berbew | e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4

Analysis

max time kernel
92s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
Size

296KB
MD5

ce936dba2fe9aa1fb18bd2a199ca10e4
SHA1

67e83aec61da3ecd517c075339b2a0b3701486c0
SHA256

e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4
SHA512

21f14abe002d0575eef4fb8d80cab96c27576e545c37543d414adb16fc48795216eb9e281e6f577df62b07a3d5a730313faaf53fa991f3c078218c2c155b1203
SSDEEP

3072:IjS714VO3iPkinlGzfO5zRvoHARA1+6NhZ6P0c9fpxg6pg:IjtpIz2VRQhNPKG6g

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 42 IoCs

pid	Process
4948	Ajhddjfn.exe
4512	Andqdh32.exe
2732	Acqimo32.exe
2108	Anfmjhmd.exe
1240	Aadifclh.exe
372	Bfabnjjp.exe
3256	Bagflcje.exe
3728	Bfdodjhm.exe
1980	Bmngqdpj.exe
1976	Bchomn32.exe
1052	Bgcknmop.exe
2012	Bjagjhnc.exe
2624	Bmpcfdmg.exe
3024	Balpgb32.exe
4536	Beglgani.exe
1596	Bfhhoi32.exe
3852	Bnpppgdj.exe
4504	Bhhdil32.exe
4860	Cfmajipb.exe
3960	Cjkjpgfi.exe
2096	Cmiflbel.exe
4596	Chokikeb.exe
1808	Cagobalc.exe
3012	Chagok32.exe
3868	Cnkplejl.exe
2492	Chcddk32.exe
3548	Cmqmma32.exe
408	Ddjejl32.exe
2900	Dopigd32.exe
1164	Dejacond.exe
4852	Djgjlelk.exe
3168	Daqbip32.exe
2512	Dhkjej32.exe
4404	Dodbbdbb.exe
116	Daconoae.exe
4568	Ddakjkqi.exe
4460	Dkkcge32.exe
4288	Dogogcpo.exe
1016	Deagdn32.exe
1156	Dhocqigp.exe
2076	Dknpmdfc.exe
2772	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4104	2772	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 4948	2804	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe	82
PID 2804 wrote to memory of 4948	2804	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe	82
PID 2804 wrote to memory of 4948	2804	e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe	82
PID 4948 wrote to memory of 4512	4948	Ajhddjfn.exe	83
PID 4948 wrote to memory of 4512	4948	Ajhddjfn.exe	83
PID 4948 wrote to memory of 4512	4948	Ajhddjfn.exe	83
PID 4512 wrote to memory of 2732	4512	Andqdh32.exe	84
PID 4512 wrote to memory of 2732	4512	Andqdh32.exe	84
PID 4512 wrote to memory of 2732	4512	Andqdh32.exe	84
PID 2732 wrote to memory of 2108	2732	Acqimo32.exe	85
PID 2732 wrote to memory of 2108	2732	Acqimo32.exe	85
PID 2732 wrote to memory of 2108	2732	Acqimo32.exe	85
PID 2108 wrote to memory of 1240	2108	Anfmjhmd.exe	86
PID 2108 wrote to memory of 1240	2108	Anfmjhmd.exe	86
PID 2108 wrote to memory of 1240	2108	Anfmjhmd.exe	86
PID 1240 wrote to memory of 372	1240	Aadifclh.exe	87
PID 1240 wrote to memory of 372	1240	Aadifclh.exe	87
PID 1240 wrote to memory of 372	1240	Aadifclh.exe	87
PID 372 wrote to memory of 3256	372	Bfabnjjp.exe	88
PID 372 wrote to memory of 3256	372	Bfabnjjp.exe	88
PID 372 wrote to memory of 3256	372	Bfabnjjp.exe	88
PID 3256 wrote to memory of 3728	3256	Bagflcje.exe	89
PID 3256 wrote to memory of 3728	3256	Bagflcje.exe	89
PID 3256 wrote to memory of 3728	3256	Bagflcje.exe	89
PID 3728 wrote to memory of 1980	3728	Bfdodjhm.exe	90
PID 3728 wrote to memory of 1980	3728	Bfdodjhm.exe	90
PID 3728 wrote to memory of 1980	3728	Bfdodjhm.exe	90
PID 1980 wrote to memory of 1976	1980	Bmngqdpj.exe	91
PID 1980 wrote to memory of 1976	1980	Bmngqdpj.exe	91
PID 1980 wrote to memory of 1976	1980	Bmngqdpj.exe	91
PID 1976 wrote to memory of 1052	1976	Bchomn32.exe	92
PID 1976 wrote to memory of 1052	1976	Bchomn32.exe	92
PID 1976 wrote to memory of 1052	1976	Bchomn32.exe	92
PID 1052 wrote to memory of 2012	1052	Bgcknmop.exe	93
PID 1052 wrote to memory of 2012	1052	Bgcknmop.exe	93
PID 1052 wrote to memory of 2012	1052	Bgcknmop.exe	93
PID 2012 wrote to memory of 2624	2012	Bjagjhnc.exe	94
PID 2012 wrote to memory of 2624	2012	Bjagjhnc.exe	94
PID 2012 wrote to memory of 2624	2012	Bjagjhnc.exe	94
PID 2624 wrote to memory of 3024	2624	Bmpcfdmg.exe	95
PID 2624 wrote to memory of 3024	2624	Bmpcfdmg.exe	95
PID 2624 wrote to memory of 3024	2624	Bmpcfdmg.exe	95
PID 3024 wrote to memory of 4536	3024	Balpgb32.exe	96
PID 3024 wrote to memory of 4536	3024	Balpgb32.exe	96
PID 3024 wrote to memory of 4536	3024	Balpgb32.exe	96
PID 4536 wrote to memory of 1596	4536	Beglgani.exe	97
PID 4536 wrote to memory of 1596	4536	Beglgani.exe	97
PID 4536 wrote to memory of 1596	4536	Beglgani.exe	97
PID 1596 wrote to memory of 3852	1596	Bfhhoi32.exe	98
PID 1596 wrote to memory of 3852	1596	Bfhhoi32.exe	98
PID 1596 wrote to memory of 3852	1596	Bfhhoi32.exe	98
PID 3852 wrote to memory of 4504	3852	Bnpppgdj.exe	99
PID 3852 wrote to memory of 4504	3852	Bnpppgdj.exe	99
PID 3852 wrote to memory of 4504	3852	Bnpppgdj.exe	99
PID 4504 wrote to memory of 4860	4504	Bhhdil32.exe	100
PID 4504 wrote to memory of 4860	4504	Bhhdil32.exe	100
PID 4504 wrote to memory of 4860	4504	Bhhdil32.exe	100
PID 4860 wrote to memory of 3960	4860	Cfmajipb.exe	101
PID 4860 wrote to memory of 3960	4860	Cfmajipb.exe	101
PID 4860 wrote to memory of 3960	4860	Cfmajipb.exe	101
PID 3960 wrote to memory of 2096	3960	Cjkjpgfi.exe	102
PID 3960 wrote to memory of 2096	3960	Cjkjpgfi.exe	102
PID 3960 wrote to memory of 2096	3960	Cjkjpgfi.exe	102
PID 2096 wrote to memory of 4596	2096	Cmiflbel.exe	103

C:\Users\Admin\AppData\Local\Temp\e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe
"C:\Users\Admin\AppData\Local\Temp\e502e35441fd3dca943e608e77c208d6897eee27c893da26af03b0c037dca9a4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\Ajhddjfn.exe
  C:\Windows\system32\Ajhddjfn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\Andqdh32.exe
    C:\Windows\system32\Andqdh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\SysWOW64\Acqimo32.exe
      C:\Windows\system32\Acqimo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 212
        44⤵
        Program crash
        
        PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2772 -ip 2772
1⤵
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
296KB

MD5
32f2ba71e6f6d0ed2ca2ce3dd58fb108

SHA1
6cd551c917ed5374355471542cffa9e7d36a3ff7

SHA256
764a53a39d7ac1ac6dd13170049b316746269b90f1f7b9fab97e5b69d4ccd929

SHA512
740bda3a336e38087cfe8701add1e6894974e339fb90ce37096e241e8f3699ecd691ed103456be1104941901825a9e449cbd4e330327f145aa8208c965ae68d0

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
296KB

MD5
1c3165bfdbdadaaac9d8339d5ea21ebc

SHA1
8e7c4f5f16242399db8b99ad4ed646aa4ea5c3f6

SHA256
1b88ae2a9a65b757de3ba7ef64d0ed0e00d732acd0ff9fc5bd08e4e6b4a5c0cd

SHA512
0c6b5486ba9c8f300326918934c6aac654a8e6a71bc24bde6b7ecb190d9ff4c3298c372a88727e6ddfd7d622e0a8b2aa9f7153625f5f14933f2d6c3f5ac75222

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
296KB

MD5
e4361e00851ac63e2cb162ab1eac6469

SHA1
161919a7e19639cd64a3b7b41f86e8b21b6b6bf7

SHA256
6869f45e43eedd7972465f1807fc1bc040d8527db019e5c27474da2cf33fc91a

SHA512
fe8732ef01259f65240761571a414c83dc109d0596d4365e386bb189d8d71a469827c618783cd647d9f47713bdf5c1f36208b1407f1d7b43a21df9e68ac6554a

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
296KB

MD5
3bd1a2908dfcbfa506e381976e8ecad8

SHA1
4317841bc23182ad3f56a9f405b4f8e026a2bb9a

SHA256
86c8c6899c41a080bd22b878914d84f32c065f61f213c1ab0220170c3c9bfd58

SHA512
4f5f8cb27800a6b21a3b2ef5adc2ee1f14cacba7105ca7b661432316d282dab0ed6391c16e162582f4c9779503f5631998b8e8698dcdd37f016321ad064f606c

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
296KB

MD5
c7ac39b6c91775750943615253677b47

SHA1
57ff4f72d93d722f9db1df1df653e7fe69f13957

SHA256
3305eb8d326ba7da6cc74475e9f28efb4bfff41b386c21df2e309c426e0feb17

SHA512
ee916a2c498336283cafcbb7bca52fa1c1d9c282e0ff905e5b9534c6c21645cfaff2ec3390163c12c11aa08c5f93a40755a25c177aa18df016759a3fbe7dd43e

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
296KB

MD5
32c41a6311476f1c811012cf88663032

SHA1
caa09e62948cce8a8e1e4a363cf504351614ad52

SHA256
8b6f7229d47a1272ec21479d0163e69fb4934d2d99559b8b973c0741dbcba191

SHA512
c8b46957c1dbf4602e3d621c6031457225d4d6c75d4b3f958daa1133688a902f30b311a3706575e6bf59d5a789f46a98ec37c443f598ab35447f7b7b3a6b79fe

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
296KB

MD5
a8fb18014c19c156cf4726f803e525c5

SHA1
0378e83f9edc566cd303a67ed0bdef3143f4dd57

SHA256
201649abeb7b0c41aa9a642c3eccaf11035c83776a3108d2e6e27a1bf6ccad83

SHA512
d1f0c0df31591c1c2119221076a3da0c5becc3776bd8f449c7e86f288959aab61caf4234eb317a3aa70b497119b9fbc45f1eeeb9a1869a558fb3758b7cd87b70

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
64KB

MD5
c60ac2e3a49d289fb762b6a21d7d489b

SHA1
87ca40f1649b357bbe4ba7e48d24233891c1168a

SHA256
9595d94be66b9bf7139904a8632c184a44e253ea4f13a4e8a178f97d2ff9a6b8

SHA512
1a5e0fd7816e4c3d4885dc97f9080d2abd82f988e3f1dcd3462fbab8c1ce7f4d88eb5538f5ea86862dd9eea93414257431707d5850b1151e1e0698f6161cfb3b

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
296KB

MD5
7d1ee3ae1ed40cb6ca35e18debf1a442

SHA1
e913ccaf565792307a8aec9f39a7f6942ae7dca9

SHA256
3b8330af60d922417958603fe2d25b0acdf8324930d6611dedb82f5b17b564c4

SHA512
dceee2401ce297afdd2899e3777237006079a1e96988de961e3fd395786903e502d0f25eed8a4b4c7d1dcd60a7a3ef24d9e81f748c4720fece8d1b0a67d76cc0

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
296KB

MD5
84cbf5495a94c93f236e0d01803db054

SHA1
4509cfeb4dce89c1b3e3a61873d8c46df97fd2b7

SHA256
cb617b626ef973437c77984b8322ef59e4c20bf7882248f767c6e422a07acaf6

SHA512
4c30631bcc4614cd8de468e0363fec1f46b3e3a838318f68da03ba118296a6e298e39f7d288ebffecc535ac6823c4acfe70690a44777cbc00a1a7de5fab78b63

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
296KB

MD5
87587cfd04756a815b13f831771b9551

SHA1
7a889244864470542ada5ee9464f4daa3857ae67

SHA256
ce5e95e953d84af60198f2fa51f5232e9fb0793db2f20d8078f02486e803a422

SHA512
c1344adc49f86e9933d56754300582be9619272f6bfd79c251f03d9a1e5664a89b483eb82833632e1d124f521036f1934c04b7f9122987baff656a4f45b2a752

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
296KB

MD5
58197f7a1837a76ec9bbb412bcd18928

SHA1
0c59fd6751742e960b62015b23f8e9980b401ffd

SHA256
ebc218fdf4db0b5b545407a10d379006517bd9c101f7013afca42150384a7bee

SHA512
d2b5396f75223cef11a8cecf53d307fe38a17d3ba5b5fc6e4fbd89dbe2d0f3b6fd905e9a2715a044f32d01b53bdd91d3e37796263917c2933cec66acc0d40282

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
296KB

MD5
eb44cab5d27e0630197784731fb25fac

SHA1
9750325fbecee8e6732875b1a9f8f2d7826be55d

SHA256
6108000689fa8781ca4f0a63b34a3d7c614d707a83553ec754c820e32019b4b0

SHA512
f0b8be22be00fbe4db349dd37ce69a98fa97b5bd40dd36173c78c0d01924803e90e513279504bef70cb96a85078a9384d6e32c8ac7ac21ffd2a5a036efd5c231

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
296KB

MD5
ccc127e1deeafc1902794ccef2a087b2

SHA1
9b34b672b434fd9ff69b8ff07a5464419ee5014c

SHA256
b640fdd20ca49076be23ff99a01e6cdf7665cbb2d709d3199cc05c326c381b2c

SHA512
394c9c196e8d47dd779779403a6082e70398237b7531bd84aaa2cb51fe93449a884c873cdabadfb94fecb2bd93728a8a5caca18fb30f646fb74bdd2d1f594429

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
296KB

MD5
050e8b989d97aea408852bc05b9d4e28

SHA1
eba9573c97300f7d0463839c8d58e5b458eb4b47

SHA256
5bef6c9ad017e7cc5401c171f56bd2a16a08cdede6d92c9047b3e015b08b2fa0

SHA512
7bee671a78b461ae7f56198cd2d7ef96320364653f55cccd14a5b9615a5d8511e89a7ad0373daf6684556528dc7ffd42f85fdbd07385c53659d10a6ba40266b1

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
296KB

MD5
70eca707991f8f9dde0476cb04a4027e

SHA1
cc8d49512f1fe3e59dba714e00c3fc3c9097bdc3

SHA256
57a9cc46514502484c0112aff430eaecd17b1249ec161cbb62b19d6ac1ee5488

SHA512
54cd368a8f99b4c30e12e5250300805b7d574b93264930fe6e56142bceaae211dc9c14a9e3f05e8f32bf8f4a17f2cab96e86f2e7fb9a5729d2d5b92bf751e2f1

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
296KB

MD5
f8b08197c2a6cb4455d04624448f38d8

SHA1
5fcafc5034c89c70c6ca28d26f1ef52ca4bbcf77

SHA256
86770654fab95fd7ae7ea984899847ee280e978ecddd57957f6334507755c8f2

SHA512
76583dd073ae910daa264ef94d81b6faf00c3a79c9aba20a3d8298b645c925cb2734ae22d6617a041588294b82574c1bec01b23ce5bbd94b7731b04c63a340e5

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
296KB

MD5
ab14d9c856cd4292bfd156f983f6798f

SHA1
3c614d38c9a940483149b9ed52fe265a5d0d6a25

SHA256
69b70b2f7136c2de59f7a364a2e138459e314b85905207dba757c301b4378dd0

SHA512
721109def0593020536fa5b9996ac03339ba7d374a7a77333ac1452e71a2b54591b3b85a0d3fcd9b73c2ec637adb6f64bb1cba9706fe299134589f207267a649

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
296KB

MD5
f8ae9dd47ab9636caf3e1da636001c0c

SHA1
793e3d9648fae2f2477dad1e39e24a8de8313c9c

SHA256
b90be0d0cbd9d7ce5d9141b496cc79cc53b78256f86075abe32f1791b7cf8131

SHA512
21ff16eb09ad89341a0e056e46ea7530566936d1bb2879cff5d1521fba18100c71fe1e3b0af1d27b99e9a1cf01842df8b99f1421f284064a4a37c32f4e9b70ff

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
296KB

MD5
5a9edcd8ef798e801c93600034125269

SHA1
fac7fa8e40e8b536bebf06975a74d04eeff27378

SHA256
fee9d9816a9ba256a2228209b97f9527746d532ebdfcc4413d6386e4dc6287ce

SHA512
5468c552032a63ef1836906725c1db2abc99e9d33aa5fce0bcb1c54efa99bd9be685a6a4309684f853d53d921cfd56339ff7972419ee04d23c7e342c457d9534

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
296KB

MD5
b586f546328ff124219a9851819589ea

SHA1
69d386e97afe7d3f895fa6350f894171a5b14c09

SHA256
ded4d1f2c030f79d72c43d00a0c9ff977b5880692e36f9d8e6f0c8413fe2f9a7

SHA512
dc16c148319f7f2a36faa45eac4168047e916dca9f1ef25f1eadb86256d381f844d99afb1a2ee8c0cf3070990490efb936e84440b050ae992bed93076934a26a

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
296KB

MD5
4d0047b4a3df4f1f789c5f44be2cc7aa

SHA1
d97b12ff4916e61c2d20603c33a03b0b9f38e641

SHA256
873ff3a1e145d5c90211689e08a90713cc001867525b29b0a9f3ccb62c795639

SHA512
6b9650238458c926f148080e2e51ab98bfb39065bda994ffb2f705f3dc673b6044a3725f182601d8c1ad041893bea09fed00bea5d57dd6c10b037c5914d7c0da

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
296KB

MD5
3b6a113edfdbafd81703279e6f7eaa03

SHA1
c2f9fe87f13f12e57cd81a28d2260b44b7b71b23

SHA256
36e615bdc4cc143d6b18672582b402f7e42bc528720ed79da94bf73b4a79d6a6

SHA512
ed4d2e34ec8261c1b211484ee92160c08976dc547a1f69ebccd2ec496d2f430958656605253a4f09f740a2d9ad09e6c776b0f4c8ca9cb67f8860412c11c6ab80

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
296KB

MD5
4be4156496c7e01935cf614a176198d2

SHA1
d1547eb33eaf07723a04326097ba9b174da549ab

SHA256
22f20239efcfb25f0c15e328b4662f7139e9b9d0971c55175c8895f903925323

SHA512
2f35dfd0db526c9ab7c9da7f1b808c272328842e1039aa81979b3c381b87af425ff34c9c95c9bc56c451dcabc6c56e541c2b6c5282f043788f149920529d0d0f

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
296KB

MD5
f8ec6090a17085e86124f4e3ba02dafb

SHA1
32c24b64f3693b9826e493236b92761c316a0d93

SHA256
5fdbfd2daf4c6fd84437789112cbf0356a66ec084611bb4e99cbd3dbc4c2d3e4

SHA512
375cee813d695d93b930f25ba1dd2f9a277fa2c2fd726f7c0880015b6a412333a8429fc57f3b6a67c50551359587ac1069c29bdd9fffdcec3afa45f9d6ecb508

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
296KB

MD5
b1b850e8984796f0d987bb59481731f1

SHA1
3e1e578d485a1fa8839b36d744ec3da7ab35cdd5

SHA256
7b57247de6ea8167e3ed37e0aae459b3235fb71c922071be68d56e5bdf833325

SHA512
7e69ca12a8beb7914cc50314e9e28e6fecac73fcdd2931be82b7479611878be76ef3afc6bf5a111d6e09cb0a2dab510381a4b93ebc5c8509220d6406b54010ea

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
296KB

MD5
5048045e50173d5642b7ee4a83a22ceb

SHA1
060c4590f23295eb82cead3b2929ca1ac5862c5f

SHA256
a5ce75798edfc367b18df95c769c120157dc3a99f256a73e1bc351deb75ec24e

SHA512
fa4c15ca010abb4349875ec576e59b692e379480303febcf985febf072e0e8a21377d6b3f4522fefdf2b65682d1fc9a2f13e0106b3b5646c66be4eceed5883ab

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
296KB

MD5
481afd5dd08aad21abb62a0a645dd23c

SHA1
c838d8d9e6b4d655d24684411f59fe5b94a14a21

SHA256
66fee6cfd5b21a20bbb12a15f36a15a55f4b3e73ac64f2e834cb4db21187eea7

SHA512
ce5b51187f40e5aa820432ff212e4334c71ee276a11db4936f8a814c02e3242e4302048c96d0ec162935e084e5c4cccb0d8fc321933855f6ca52ca5d2636729a

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
296KB

MD5
dc0de73999ec175e6f567edf166650fc

SHA1
57bcfef8153d01e02858abb5e278705fbdc93fcc

SHA256
f0675fc483cd6f00055f796ee90d6503f8e2bb38d71c6d7084c983a1abb6ca8b

SHA512
fe18a0d9b0bf5ee2a4e2d35219e800c45c48ed15ef744e4457a057f34c8f67eacde465b328fe599740e7f3bf3a11e2e21b0483362f8420a10e980b36fff8268e

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
296KB

MD5
59ba6403e6431cb95acaa8eafa01c484

SHA1
01bf8d716cea254e1b0bc7d1c1881686fab3c899

SHA256
ecdf925a82cb1a95078d778e280629044aa2b79aa3c53b45bcd337f7dac2b0bd

SHA512
54b290ba920feb159432451b5e46f7d63a5671363ad5a7b71fec1aa8191405ea7e55fcc2e9f5423ef43260fb3dddbd65991c72c8ecd4dcfb6d31b8de02ba0385

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
296KB

MD5
f742fc007c7f38faf8de46151e3008ad

SHA1
d8a93ee03f2b152567d3dcdd89243dce3855b097

SHA256
a5ec377e94b58f2fd37e85785043122ca999a476a5fa2d2813f55277c49de8d2

SHA512
3b4d1111416220b50de8bb43ac60b64b6b1063169ef49d0a650b2877848ec28e029a13c8a7dd1d0d362df9eb5fd6aee987dd77f09487316e687a6b3b7e2dcafe

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
296KB

MD5
21a19f6533b827ad93906a51c974a8ed

SHA1
a49291b88081d45f358991fb96b10f08acb461bb

SHA256
204fbcd458c24311f44f30a61a356a00823e2dbaa71bddf7d23b38bfe235f545

SHA512
5dc04e09af313a06483039d71793ce1b32df02b3cd819698d9da14f401b5f95306477a1ad8b7cf2c97e7125bb4a66e7a98640303d68ddac9e9d8db406ac5e6fb

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
296KB

MD5
a0011f470c8fe728134130d336e7d973

SHA1
97346ce327541e99d286abcca99ac0e4df81efb0

SHA256
f3bb4fa7cdbf428a7e76c97abc2e0886c8e40987e482231a0f0c111b1149ab97

SHA512
5fe89b3579837294891b4e993b3ad7e29287322af3f9e1386b562040eab7cd79eafbd59e7897684f40a182be3560d8f04f84aea5c2f1bbcafed14b553e6932ba

Download Submit
C:\Windows\SysWOW64\Ooojbbid.dll

Filesize
7KB

MD5
3bc3fb3ad26e5b645038eacf2a5a8f87

SHA1
97213bcbe4a31b4230a26b7bf00210e4a15fccd1

SHA256
c896969aa13c9cb4139b0df1ef9fafefd670dc36680eead31555316f82f81845

SHA512
d6ddd5de1fc7a0b3fe4a424527e96d9602f47cc4d441701cf102957ed4bf9595598f4ea179976a4d7f02b1184a12ec6038c2697e604b985a3ba0f1beb33ef74d

Download Submit
memory/116-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3852-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3852-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads