to memory of 2156	1272	Balpgb32.exe	97
PID 1272 wrote to memory of 2156	1272	Balpgb32.exe	97
PID 1272 wrote to memory of 2156	1272	Balpgb32.exe	97
PID 2156 wrote to memory of 3440	2156	Bgehcmmm.exe	98
PID 2156 wrote to memory of 3440	2156	Bgehcmmm.exe	98
PID 2156 wrote to memory of 3440	2156	Bgehcmmm.exe	98
PID 3440 wrote to memory of 3564	3440	Bjddphlq.exe	99
PID 3440 wrote to memory of 3564	3440	Bjddphlq.exe	99
PID 3440 wrote to memory of 3564	3440	Bjddphlq.exe	99
PID 3564 wrote to memory of 872	3564	Beihma32.exe	100
PID 3564 wrote to memory of 872	3564	Beihma32.exe	100
PID 3564 wrote to memory of 872	3564	Beihma32.exe	100
PID 872 wrote to memory of 5020	872	Bclhhnca.exe	101
PID 872 wrote to memory of 5020	872	Bclhhnca.exe	101
PID 872 wrote to memory of 5020	872	Bclhhnca.exe	101
PID 5020 wrote to memory of 1976	5020	Bfkedibe.exe	102
PID 5020 wrote to memory of 1976	5020	Bfkedibe.exe	102
PID 5020 wrote to memory of 1976	5020	Bfkedibe.exe	102
PID 1976 wrote to memory of 4040	1976	Bnbmefbg.exe	103

C:\Users\Admin\AppData\Local\Temp\2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe
"C:\Users\Admin\AppData\Local\Temp\2651d78ac4d6378b5b7e1f68f96e871c8c30f7120b3bfc81c0dec3d682895d5f.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\Aqncedbp.exe
  C:\Windows\system32\Aqncedbp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\Aclpap32.exe
    C:\Windows\system32\Aclpap32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\Aqppkd32.exe
      C:\Windows\system32\Aqppkd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 408
        40⤵
        Program crash
        
        PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4356 -ip 4356
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
337KB

MD5
69668156812a31062c85bd5371418859

SHA1
91ecc3979079917c425ab4bf7ddd1977c48699f6

SHA256
500610bb1134fd9d2df916001e6d4d8bed60738edb6852db0ffc207a822f5305

SHA512
61e20fcbb72bff10791269f739e7bd2d8a9fb039c9ab1c9a9d9674763e2609142751fec4f34338dc7ea420a42d5c4a694535625de3fcfa56af1fb2419b24e6ad

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
337KB

MD5
c7d4279ff4661e482e2d27174bb38f1e

SHA1
adb3c927138a3f2c78c891d88d78b2409ba028ef

SHA256
9aac91ed7210b39296abfed2e9b2590ad30f2c7d78561164ca18772b304065e9

SHA512
e2fd6cca204ebd0b8fe7fc517de5eb5462c071cbd686a5b25f50bbd5aed2fe2561d0cd7097ee91d45db889d28b09a2126565c2baa597516679b25aa8b4484d29

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
337KB

MD5
e50a4a3f18f72031fa3d81b51808d3c4

SHA1
68589f45a6bced1ff7ca846e8ca6e72789e76142

SHA256
26bc5bf3f24a8b183e4616fdaf874158a4b09bb42939232c348f625e3aa3a2cd

SHA512
686b63d7ea3a92b35ceba4612907c04a00adf075a8cafc5e27b7b1607552730c7725e106856a5533c64704bc9336f3bf294d666c732684298a8c37c06ed1d228

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
337KB

MD5
727309b4060b4ca8c2eb529668dbc5c2

SHA1
1bb58b60a4ab141062836220b9a8fb84a7a402bd

SHA256
e47c6d29b7e9dec2ea7ba230eef41faf4206c780662960a4b2cc3d85d12127bb

SHA512
a09af4f1b2db9f91415256f60982a2358f8112df313762b70d47a98e7f19f113a13c20cf2c1f87458c5de473617217e0fd7a2976c5b6662d3e9b4ae9884e15e3

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
337KB

MD5
96f1eafd5d4ea57b4fc3074b136825bb

SHA1
a91c8400b03c759f7ead8d83170db14723c188b8

SHA256
8a9db16188906638e91453243a0749da8d5c7a4b4c869c96df1b9431cfd7c50a

SHA512
cec3ed32e28f9634dad41be2500b0d7a94c7b205e0a8b8bc1dcce447e7e3c0b5e4813c03f1da08af64efd6aa6326b8c9f45a9b729f77d3d15ce3c4f875897751

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
337KB

MD5
1182f56996de015ff5d7317419638bc8

SHA1
e14122e30309cadf85f4dee76f3fa62be49bcbf2

SHA256
f2deada6fffe46582bfd62e3ae9135103344274ebe1621a1472e5e8824039e75

SHA512
5b98b9b38829e9ae7b4c55507192c44bf03583c2040caf9133e3f565587239b262379cd050e08871e7f1cae44eb10615846692f257c2e2e499bf4991c9598513

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
337KB

MD5
94717a426ef478585294ffa900bbe1fc

SHA1
de866a2e43ff8ee4429ccc942736f8f8b8844eab

SHA256
2ff95bc19a5d2f37a90fd90bb7b08f1e883834bc6c3aa67444edc92efc363f93

SHA512
e0ac7e31db57ada28d4f1f4e41a8fbe430828d325cb82d23a34b0c32b133c7d67af47a5d2f860132cb41c455bcd89a0cf86d9abd3ef128bc760b3df8829c267c

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
337KB

MD5
f442be5499175710a85ec0a6b8b2fcc9

SHA1
40a8ec4f1403e999c8c3e884fb2cb1c47e6f38c9

SHA256
ad9f6d148a893b00c127889e861f282c31538883ebf29c3935dfc12b89630764

SHA512
8dada01fc8176f746dc8931883b5295ef4f8e4c7d420d54969864bd74f19b163922afa018e2735e21b721f24f9a919bbc86b339937778ee1fdec7b30e6576c24

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
337KB

MD5
10d7776328a897eaacebc44502208086

SHA1
596618ccae7cbc29c1a17f5cb82e6dbadb52ff4f

SHA256
e92d65ac954547367519bd16accf14e4ea4ad7b392c98c68ac61cc0add5e6351

SHA512
3ca21220c46cf05d3bc76aff3d1da34f775353630ebe768040b5f4609e035f701e36c0bc35cd6ca3b42a61c8ae3ab1ec28dba789070c8dde28ef001ecac57433

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
337KB

MD5
a1d2f846651b6f40df5eb067b7bd7530

SHA1
44ac8dc7ccc926abc1151cf0d7a2f26081242e07

SHA256
2351af97ff5c1fa17eeef70870e50eae598ed51bd00004a661c0d8ee6ed79dfc

SHA512
4106e75f3e1fb736fa0b14a7623727aa24083df2dd29ffe840a1c6e5dea779636df5b9f59b4d9542beb6b704c8ac109cc61523fc455ffa18d1e7acd6de4a29a8

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
337KB

MD5
5a1e0c20700a272039bbd610ac14cf59

SHA1
2883f202c7f1f48275c1e6a7c269a855851243e7

SHA256
bbc29463b012cefb9578846490c1f9620394244092b67d79acda8061e7375ab9

SHA512
a98ccef0460d90f9a54565f2c55650a7da7177aa76c1569646f9c8ab29889494af1eae9f01f3f6da5380cc51ea99ff292afbb41c4642227e86c3069f485babb5

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
337KB

MD5
433f93182b5cd16d7cb400b306936de6

SHA1
1d889794fed617559785f1c129c8e8171c4e5dd4

SHA256
c0bd6ea9fa3afda9856cd17742e5122cf0151b49c6dc0e1363d1e958fdae4a0a

SHA512
c774925c3770c980dfac101275f6b4b57043a8a8685459aa9548b2473cbc161969f56c3d1183aff856a625f1d325b7a976277f747317755e3ec9eeeb415d4a90

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
337KB

MD5
164d1c64a420ca5f8a129aa03eed673e

SHA1
3b9b15db362e602e01861dbd041dc827b2d20977

SHA256
77d05793d0cff73cb1ef7425c60686e0d5c8e5b74378e812648beea6bb9dc7ac

SHA512
9b1fc5dfccb0200b187fba35f52695f5e7fd9c5afa01985697602c50e8bcd5b6563443ace973c440d78aee62a6dea20f8b65f22968a22cb07b494d2649bd681f

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
337KB

MD5
d0dbe6c85240958e77dbbac383f39619

SHA1
8b225e6ed7a47bbc8342ca23cfc182efe3fa09a3

SHA256
5c065baad4678bc8e6289a106c3364b38839f00a98df7ee62196b29207009738

SHA512
7fa76b800fdf3d6130a30af8506fcad92e9fae3c55eddc42cad96a2e0e9b004177c8acc117ccc377d8c5fb2e0bff464a3ba2e009e13f46d8a3281f3b5fbe38da

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
337KB

MD5
be44f81f3a888cf8345c1e572f33c63d

SHA1
0113cc3b1f45b15b2b5e5a9d03607536a17b2e28

SHA256
4f0c6b3c672119c824e5ac32fa5085d7689f16ae86903b2f7366b8ba95f7ac38

SHA512
0993b5603370726b1614dca3019af63f9ba37ca0d3be4445fed99dd7f4290f0eee38b7077aab14358e47371b8001b849aa0fca5b8d5c6e729ff73da1e3698e59

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
337KB

MD5
368ef64f8ff2d746e0d353ad1ca86d10

SHA1
8df0bbc4912b7618ecf9953c5dc920942897db13

SHA256
9e0676184190af6dc9218ce71dedb3ba40c059848e0f8c6ddb5e329acf74fe1a

SHA512
747fce8a3ee0653914839c0dbfc6ae6513fffb46962a6dc777026aa68fa4e6703e87995abd2ad5ffd48369ba70b35e674f99c807b23fbf3c3e4c58b0577c76fa

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
337KB

MD5
cda998e0331d749efdec138452f6da53

SHA1
240d675b8dfa9223df7c15d9ac4185e5a29dcd5c

SHA256
c1ed91d7ddd9f634fe3363c89bac46e7f34d11f73ba7ccc3d9bf871f9a114fa6

SHA512
cb80d1e64ed49bd2d1e39f2db10f6515e6549171782afa441d15983b32f983dffa4cdfaf9ff5b8a788f25efe810b9896c137dd57e31aaa970a40f4f864315ac6

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
337KB

MD5
9e99639826ac1ef75abe0b606c64130b

SHA1
5730b60582f16ff36b471916a042a3c973be7048

SHA256
85817c5d4cfac3fdca5ae617da551ecc8915e9cf6da558e32b4924e66f68a9f6

SHA512
cab289abe58b64f39faaa61a356efb5edb1da52769287085c31cf397921ebc9a42c44d738318e361e0e4953eb3ba2791548628ed08a7c1887ff190106f3de15c

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
337KB

MD5
ef86af6bddd6e96843f5be0a5d3bc480

SHA1
5ccf5995f04a93d0ddb25aeb1ac1e0339e942873

SHA256
afbb16c5b91a56bad8cb682473dd9bf973c2dcd776ad8971c1232cc842ada4d4

SHA512
2b9ca7988be0702dfb61a13708d9f60b6d429e844999e1a09cd6d4cb82886e88c29d18262b025121c4e15365e6c3209f59934a20cad7515bd2862447417c444c

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
337KB

MD5
43771675cc4c13fe8a37db46f6e48e3a

SHA1
a40911c700c58f027d679e9d87f5b4965e8779d6

SHA256
85b70944880c27ca20863f6c8bd2f5ddfe84a536bbff862b6173f562b581f389

SHA512
bcf9c042881ed28b2b5872bc3ab7eb1ebdb1f659db843d7dfb31d670f1593cf98c2da8e1d0011e220dad493bd493da4890b915670beebae786bdcfde5568c40f

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
337KB

MD5
1673991a58a146fd07f7ee77d667f4c0

SHA1
0cab1b74d7fb6a717982863e2d09d4f35c1659a2

SHA256
c98fbb0189a1938e06a1c9cd18ece02c7e47cfc9b8979c1a8fb5fa398ded4e3c

SHA512
33990ebe772fab3e7dc29a262f6c4e753dd3d1411f8282e909f24c8466352c5b04841b26c3fb491abc3fd68b14f1a61da957f80e9cb31095296b9cb5ac98e6ed

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
337KB

MD5
1029d66a021bed79674318ace9fbea80

SHA1
99dc83364361436288881a8630bae9e7f8495780

SHA256
d40127b8ccb27983c841b786261a73997bf9ec0ec0849eed9e5a4828eda4440f

SHA512
9b1622d9c0ae945fc14454e526682fb1d291c11b2e7e1f39657c1aa5b92b4dc387a4ffafb6f17102972aeabf8d13b07a439e36fc7efdf290f137a2d6adb8bd64

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
337KB

MD5
d5f848e679c9d44cd61af60adb229fe5

SHA1
98f4c7f4ee2e3d16150d901b1a0c2a91b29149c8

SHA256
65edbd69705b9db8fe62c92d69bbbb951ebdbe5d45b65550c8ed2883c465542b

SHA512
1cb7501843d2bd9796d12a46361ca2bd7b160b17152950250594828883d17544ccd1aeffb9f1157b93a5b78fa3d71ba1338c1b1287ebc01d2901e3d389f303f8

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
337KB

MD5
575e7db0ad5c3b139fe86d08209a1a77

SHA1
f79835b7af304ced853f51b18239d9c5cbdb8479

SHA256
d2f94b62bcd6405c6d6b7dcb150de0e621232fdb7ece4af0e096007aca9eb353

SHA512
dcef2e8f4a3d84a85b3da4e9fc43515a582b5a54dce251e98ddb1bedda4ee30be2d26e4e4b3c573050b29938c8eed9141df4fcd5d6ecfe45d7ce3a1f7826aac8

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
337KB

MD5
ccb47ed4342278cf79524d63c2702cdc

SHA1
df92e048f6520203f67dc9d21726ac2d281dd351

SHA256
5492d6b747d3e1f815db18cc884f7131608b49a15f804b6fa11b4d5911aef016

SHA512
0a9365d12aaffc0c7dacf485d9fb853e0b5d49ee0ca4501c501ebb560298e5a75745b53d6bb1102638f3a0a6e2e401be2e781a7153424e580842679e7f9d2451

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
337KB

MD5
7fe42354f8f54563ae485e68552be714

SHA1
4dbcc934016e7f35e462deabd9fac89e4f0c37ef

SHA256
fe3b0caba631de7edc0a53ffcbacf0f0e4821d3d2117d591c1c93644fdfd2788

SHA512
9745da86cb1d51d6ce9dc595bb4ecf0dcbc20d219a1870e8f633b7ead27c9ba6139c8bc9aa9698bc15fdb66e2ccbb5074ffe5866d4a7cc3c9dfb12df02c343c9

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
337KB

MD5
6f9cdabe847830e3fa0473326742eda6

SHA1
c6e288376d8610b1d24448f42ea8a6d60fc45c0f

SHA256
fd2b8e0e7fb70c1fbb14db0c479c55cf23741817edf7675e90df8bf1dfdc4b7f

SHA512
d9dec5ca80a003473f5011b613eda5fc52248b5700ca2574ae0703e77a0b8d25e37c1a1aaa4265f10b6c6cbd33b564bd928b83b322383ba7dafe80a197285fbc

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
337KB

MD5
566ad1a76c3a9c11c39a8d74086c582f

SHA1
f1830fefc4858ed261ec1a5b0c841fa8d45c66a2

SHA256
41235aa098593a0001b1d0f6ab6a31a5731c8615c200a240dca71025295ff735

SHA512
c04e1bbbf1eef978fb4e5996742ca6ada3116f358e2a74c00193083663358ff4d415bc8a1a42aa3263c1eab6ed7a4eb9f9ccae8115fc5481dc064f6690555438

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
337KB

MD5
e523d0848b3b80516112e9787bd04269

SHA1
8bd469dec430aa368ecec560a483efbc94c23649

SHA256
585ab736647dd2974b53ff5e00075326893317313fa87551b126d8fa9ff06d1a

SHA512
8f0ac43f3d8985102fcbf70a94c003d1edabdab6686b47dd55a49d4a8bb5c03a0af0ff4ebf593ac3be0ce06ee707e82d3b1306d8c809ccbf8485c3449e37d925

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
337KB

MD5
4c62eecd2d2a0b61aab9eee8a6a55004

SHA1
7a43d74625ba02dc5b520420cd9300dd97ff2972

SHA256
52349132d0a5ce8ffb078b01f5cbfc5d1e19919b78aecb9a9ecce437c58ea5b3

SHA512
c7ffe6f0957cc0029b1a45b431fe62f17d78270ddf6bb5125c4e00e96957891b80af72e96a04d3dfe637973ec8314f64ba48ea2a3884ef282fb2678038e65a40

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
128KB

MD5
5a1b97cdf44f79c3b96e3acddabb267d

SHA1
a8d539dff4d7f0503817f85fe128f920ed6a1231

SHA256
a47bb424cbc67ce99d4c52e1bc772efaf8d7afed9eb0aa750b57eb70a2260967

SHA512
ca40f8cf88fd4f93f94dbf212b85768b9438a7a901005905e35327bb7d849761e36f2289ce5c3c6e6d309a37d027d9d428bd1b30ff500612a0661a3f2a37caeb

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
337KB

MD5
783baf8758152da0c4822bfc7ea2e085

SHA1
45245080edd59df6f088ff378066181ce135a525

SHA256
6b01fb379a0cdebd78a4a813a708e838b6f1f4dfeb060269d2d47edb74da3f1b

SHA512
979da8be7e020622634db9d2be85a642841fc2589b485247e2b3e244e3eeaeffa1ac54b4dc3c3950caf2a74a7f16bda8dc52f886a20dbc9f384d7400c3139b11

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
337KB

MD5
4f8d39a3cb7d1e9b0027342b9b985c11

SHA1
1de109fdb288f1f54ae5b526d06ce6537476f29d

SHA256
ae1b30311fff78ce40a38558a9dd9d8a72edd9292e56f5274e59b2a5f211647f

SHA512
ebfeab4750a0f999271437a658f1449cb54622e4c2830981f50ac619fa65ed850add77c9af5451397b5a2bad93a3103507809d36117f8d50c966fe7301b46789

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
337KB

MD5
df5bf9b427423809d3107f5e0df0a2a8

SHA1
a707fc2c90ba12b33f19617fafa234c87296bac0

SHA256
89c0f501f5d13643de8947f2cd14e79ef3f971c80c1beaff5408cadd97d7e2f0

SHA512
e45908f3d59bc859840f096a556f8cb4ada055fc73c908966a23c9e883d73abfb571dbf80255efba588bfa18b5ef2f52cf77714564e7a48daa938854b5645239

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
337KB

MD5
971288661072da485879dd0b033c8023

SHA1
b1203a260b5d0f6004abc43772b2651b2647dbdc

SHA256
2e5e0e0467ee845094a9a2102068dcb2509567f5c94b6dc4a729815310c5ba0f

SHA512
916c4b52ead78607b27236a3908d11e31d36821744bc6a0b1dafd7915e9618a94ac50b24353841a871848860cf3fab97ac84dbb63b76500869634218fa289bcf

Download Submit
memory/8-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1236-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads