berbew | fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023

Analysis

max time kernel
94s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
Size

96KB
MD5

e26126286c4fdfc477ee8225e79419e0
SHA1

c484d745f0e6e5c58728c261ea7f120b4d486893
SHA256

fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023
SHA512

42d501a7197abfb8cf67594917cd7ef0611c0a63504987673df1e91f94554169475118e283d051d85eba640c8b9495aa2856a709101c0953edcc5f44b0407844
SSDEEP

1536:ln24nqBRoXUIGvh2LFaIZTJ+7LhkiB0MPiKeEAgH:ln1Ev6FaMU7uihJ5

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 38 IoCs

pid	Process
4600	Aeniabfd.exe
664	Afoeiklb.exe
1520	Anfmjhmd.exe
4668	Aepefb32.exe
1248	Bfabnjjp.exe
1544	Bagflcje.exe
2104	Bganhm32.exe
2292	Bjokdipf.exe
3236	Bmngqdpj.exe
1368	Beeoaapl.exe
2716	Bffkij32.exe
3340	Balpgb32.exe
3704	Bjddphlq.exe
3628	Beihma32.exe
2036	Bmemac32.exe
3112	Cfmajipb.exe
4740	Cabfga32.exe
4760	Cfpnph32.exe
5020	Caebma32.exe
4584	Cdcoim32.exe
2392	Cmlcbbcj.exe
1728	Chagok32.exe
4912	Cjpckf32.exe
1092	Ceehho32.exe
3044	Cjbpaf32.exe
2520	Calhnpgn.exe
3700	Dhfajjoj.exe
1744	Dopigd32.exe
2012	Dejacond.exe
4968	Dfknkg32.exe
1984	Delnin32.exe
4388	Dfnjafap.exe
372	Dkifae32.exe
3352	Daconoae.exe
4824	Dfpgffpm.exe
1344	Dogogcpo.exe
2908	Deagdn32.exe
2904	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
452	2904	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4600	2596	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe	82
PID 2596 wrote to memory of 4600	2596	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe	82
PID 2596 wrote to memory of 4600	2596	fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe	82
PID 4600 wrote to memory of 664	4600	Aeniabfd.exe	83
PID 4600 wrote to memory of 664	4600	Aeniabfd.exe	83
PID 4600 wrote to memory of 664	4600	Aeniabfd.exe	83
PID 664 wrote to memory of 1520	664	Afoeiklb.exe	84
PID 664 wrote to memory of 1520	664	Afoeiklb.exe	84
PID 664 wrote to memory of 1520	664	Afoeiklb.exe	84
PID 1520 wrote to memory of 4668	1520	Anfmjhmd.exe	85
PID 1520 wrote to memory of 4668	1520	Anfmjhmd.exe	85
PID 1520 wrote to memory of 4668	1520	Anfmjhmd.exe	85
PID 4668 wrote to memory of 1248	4668	Aepefb32.exe	86
PID 4668 wrote to memory of 1248	4668	Aepefb32.exe	86
PID 4668 wrote to memory of 1248	4668	Aepefb32.exe	86
PID 1248 wrote to memory of 1544	1248	Bfabnjjp.exe	87
PID 1248 wrote to memory of 1544	1248	Bfabnjjp.exe	87
PID 1248 wrote to memory of 1544	1248	Bfabnjjp.exe	87
PID 1544 wrote to memory of 2104	1544	Bagflcje.exe	88
PID 1544 wrote to memory of 2104	1544	Bagflcje.exe	88
PID 1544 wrote to memory of 2104	1544	Bagflcje.exe	88
PID 2104 wrote to memory of 2292	2104	Bganhm32.exe	89
PID 2104 wrote to memory of 2292	2104	Bganhm32.exe	89
PID 2104 wrote to memory of 2292	2104	Bganhm32.exe	89
PID 2292 wrote to memory of 3236	2292	Bjokdipf.exe	90
PID 2292 wrote to memory of 3236	2292	Bjokdipf.exe	90
PID 2292 wrote to memory of 3236	2292	Bjokdipf.exe	90
PID 3236 wrote to memory of 1368	3236	Bmngqdpj.exe	91
PID 3236 wrote to memory of 1368	3236	Bmngqdpj.exe	91
PID 3236 wrote to memory of 1368	3236	Bmngqdpj.exe	91
PID 1368 wrote to memory of 2716	1368	Beeoaapl.exe	92
PID 1368 wrote to memory of 2716	1368	Beeoaapl.exe	92
PID 1368 wrote to memory of 2716	1368	Beeoaapl.exe	92
PID 2716 wrote to memory of 3340	2716	Bffkij32.exe	93
PID 2716 wrote to memory of 3340	2716	Bffkij32.exe	93
PID 2716 wrote to memory of 3340	2716	Bffkij32.exe	93
PID 3340 wrote to memory of 3704	3340	Balpgb32.exe	94
PID 3340 wrote to memory of 3704	3340	Balpgb32.exe	94
PID 3340 wrote to memory of 3704	3340	Balpgb32.exe	94
PID 3704 wrote to memory of 3628	3704	Bjddphlq.exe	95
PID 3704 wrote to memory of 3628	3704	Bjddphlq.exe	95
PID 3704 wrote to memory of 3628	3704	Bjddphlq.exe	95
PID 3628 wrote to memory of 2036	3628	Beihma32.exe	96
PID 3628 wrote to memory of 2036	3628	Beihma32.exe	96
PID 3628 wrote to memory of 2036	3628	Beihma32.exe	96
PID 2036 wrote to memory of 3112	2036	Bmemac32.exe	97
PID 2036 wrote to memory of 3112	2036	Bmemac32.exe	97
PID 2036 wrote to memory of 3112	2036	Bmemac32.exe	97
PID 3112 wrote to memory of 4740	3112	Cfmajipb.exe	98
PID 3112 wrote to memory of 4740	3112	Cfmajipb.exe	98
PID 3112 wrote to memory of 4740	3112	Cfmajipb.exe	98
PID 4740 wrote to memory of 4760	4740	Cabfga32.exe	99
PID 4740 wrote to memory of 4760	4740	Cabfga32.exe	99
PID 4740 wrote to memory of 4760	4740	Cabfga32.exe	99
PID 4760 wrote to memory of 5020	4760	Cfpnph32.exe	100
PID 4760 wrote to memory of 5020	4760	Cfpnph32.exe	100
PID 4760 wrote to memory of 5020	4760	Cfpnph32.exe	100
PID 5020 wrote to memory of 4584	5020	Caebma32.exe	101
PID 5020 wrote to memory of 4584	5020	Caebma32.exe	101
PID 5020 wrote to memory of 4584	5020	Caebma32.exe	101
PID 4584 wrote to memory of 2392	4584	Cdcoim32.exe	102
PID 4584 wrote to memory of 2392	4584	Cdcoim32.exe	102
PID 4584 wrote to memory of 2392	4584	Cdcoim32.exe	102
PID 2392 wrote to memory of 1728	2392	Cmlcbbcj.exe	103

C:\Users\Admin\AppData\Local\Temp\fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe
"C:\Users\Admin\AppData\Local\Temp\fa6b014b1b755a28a06b109749faa9b5ce3a9dd4916dedc65c857064d3623023N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\Aeniabfd.exe
  C:\Windows\system32\Aeniabfd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\Afoeiklb.exe
    C:\Windows\system32\Afoeiklb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\Anfmjhmd.exe
      C:\Windows\system32\Anfmjhmd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4668
      - C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 408
        40⤵
        Program crash
        
        PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2904 -ip 2904
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
96KB

MD5
ff86f71ec1ef639e462ce82e11573d76

SHA1
2b6f422bbc8e8970091ec22b0e1e7a7dc4e1bc17

SHA256
9436f687e1924f6132cba6baa070d3e5857a7231451108a6a696bb29ee0284b4

SHA512
f61e5686791bae364f09529796b3a14e46e84d53629fd17c539ace212956d58045dd146ce13090760aaf2e9f260f4d3ae5ab47c9409ec10ed54742692af37786

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
96KB

MD5
a3e2fa68d01f43feb844a5ee725060ae

SHA1
ffe312a75dda537e6562c798910ebb31c6db4d57

SHA256
d098a2d526126809c2dfa0eba66d1a43bbefe764753ecf8875c625bc44992bf1

SHA512
c6029f968cbaedeed604512221e6c8a2acbfb97d72f38ba1a1fd959b3ce90b678858163a75dcba090800bdbed3c0d77704c126ef28c016deb6ff5a9a456103d8

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
51ff2ff857d5ea481ab4079e67f9545b

SHA1
aeb4618c3e3a22d241b87ef038581da84a92a6d1

SHA256
dcb12c4f0fc3d0abc6182336588ced06138ed084fbfd6bd791f91a2bf6c9c950

SHA512
f0fc847834c3a6354c952f7b736ec547565690f215eada8042bfcb45d88eee72d95e6d0a3a9b85d472714a9e97beabcb8c03b2c51ba82a765daeb72f223e1b63

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
96KB

MD5
10fbd46ca733ffab07c678562be283f4

SHA1
1e3e61a77cd0641dc73262ada47c9d150d7b5be6

SHA256
1c31afb6d5d22953f3dd2fcc57b0ec1aa71dcb672fc3664ba87d9bc65b17bde9

SHA512
533249de89b3b4af5635f785c29e06e16e278f2551ac19ce7861f394a010d3f8beaad0051ae0654df3826046be8bd91ecec97867cff12854ad69dfa07fbcfcd1

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
96KB

MD5
fef659deb3ef3ec38314a23d1af6faa1

SHA1
ff66e53012c04a8506eee075c1d313acba634c13

SHA256
1335d5bbb83d584133c5d2e4a4033b196769cf88ef45fa88e4c25966287b74e3

SHA512
e373583c33563189e7f49b03e69af2dd91aadfa74a8a11084ec76031d516dcb0d2ab2abae264af3efaa6e38ad1b946c09acb3c050abd21394c1a6475f98e02dd

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
694373b0b629065ca592e61fc8c5f4f6

SHA1
96933451aa9de2ad4bebe6e4996cf52d0d946ed6

SHA256
e071220afea2b5200321f3f4ee73264859fc4afd3e7ad846448035f120689720

SHA512
41217ef5d79b66b3d85a119c04b5f4ab936e3f5cb0890f2a1baa1fe7d819ae9ad230c267f86239751e2aec100aa9df9fc8cd0979536ff5a6f0363a6389365df3

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
45a6dbc12d5528ac915cb4e37ed3dd1f

SHA1
435f4b51ad93fec410ffb07838e5e2c80020d125

SHA256
a66226962e8c2046e815d930f9d71a82fd49453c29a958fcc771d661b7ef610f

SHA512
63aa5e661979a623199fb2a6d3798aa0662bcc051f3d002c024dce59a6e0ba21daca747e883da77df2a1dfb3ecc3ec75e70c5facca174ae0e62ce64de8e15d17

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
fc10320b7fde4ef3d323c7cfb6f4bfb6

SHA1
ca7e607099b7d437c07c4fb2a5f284d1b58a17f5

SHA256
b1f12af00c1af6c36ef90f872f088ec7af3b5f4c33581054838dcc0091e3e9c4

SHA512
a72e81218fdda05b426c611bfa5d8f968b02226b9c42d71008406263f1e66ab790d272324e1960301b4a5d8edec6341251a4c430db77e70db422020093c7e8e0

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
471adae598dc74a5f993dde21ba151aa

SHA1
c20a73769c48c0a3c6d14f965d414f9916d103b9

SHA256
6f3bb465f1e1cd4a8603b53d66b35bb6d816628425163333f25751a78160df80

SHA512
20024741efa050b33a745b6871debb2626578617f37450fe077531ee1689214bc3070ad124c4cbb7f8e550fca7a86b1a6d24510e45a27cc758baa0511b296ab6

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
5e96b0f35cc085b9114537cc79df7cd1

SHA1
ae44f99b0e9eb3d6245cf67b0c1fedbf132c77bb

SHA256
80b39e324e85fd2750c8ae513619b2b1c600c88445e83fedb3c69d52fb74fb8b

SHA512
a3862e259a210d7574f79a1e13e485acd63fc34b2a3edb2a22fa3fe52d1b7bb78ae68d1305f21807f35ac6aede2addb8e02f0986e8876da2f21770f012d6b7ff

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
96KB

MD5
03f233635cf8dabe5032802d31ab8b0c

SHA1
eca53339a128e95f8b6e2746f6721fb1d837d8bc

SHA256
db628d1885459626d3c9bc4aa3620b4ecbb1bdcb9e9f1c3b167ad29b95cd59eb

SHA512
4d5fcd2aecbc2532e4b05093746dbafab6a1097da64aba9eaa26c6e66bc638744073cfd316b8ae75b09565e12acd3e21803a1369cbddda46496038f1f6d9caa9

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
96KB

MD5
3dbd61653e7bb3434c50fbb7616d7bcb

SHA1
9222cf9e46eb76e00b89b2f83eeb65e5c6497a79

SHA256
267e314d7209ebc25725129c8010d96bc82b7003b9ed34c61ea69722ff1926b9

SHA512
8d0be81e3dc541ba0db9bfb005d4d96ae708ab5de6343b01496209615ef9510a47cdd8960614acca40db25dda90a730328c239230c4379ca532709d85e16452c

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
96KB

MD5
cc361647ba25c74a54270aed1b7a1d14

SHA1
d8245092b34f7830151e7a09c91769f1616a4652

SHA256
1f18dae356e7102f60e64073605c963bb600fae55a06676c3cf4894320834601

SHA512
c7033a860e6aeb3d56b36ba1f871c6fddfa338bbac18c203edb9562121aece21424786199080aad305fa678f10b82a365256596dd381d839b671e0612300433e

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
caed0d2e60359c9ff9a891eed84505ba

SHA1
00bd445f492e1ff1d7a9635e0a22968688fcfd63

SHA256
943e5ae302fbd3ba3603774ab006e490737437e7d80468d0ae2195bda8f27d20

SHA512
2fe343eead7e08d86278855402c25f3d7aa357c9f2e0e8327cde05c5b4cada9d079cef53e65ee70c4729ae9e03b4713810a9951852d822f57482d2767916861e

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
eb77d6453521346f0567e7ed149ef0f9

SHA1
64e22458b7a0e75ad972c2a703496bfc7c0baf29

SHA256
a657e4e6f58494aa7601d27840afb931aa5fa0fe6347d07efa3d3eac34c5e772

SHA512
5216333bcb2197092f4bf1bc9414c603a1bfee551ae544b47fe77738eabf324ad6803addac5005819f60bfbd48408ba6ad82871f5560bb8eebf129983997efcd

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
129ff040c35cfc15d1400fee69bcc5e5

SHA1
800060d6380210dc83a2557d62d2468d70aa1a92

SHA256
6137f1f8fce30e85d538bba683a506953ae5ced68bf24bf4b773526187423d10

SHA512
2a05d4ba85bdd76938df0440e2db8000f24eac69a8cd165854d0e7ab6708a295a7b935df2f2d448e4667c1da06e7b43fe8e0edbf9503bb5c2d71cc41fb08e82a

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
96KB

MD5
b0749e2deba7e2c9652e08c7bac21345

SHA1
cbe978fff58fe90b00fcbebbc7fae218950f7823

SHA256
c1501e56729b146897ec07da29fdd329608d3538315e089ff2f5463cc48340aa

SHA512
d1d814f61ad64f01633aa936bc25d84d1e9cbbdcebb148c08a95d90b4a0f2e0c12bf0951e981c2c6898b55ad9c22b2ab596693ec0ba5c1c64de70925f48c1523

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
7614ba1bdd21132a8b3b3fe08916989a

SHA1
9cca02656b0b0ee2fcc790395851ef322c82b6b5

SHA256
6fa58238c27aaf6ab473a8c05970d33daf3e0e0ba251d952b27c2bdba03b4901

SHA512
cb0d9ea933abc31be3ab3efccf82aaafe75a77ac085f867d34e2f589898aac7e23564a4bdc9f4c5b3979137904c5085d63ff1af73c4511723937524727012759

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
96KB

MD5
ce864a6ebf6a82e3eea3b55d0e8b3a39

SHA1
e02f09f0a9b09d00bc48a1cd8dff5eab7164d01e

SHA256
6d57ddfb6d2c74d4b166794c47e0bbb21cdf872494b3198f1e6e6a3902fbe45e

SHA512
295100f00ace9eb8e85ece1d02e909b16ebaab202c57933128de0d33b612e2824ebce6249d0bd6a2e433d68b4daed8339e1becc2db6f25a2abd595b75947a9d3

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
8b99052365f7c03f8478c4cfd80f060f

SHA1
602da942203c6036fe798270fad2c0595b56258a

SHA256
5ea37866f23363d7a5a7524347fc3e062203bc2d88ed285da9f0393e56162504

SHA512
2196099db0d55e74be3cd20b6a15c61fee4b18c4fc61aeb518177286459d774f2e5f071cd843641c432d745a23b55ba0a34845d9a72637b51b16e41a981596f3

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
96KB

MD5
05ddf9b9600d79de3f71974ddd5219a9

SHA1
4b7abf75f05d11e9a018529739de9224bd4b89a8

SHA256
dd3005be0cf1f88ba7c96d19063caeb0947342a66d6b509b72f70451911344f7

SHA512
8d564391c12521d5921a9ae98c94f40639e5ce9c48083f71ba867169cd2a17ea9348fa53440aa00fc182e256e53c836a180736d7bdda2e04d075adba22b53ff0

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
389935fc93d8c6d8dcd543d70fbd1c93

SHA1
dfb5a74b24e1a7b0d7c31f29f8450d1c95b95043

SHA256
5144704fe1b750b727afe7fa8cd118514add907278d8727994ee1d041f8036d4

SHA512
c4e8fa8deee2ce23256475b81cb22e678da0b7beeb5874b0dc312399857a5756a061ac0b88967b54efeeac3ceec5a8db7009d971479e50723f72e315a941f1d5

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
fa2ccd77576520d5e4144b704045273f

SHA1
9b2c3679f4a4f1960bd734d1fa97a399069aa699

SHA256
80f5bf5cd443b858ab464254ac417692fff8d646d0e6de178b0d190be2a5d226

SHA512
e9b40e8c13315b482d16ec6f404dbc92b1d4da6e8d4b6bffa7dde07734bd39eaf79d1e533b6376caae1a10b5bbb3428d9b18537a1485e440890bba170ca6eb17

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
96KB

MD5
3c9ba7cd7d0b74bca343c07ae1efdff9

SHA1
50b320d3ebf0c47acf05ce1fb6a059ddd1a40c09

SHA256
affc283bb5dc92458b28fffbf8e92bcc755a1dba34306de72acbdd6ff949f0ee

SHA512
5847107035ff61c698789273717f14af35e7bb3810da34a0d42f17d14b0f6bf17a7f412c01f071caeeba92a28763e3f372e04b3e28b1437cbcca7021eae126f8

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
96KB

MD5
2e8342e0a2ac8355fb70d6be0a2299ec

SHA1
5aad60554297533a40f167b311f99a9ee9a71c0d

SHA256
d502f8718d291a68daba62ce867e5bef64b13514a531262815515b6d096d8f75

SHA512
dd798812ffe38bf0e2630bd22114a9632fdfc231ea04ea175c909f0c78a9d9d27d001ce0ecadfc7f4043aaba5d62954c324a4dd03cc05e0613bcc908fb7f5862

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
f068cb8895cbb470660dbe35e0c72790

SHA1
329fb58c0fa35a43efa00289174b3a9db74c76b9

SHA256
8b94f3671780a9303bd9f60e013a67ee2526dfa0f1fb9e59488b8e891bab4c73

SHA512
8770156e236786b95826d90c07ebaca499a3c19ef1e647445859ab0d5588555df6f069bff9d1c77b02f25a68495f182ee3f5c0ee13ccf1116d879bdd594836cf

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
244edf89d625ef4bc5af0bb6ba88da8b

SHA1
674f146671a78657c443b7ec7415aa4b88c5ce53

SHA256
3f8517d9a4931deba6d4f765ce097d09a50d2d1a7f9116b7dcba1aa13ea9e06f

SHA512
bb57c2b37869a2a33771893de9d4b30dbaa80f684fd473fd6427c12689db41d821a3f2aeae99f400ce18b67989e986d367b048782b14549dd367924a568540dd

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
0c3d2e43afdccdcec726812f889eeb2e

SHA1
f3bc11e6dd72e68b8ab206f1b1e202c0fd6d7a20

SHA256
f0fbe38f039586efd76b10f577a4a2612b68f5430def15f517bcfb70e937b27f

SHA512
d131c9e8398a4ab5a5f01451339443a9b61313f889acee9e76158b137c9d49deb2a32b4ee3ded93435499d41f35d77633f8c4b631e08da5c0b7afa74994e70f1

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
64c0b7799873ac7ac87f12c5617abfcc

SHA1
790ef45135e4011eebcef4aaac6eadf0ddcfcbb0

SHA256
91350310fd81c1839cee4ad351003c77d12afd1081f5634267eb887836e1790e

SHA512
3abd798ad27c113187322f74a9c8f56ef4799b24af33b56af2d77032b60d3edc3fdf88597fb96a76f01dc8d7b78545b9a6db439b68ea86b12039c687cc0c7915

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
affb092347428feaef02571f7e769f92

SHA1
e2c9b25fc767f3646e2d7207b187a9f33361ddb7

SHA256
5420fc313c5238f0091c534aa8d92fa0b75ead87386c0706b57ecfaadc919a89

SHA512
e65c809332cb5d4e6850682ad90ae38261116dfbe57d8b4aa5bf23966ebb30879712bb5b8b88f15360e940d4dbdd4de66858b57e45eec89903cb95ddaf245871

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
d0a8668b859f187f5c6e8b1f0b3a45e0

SHA1
d7e627fc429099195488954021111dd4a1134ac9

SHA256
c77e9f02520227a6f9664e4dca1e9f9a77f0df400a3ea38b83d0ec9858d69f83

SHA512
e91b6ba50b116b45df62cde3d1383e83dd53ffb677024c9c8951bd55575ece29898f8c1eff0e0e921977d85195a755595f74b0cbbf1811ce70bb28b7cf7e982e

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
4bebe13405f7ec32f8f1909adc0127b7

SHA1
0fb1d210df2e8546899916b44fdd7f34a845af17

SHA256
7379ec69dcb8b80e1c3a4cc478e0221f323ef6527d04ce2833b575cbd77519ad

SHA512
add0a975076d013dddda87e13f3b77c8eb99d698e6a0bd1d14dc9dc483041ba09fdaa36571ec17d02d66720a1af22dcedef15c913254caedad1b8ec257eeeaca

Download Submit
memory/372-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/664-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/664-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1368-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1368-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1520-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1520-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1544-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1544-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1728-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1728-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2104-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2104-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2392-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2392-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2596-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2596-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2596-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2716-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2904-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2904-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2908-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2908-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3112-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3112-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3340-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3340-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3352-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3352-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3700-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3700-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3704-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3704-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4388-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4600-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4600-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4668-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4668-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4760-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4760-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5020-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5020-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads