berbew | 57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8e

Analysis

max time kernel
33s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe
Size

94KB
MD5

ee6c3a4a5a011549c9865358062fa8e0
SHA1

d052db6290674ae771685b6a82c5686811e85e9c
SHA256

57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8e
SHA512

4b301a7086e0b813f3e95eb48d3e10d000f5925efabb5e4659919a217e4b3ffb0d639c475dc6dfad121aa92941af891e9336b7ecf12f18f6316d7e4b38c449bb
SSDEEP

1536:OSHMASjhpSaJE/bFe42cI9YDtoxWY2LBS5DUHRbPa9b6i+sImo71+jqx:cNjhpSdhe42cI9YmxsBS5DSCopsIm81F

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhbbcail.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbchkime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdngip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djoeki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhbbcail.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blipno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blipno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cppobaeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdngip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhklna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blniinac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdjno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfaqfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddppmclb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgnminke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnkip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdhna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejabqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbchkime.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppobaeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnckki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djoeki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejabqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkcfjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caokmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbmkfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eifobe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chggdoee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epeajo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 49 IoCs

pid	Process
2676	Blipno32.exe
2740	Bbchkime.exe
2092	Blkmdodf.exe
2600	Bceeqi32.exe
1512	Blniinac.exe
2204	Bnofaf32.exe
1076	Bhdjno32.exe
2948	Bkcfjk32.exe
2308	Cppobaeb.exe
1764	Chggdoee.exe
2164	Caokmd32.exe
1372	Cdngip32.exe
1696	Cnflae32.exe
2376	Cpdhna32.exe
1904	Cfaqfh32.exe
2100	Cnhhge32.exe
1100	Cgqmpkfg.exe
948	Cjoilfek.exe
1940	Clnehado.exe
1536	Cbjnqh32.exe
1928	Dhdfmbjc.exe
2488	Dkbbinig.exe
2500	Dbmkfh32.exe
2508	Dhgccbhp.exe
344	Dnckki32.exe
2700	Dhiphb32.exe
2680	Dkgldm32.exe
2820	Ddppmclb.exe
2596	Dhklna32.exe
2264	Dgnminke.exe
2868	Djoeki32.exe
2940	Dmmbge32.exe
2116	Ejabqi32.exe
2980	Eqkjmcmq.exe
2856	Epnkip32.exe
2616	Eifobe32.exe
2184	Eqngcc32.exe
536	Ebockkal.exe
2356	Epcddopf.exe
2956	Ecnpdnho.exe
1216	Ebappk32.exe
2176	Epeajo32.exe
1828	Ebcmfj32.exe
1096	Eebibf32.exe
2252	Fnjnkkbk.exe
3028	Faijggao.exe
2408	Fipbhd32.exe
2452	Fhbbcail.exe
872	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2372	57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe
2372	57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe
2676	Blipno32.exe
2676	Blipno32.exe
2740	Bbchkime.exe
2740	Bbchkime.exe
2092	Blkmdodf.exe
2092	Blkmdodf.exe
2600	Bceeqi32.exe
2600	Bceeqi32.exe
1512	Blniinac.exe
1512	Blniinac.exe
2204	Bnofaf32.exe
2204	Bnofaf32.exe
1076	Bhdjno32.exe
1076	Bhdjno32.exe
2948	Bkcfjk32.exe
2948	Bkcfjk32.exe
2308	Cppobaeb.exe
2308	Cppobaeb.exe
1764	Chggdoee.exe
1764	Chggdoee.exe
2164	Caokmd32.exe
2164	Caokmd32.exe
1372	Cdngip32.exe
1372	Cdngip32.exe
1696	Cnflae32.exe
1696	Cnflae32.exe
2376	Cpdhna32.exe
2376	Cpdhna32.exe
1904	Cfaqfh32.exe
1904	Cfaqfh32.exe
2100	Cnhhge32.exe
2100	Cnhhge32.exe
1100	Cgqmpkfg.exe
1100	Cgqmpkfg.exe
948	Cjoilfek.exe
948	Cjoilfek.exe
1940	Clnehado.exe
1940	Clnehado.exe
1536	Cbjnqh32.exe
1536	Cbjnqh32.exe
1928	Dhdfmbjc.exe
1928	Dhdfmbjc.exe
2488	Dkbbinig.exe
2488	Dkbbinig.exe
2500	Dbmkfh32.exe
2500	Dbmkfh32.exe
2508	Dhgccbhp.exe
2508	Dhgccbhp.exe
344	Dnckki32.exe
344	Dnckki32.exe
2700	Dhiphb32.exe
2700	Dhiphb32.exe
2680	Dkgldm32.exe
2680	Dkgldm32.exe
2820	Ddppmclb.exe
2820	Ddppmclb.exe
2596	Dhklna32.exe
2596	Dhklna32.exe
2264	Dgnminke.exe
2264	Dgnminke.exe
2868	Djoeki32.exe
2868	Djoeki32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fhbbcail.exe
File opened for modification	C:\Windows\SysWOW64\Bnofaf32.exe	Blniinac.exe
File opened for modification	C:\Windows\SysWOW64\Fhbbcail.exe	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Fpfjap32.dll	Cdngip32.exe
File opened for modification	C:\Windows\SysWOW64\Dkbbinig.exe	Dhdfmbjc.exe
File opened for modification	C:\Windows\SysWOW64\Dhklna32.exe	Ddppmclb.exe
File opened for modification	C:\Windows\SysWOW64\Dgnminke.exe	Dhklna32.exe
File created	C:\Windows\SysWOW64\Epnkip32.exe	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Bopffl32.dll	Bceeqi32.exe
File created	C:\Windows\SysWOW64\Ngeogk32.dll	Bhdjno32.exe
File created	C:\Windows\SysWOW64\Clnehado.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Dkbbinig.exe	Dhdfmbjc.exe
File created	C:\Windows\SysWOW64\Dkgldm32.exe	Dhiphb32.exe
File opened for modification	C:\Windows\SysWOW64\Ebappk32.exe	Ecnpdnho.exe
File created	C:\Windows\SysWOW64\Mnmcojmg.dll	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fhbbcail.exe
File created	C:\Windows\SysWOW64\Bbchkime.exe	Blipno32.exe
File created	C:\Windows\SysWOW64\Fopknnaa.dll	Bnofaf32.exe
File created	C:\Windows\SysWOW64\Cefllkej.dll	Blkmdodf.exe
File created	C:\Windows\SysWOW64\Bkcfjk32.exe	Bhdjno32.exe
File created	C:\Windows\SysWOW64\Dgnminke.exe	Dhklna32.exe
File opened for modification	C:\Windows\SysWOW64\Ejabqi32.exe	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Jacgio32.dll	Ejabqi32.exe
File opened for modification	C:\Windows\SysWOW64\Epeajo32.exe	Ebappk32.exe
File created	C:\Windows\SysWOW64\Blkmdodf.exe	Bbchkime.exe
File created	C:\Windows\SysWOW64\Bceeqi32.exe	Blkmdodf.exe
File created	C:\Windows\SysWOW64\Eebibf32.exe	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Jcngcc32.dll	Faijggao.exe
File created	C:\Windows\SysWOW64\Bnofaf32.exe	Blniinac.exe
File created	C:\Windows\SysWOW64\Ebappk32.exe	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Cgqmpkfg.exe	Cnhhge32.exe
File opened for modification	C:\Windows\SysWOW64\Epcddopf.exe	Ebockkal.exe
File created	C:\Windows\SysWOW64\Ieoeff32.dll	Epnkip32.exe
File created	C:\Windows\SysWOW64\Ecnpdnho.exe	Epcddopf.exe
File created	C:\Windows\SysWOW64\Odlkfk32.dll	Eebibf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhgccbhp.exe	Dbmkfh32.exe
File created	C:\Windows\SysWOW64\Qleikgfd.dll	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Chggdoee.exe	Cppobaeb.exe
File opened for modification	C:\Windows\SysWOW64\Dkgldm32.exe	Dhiphb32.exe
File opened for modification	C:\Windows\SysWOW64\Bbchkime.exe	Blipno32.exe
File created	C:\Windows\SysWOW64\Ifhfbgmj.dll	Cgqmpkfg.exe
File created	C:\Windows\SysWOW64\Hdpbking.dll	Eifobe32.exe
File opened for modification	C:\Windows\SysWOW64\Ebockkal.exe	Eqngcc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfaqfh32.exe	Cpdhna32.exe
File opened for modification	C:\Windows\SysWOW64\Cjoilfek.exe	Cgqmpkfg.exe
File opened for modification	C:\Windows\SysWOW64\Dnckki32.exe	Dhgccbhp.exe
File created	C:\Windows\SysWOW64\Gmaonc32.dll	Dhgccbhp.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fhbbcail.exe
File created	C:\Windows\SysWOW64\Blniinac.exe	Bceeqi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdjno32.exe	Bnofaf32.exe
File created	C:\Windows\SysWOW64\Aiheodlg.dll	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Necdin32.dll	Clnehado.exe
File created	C:\Windows\SysWOW64\Ddppmclb.exe	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Gbmiha32.dll	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Fipbhd32.exe	Faijggao.exe
File opened for modification	C:\Windows\SysWOW64\Bkcfjk32.exe	Bhdjno32.exe
File created	C:\Windows\SysWOW64\Cjoilfek.exe	Cgqmpkfg.exe
File created	C:\Windows\SysWOW64\Bdnnjcdh.dll	Eqngcc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdngip32.exe	Caokmd32.exe
File created	C:\Windows\SysWOW64\Eqkjmcmq.exe	Ejabqi32.exe
File opened for modification	C:\Windows\SysWOW64\Dhdfmbjc.exe	Cbjnqh32.exe
File created	C:\Windows\SysWOW64\Dbmkfh32.exe	Dkbbinig.exe
File created	C:\Windows\SysWOW64\Jlpfci32.dll	Dnckki32.exe
File created	C:\Windows\SysWOW64\Eiabmg32.dll	Epcddopf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2068	872	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caokmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjoilfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjnqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbmkfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejabqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blipno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnofaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqmpkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdfmbjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbbinig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbchkime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcfjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddppmclb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epcddopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epeajo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhbbcail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkmdodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkgldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdngip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhiphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnminke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blniinac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppobaeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhklna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfaqfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhhge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgccbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqngcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnpdnho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chggdoee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djoeki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clnehado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceeqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnflae32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhklna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endjeihi.dll"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll"	Cjoilfek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blniinac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necdin32.dll"	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booqgija.dll"	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbmkfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdloip.dll"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdpbking.dll"	Eifobe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blipno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngeogk32.dll"	Bhdjno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qleikgfd.dll"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faijggao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnofaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpdhna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfaqfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnboph.dll"	Ddppmclb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnflae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cppobaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caokmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnflae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomohejp.dll"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopknnaa.dll"	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbchkime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfadkk32.dll"	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejabqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoeff32.dll"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomjld32.dll"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdngip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejabqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fhbbcail.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dangeigl.dll"	Bkcfjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjoilfek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epeajo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhcgajk.dll"	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnckki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddppmclb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfjap32.dll"	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdhna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqmpkfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2676	2372	57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe	30
PID 2372 wrote to memory of 2676	2372	57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe	30
PID 2372 wrote to memory of 2676	2372	57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe	30
PID 2372 wrote to memory of 2676	2372	57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe	30
PID 2676 wrote to memory of 2740	2676	Blipno32.exe	31
PID 2676 wrote to memory of 2740	2676	Blipno32.exe	31
PID 2676 wrote to memory of 2740	2676	Blipno32.exe	31
PID 2676 wrote to memory of 2740	2676	Blipno32.exe	31
PID 2740 wrote to memory of 2092	2740	Bbchkime.exe	32
PID 2740 wrote to memory of 2092	2740	Bbchkime.exe	32
PID 2740 wrote to memory of 2092	2740	Bbchkime.exe	32
PID 2740 wrote to memory of 2092	2740	Bbchkime.exe	32
PID 2092 wrote to memory of 2600	2092	Blkmdodf.exe	33
PID 2092 wrote to memory of 2600	2092	Blkmdodf.exe	33
PID 2092 wrote to memory of 2600	2092	Blkmdodf.exe	33
PID 2092 wrote to memory of 2600	2092	Blkmdodf.exe	33
PID 2600 wrote to memory of 1512	2600	Bceeqi32.exe	34
PID 2600 wrote to memory of 1512	2600	Bceeqi32.exe	34
PID 2600 wrote to memory of 1512	2600	Bceeqi32.exe	34
PID 2600 wrote to memory of 1512	2600	Bceeqi32.exe	34
PID 1512 wrote to memory of 2204	1512	Blniinac.exe	35
PID 1512 wrote to memory of 2204	1512	Blniinac.exe	35
PID 1512 wrote to memory of 2204	1512	Blniinac.exe	35
PID 1512 wrote to memory of 2204	1512	Blniinac.exe	35
PID 2204 wrote to memory of 1076	2204	Bnofaf32.exe	36
PID 2204 wrote to memory of 1076	2204	Bnofaf32.exe	36
PID 2204 wrote to memory of 1076	2204	Bnofaf32.exe	36
PID 2204 wrote to memory of 1076	2204	Bnofaf32.exe	36
PID 1076 wrote to memory of 2948	1076	Bhdjno32.exe	37
PID 1076 wrote to memory of 2948	1076	Bhdjno32.exe	37
PID 1076 wrote to memory of 2948	1076	Bhdjno32.exe	37
PID 1076 wrote to memory of 2948	1076	Bhdjno32.exe	37
PID 2948 wrote to memory of 2308	2948	Bkcfjk32.exe	38
PID 2948 wrote to memory of 2308	2948	Bkcfjk32.exe	38
PID 2948 wrote to memory of 2308	2948	Bkcfjk32.exe	38
PID 2948 wrote to memory of 2308	2948	Bkcfjk32.exe	38
PID 2308 wrote to memory of 1764	2308	Cppobaeb.exe	39
PID 2308 wrote to memory of 1764	2308	Cppobaeb.exe	39
PID 2308 wrote to memory of 1764	2308	Cppobaeb.exe	39
PID 2308 wrote to memory of 1764	2308	Cppobaeb.exe	39
PID 1764 wrote to memory of 2164	1764	Chggdoee.exe	40
PID 1764 wrote to memory of 2164	1764	Chggdoee.exe	40
PID 1764 wrote to memory of 2164	1764	Chggdoee.exe	40
PID 1764 wrote to memory of 2164	1764	Chggdoee.exe	40
PID 2164 wrote to memory of 1372	2164	Caokmd32.exe	41
PID 2164 wrote to memory of 1372	2164	Caokmd32.exe	41
PID 2164 wrote to memory of 1372	2164	Caokmd32.exe	41
PID 2164 wrote to memory of 1372	2164	Caokmd32.exe	41
PID 1372 wrote to memory of 1696	1372	Cdngip32.exe	42
PID 1372 wrote to memory of 1696	1372	Cdngip32.exe	42
PID 1372 wrote to memory of 1696	1372	Cdngip32.exe	42
PID 1372 wrote to memory of 1696	1372	Cdngip32.exe	42
PID 1696 wrote to memory of 2376	1696	Cnflae32.exe	43
PID 1696 wrote to memory of 2376	1696	Cnflae32.exe	43
PID 1696 wrote to memory of 2376	1696	Cnflae32.exe	43
PID 1696 wrote to memory of 2376	1696	Cnflae32.exe	43
PID 2376 wrote to memory of 1904	2376	Cpdhna32.exe	44
PID 2376 wrote to memory of 1904	2376	Cpdhna32.exe	44
PID 2376 wrote to memory of 1904	2376	Cpdhna32.exe	44
PID 2376 wrote to memory of 1904	2376	Cpdhna32.exe	44
PID 1904 wrote to memory of 2100	1904	Cfaqfh32.exe	45
PID 1904 wrote to memory of 2100	1904	Cfaqfh32.exe	45
PID 1904 wrote to memory of 2100	1904	Cfaqfh32.exe	45
PID 1904 wrote to memory of 2100	1904	Cfaqfh32.exe	45

C:\Users\Admin\AppData\Local\Temp\57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe
"C:\Users\Admin\AppData\Local\Temp\57df401098160712e759339f441af6b7c3e7332313f54bfd8818e4c0f224ee8eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\Blipno32.exe
  C:\Windows\system32\Blipno32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\Bbchkime.exe
    C:\Windows\system32\Bbchkime.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\Blkmdodf.exe
      C:\Windows\system32\Blkmdodf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\Bceeqi32.exe
        
        C:\Windows\system32\Bceeqi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Blniinac.exe
        
        C:\Windows\system32\Blniinac.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Bnofaf32.exe
        
        C:\Windows\system32\Bnofaf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Bhdjno32.exe
        
        C:\Windows\system32\Bhdjno32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Bkcfjk32.exe
        
        C:\Windows\system32\Bkcfjk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Cppobaeb.exe
        
        C:\Windows\system32\Cppobaeb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Chggdoee.exe
        
        C:\Windows\system32\Chggdoee.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Caokmd32.exe
        
        C:\Windows\system32\Caokmd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Cdngip32.exe
        
        C:\Windows\system32\Cdngip32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Cnflae32.exe
        
        C:\Windows\system32\Cnflae32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Cpdhna32.exe
        
        C:\Windows\system32\Cpdhna32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Cfaqfh32.exe
        
        C:\Windows\system32\Cfaqfh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Cgqmpkfg.exe
        
        C:\Windows\system32\Cgqmpkfg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Cjoilfek.exe
        
        C:\Windows\system32\Cjoilfek.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Clnehado.exe
        
        C:\Windows\system32\Clnehado.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Cbjnqh32.exe
        
        C:\Windows\system32\Cbjnqh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Dhdfmbjc.exe
        
        C:\Windows\system32\Dhdfmbjc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Dkbbinig.exe
        
        C:\Windows\system32\Dkbbinig.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Dbmkfh32.exe
        
        C:\Windows\system32\Dbmkfh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Dhgccbhp.exe
        
        C:\Windows\system32\Dhgccbhp.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Dhiphb32.exe
        
        C:\Windows\system32\Dhiphb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Ddppmclb.exe
        
        C:\Windows\system32\Ddppmclb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dhklna32.exe
        
        C:\Windows\system32\Dhklna32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Dgnminke.exe
        
        C:\Windows\system32\Dgnminke.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Djoeki32.exe
        
        C:\Windows\system32\Djoeki32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Ejabqi32.exe
        
        C:\Windows\system32\Ejabqi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Eqngcc32.exe
        
        C:\Windows\system32\Eqngcc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Ecnpdnho.exe
        
        C:\Windows\system32\Ecnpdnho.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Epeajo32.exe
        
        C:\Windows\system32\Epeajo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Faijggao.exe
        
        C:\Windows\system32\Faijggao.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Fhbbcail.exe
        
        C:\Windows\system32\Fhbbcail.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 140
        51⤵
        Program crash
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbchkime.exe

Filesize
94KB

MD5
dfacd7baafd1aaaae8d271c195095442

SHA1
73b891fe6933655a5a9d6a124c0011fd86d42442

SHA256
b32472c9dad0419f51ae2bcd827f15c9aa00ff1aa371bb78ee81936578858e53

SHA512
faa56f5552f8e348bf2ab7e9bf0ee6d2e90611eed2405ebf9b4be8f103b19959fd330ca4c6da6a2d7c5c006446bb4f841dc9eed8a79e443491478a188bf824b1

Download Submit
C:\Windows\SysWOW64\Bceeqi32.exe

Filesize
94KB

MD5
8a37e324873e7bf7f5e60db8c08500b3

SHA1
b6d8b4b7da5aaaeb4e862998df4763a978d448f6

SHA256
fad30db7deb247e90df6b3bce16cb1390153fe78c141400fc5ddd164a116e6f3

SHA512
a9f0a30a5ea2e14fc343f317731c18858d2712b9238c588d43dfab2daf1cc5995d4b32b943c55edd34a84555cd51c12ae422578833261ed4b14f230fc2b6206e

Download Submit
C:\Windows\SysWOW64\Bkcfjk32.exe

Filesize
94KB

MD5
b4b1891655e4f01713f86d9f174baab5

SHA1
3e18a5f04511f067bac6404b98c90a10a3cff269

SHA256
278fec2ebafb85c4d23c5fab896c3dd035f368d737d3b68a098507824707c196

SHA512
f224b846f42a560b233314428a191307754640197a2481042e44feaaaee1d9af5a3910daeeb300f3c4837971dd1155d5055915bb27bb7d57ad4ee2657f2ad79b

Download Submit
C:\Windows\SysWOW64\Cbjnqh32.exe

Filesize
94KB

MD5
f481986d4338d8b113fe3fd68bc2f285

SHA1
bd8b94966d2af9439cb899b33ea9150ced4bd55a

SHA256
86c88f05108f2b245137530fee20a6d521aaf894e1ec28a19352ff8c2b789902

SHA512
b01ee842c849b326fbd9169fb118009c7120e7f09f9f8e3b895f15dc3237830928da782fdf2b6d1a6e90978066292fda5580eade5b9cc1ca05f4d60a91dc0640

Download Submit
C:\Windows\SysWOW64\Cgqmpkfg.exe

Filesize
94KB

MD5
b2e02abaca9eadd6f7f8a1091fb4c624

SHA1
2f92eb89ff96fadbc65fbbea6a6cca337feccc22

SHA256
6601e960d5a43f5bef24c8f73642492c8b028b24fbced67925ad3fc384ffc401

SHA512
6fdb7a240f4a55b0f5ef4def74ced7d9b4e3e02e152798ee299dffa5dda7119034e522bbb6e2b893b32ec2f900958b281ac76b809778eb002eed450bfc6c7a4b

Download Submit
C:\Windows\SysWOW64\Cjoilfek.exe

Filesize
94KB

MD5
e027dbd862042cdcf08ff6f8cced6ddc

SHA1
ef25ebbf57dd78233eb51c2e57959e8cf7234e13

SHA256
22dfc38aea07ac3258b111ff9d3b86322e6946d82c142f9dd70d005e9981f259

SHA512
ff978fc6eddbee2a9836af0285861c098b74080687c33b7df5f6dbfee4d52b91ada0c3e4e33b12b825c6b8b0cd2a26cf0aba574740a7c73b1790ef1a9c52bd2b

Download Submit
C:\Windows\SysWOW64\Clnehado.exe

Filesize
94KB

MD5
82cb50a04f134a7f55f766e2b4e2caf5

SHA1
bb1c703f57541b3a094b7f2cc0883686e4fe32c1

SHA256
e694306ca685cf015d8f1dee64cb7ff819f4f373af471d297379d106a1e54046

SHA512
8d30aafa1b63933d569039ed200c75bb850bbd9aee9e785ac450bd7133a742356eaf00508432df750d35e5662ef90de15d1b7c1d00b2ed792b14f2009fdefb8a

Download Submit
C:\Windows\SysWOW64\Cnhhge32.exe

Filesize
94KB

MD5
acd689df729207d20b3665847597a773

SHA1
47dfc765f91f5126e66d93efe7a787c1a2880f61

SHA256
b151a2b9ebcfaff01e7d8d3260f2fe9acdf3e2cedfe63b8ef82bbe07eeda9548

SHA512
989c07f4e139713673b2d3175075e1695a1943066d392f9e5cde2db4767ebd3e18699947c188f6533307393d9d0e414f8e4292c76ee1178df1aa0b6eb6c2a1ac

Download Submit
C:\Windows\SysWOW64\Cpdhna32.exe

Filesize
94KB

MD5
892fc3d87b3b09485767eb62e385e7ab

SHA1
0231c3f6251ac790f38d127d3192085bfce86c21

SHA256
9d166a0fa4b3da953de21e0d7600c8f758f8ab8343b2f421dc22598a2f8f88a3

SHA512
435aab17a0d693688545dc76cccdee8f6472cc11872e42f03783ca9cf46d96b1d4ab46beba7ae92465b93848f4109d8dde066c8106f709f8bd8400cb85ced6e2

Download Submit
C:\Windows\SysWOW64\Dbmkfh32.exe

Filesize
94KB

MD5
183827e42a5dfabf1bfd06d5f253f765

SHA1
ca089561a212980347d23a5748e2b05980d3cde6

SHA256
ee93ac1774c09c02cfa7d7f4fa45198fbd16f6da64787c0ce385234621935b91

SHA512
bd5eb003c4f7ba1802ea230430706c6a8fd4853dce84d33cb2c2c115c281790371181e92dfbf4ff70c001a37ebdf075fcf87f4d3c5346a9f8841902365e3b08e

Download Submit
C:\Windows\SysWOW64\Ddppmclb.exe

Filesize
94KB

MD5
7f245e3e6f9089227b75727eecb67158

SHA1
0e93abff4517c97c62f998ad7ebeac85b89bafc6

SHA256
a04dcfcf81c8cd89eb93a55191058aee33bcf0b3ace2422dae07df6cf0a2e8e5

SHA512
4f8860b5447a274df76eae14cd5e3e5f3590aaf20be41b07c4ddbe6654d9c9033e31f279c5b0bbb6883fb9388533fd1f3dfdd44530e9e74cab315a5eea534007

Download Submit
C:\Windows\SysWOW64\Dgnminke.exe

Filesize
94KB

MD5
68e3a81e7fd25f6be28c77663efc59a9

SHA1
c09e6da77a09c3655fecdb42fe8a1cb05b55c156

SHA256
86739eb9d0180742cd4e34bb2e12f2dd999c9bf00d3a79e2945b55fd622044be

SHA512
af4f0778d9a71880b5e066d2248a4133c2244fec2680a0f15ac22710f88c95aceea93c8c1c8b460f5bfaf742a11562279e74d6b24d2523df194f983998be3403

Download Submit
C:\Windows\SysWOW64\Dhdfmbjc.exe

Filesize
94KB

MD5
84f821d3d165c7484b915f3ccd6760bb

SHA1
2e46ae3828255ae252468ce5454cf8e759d093b3

SHA256
9a62ce2ed8f23bb60177894de4437343d2b1a116558bdbe1e7eaf9c7e693dfc1

SHA512
b7bc9aa5de15e2bb6c65a509e53ebc0f7a704728e047d003b0e96add96a20466da61e95edaccd02176bb2f33add7dfbf54848cfbf8f5368f567958e24e469254

Download Submit
C:\Windows\SysWOW64\Dhgccbhp.exe

Filesize
94KB

MD5
f246e3eb73bd8068ccc49d456b4fd2e0

SHA1
11db34e13fc77abec99e6b82500b87e8db1a9a8e

SHA256
13df829189577de3060c5338a45b6a8f5d63f3c3b9cb99d39172d2dd9bde152b

SHA512
1e5d3309c3091c4f1aaa0def0af4c6c88b3c04f38df7032e4f115e27d233db3049752db89b40add1d8a9a5c8633b217b70f70be837b6d01f43ae1781beefa0c1

Download Submit
C:\Windows\SysWOW64\Dhiphb32.exe

Filesize
94KB

MD5
844ef8b2391e0e15f08135ef1eb7dbbe

SHA1
5f5a318d41a6f1e36b167e8ae7f88264bff73ae2

SHA256
ade3f01b370ea31de40a916d39deebbdbad06ce30d6ff5256be057f7ca2d8725

SHA512
0c00ebaedb92793f9c6da715046e0cd5ad305e204a9bfd34ed7f80f410cd1766bfe45be4d00aac24c0d70fa26af2d2ec538dfc084a65160cf6b9f941433c319a

Download Submit
C:\Windows\SysWOW64\Dhklna32.exe

Filesize
94KB

MD5
6dbb8a38dae7a0458e9e3c792b8075b4

SHA1
70cf25d695f31f60bb30de12aa09d2eb472eb7e7

SHA256
38ad112e19d2967ccfd0109d0052799b5164e992575b05bf0255e5cf4d23a8bf

SHA512
684348fad6a379ff247408805bd39dfd561efa01820b024fddbae78e148115a75055b7615fa12d3538420af4f250f0723337511a0d714a6c0002f69caf45a266

Download Submit
C:\Windows\SysWOW64\Djoeki32.exe

Filesize
94KB

MD5
b689c6797ccfc41ec9184c23a7a633b7

SHA1
90bff7cf7517c2303b74ca47339c3da3f6f9f598

SHA256
bee50d5228f6c1d3a6e87804a883facb14390982610912d073478d4ceccd7b91

SHA512
f0d28e1b391c0d5c1285ac2e4eefec1ff0eda3476c3d739a9292d6ebbbea73364cdd60bee9c24a3c33b253d3821e4e43d70fc54d19aa6d4d04a3df65b62cfa48

Download Submit
C:\Windows\SysWOW64\Dkbbinig.exe

Filesize
94KB

MD5
9eca2fba213a5aee0eeaa51db1df8a1f

SHA1
027c5f08f94f0c03770b4e64b18737b26ff4a630

SHA256
39faec28dfca9e6a431917910d908c7d9b88e93e6ab185d97418bc431342982e

SHA512
90abe5da5626562e156680fb7be6d4a18388074c4ba582f37c292093bd098bd8aec57e8dd489f81968c8203bda87b68a2f31754f485e3354b53775279cca7e7c

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
94KB

MD5
c451d0647502041b8769342fabfaadcf

SHA1
3a4b208ddbbce4b123e17e80ef19ac010d4bbc19

SHA256
4abac4335120df6726380375f996a88b08c8830ce0a9cc17007c676f938f19ec

SHA512
cd588ce43ccda58e5ace98b97625b227acb97b8f73a681463128c66d2d32ff718cf5dead5a94f38c49c4b919e40809378083e5091592dc9f6d8fd48be51b26b6

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
94KB

MD5
0571b08454b2188802ac94f5920fe86c

SHA1
26d4d5b59726365a7752116b487fb3240dfccc78

SHA256
c3cc6d912be55413a2a82792ea833f5a7434e2de567f9f9cfa84760308b1fb44

SHA512
b6f2b4d0fad58aa2d0248905d2a314279b632cfd09e995ff3b61b38af507b02755bd2906278678053f6c1b891997dbf456ef300d085d3b41ee8521428a6e76e4

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
94KB

MD5
237f2ea2eca968597dac86ddcd65e315

SHA1
0b688a909c5f5e72652bc70135442048e46dff76

SHA256
4e3782a9227b4b0b3aa314f301e9eb07fcffeabce028a3a5f9c82b58751bdffc

SHA512
2f304350527d2834ca00afe003da5c33d6699ad2e78b3aaa1d9913f513d105d37a593b4646a58e0200e8fd1f9fa5647881f7eb5655edc6e1fd4a50c6b0df03dc

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
94KB

MD5
ca46ee50a5c24ca1e1166449b2e38e03

SHA1
a27835f8bbb1ef0e5a1850090d32f0307f1fad60

SHA256
0fecb45b0f36757ba3e7c4678d01007c38a70b50f53c87180be65cd9b9bea394

SHA512
e6b9e10a1c1e922d412fff4eebae708b6b75b84288f11733e4e713cf986559f5e0fb4b7adfc1f37babbbc63aea08d6fc553fff46db42a34de5a0d76bc780c1c0

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
94KB

MD5
ddbff37eafc1adddb39a1fbe9b776498

SHA1
6d87caf98150f37f028b86707e8391b34e47e7f2

SHA256
d0759e942796fd895dc91c8d1fec56047c13b1ec7cdfa0dff28b28040f1bcd5e

SHA512
00ad837509282e904bd793144e36f0e3a5267aa24e222029f43211c520318b597fc0a7de87f00883562151119258e150bd0e8e8ba0c2356ed42d14dda878e910

Download Submit
C:\Windows\SysWOW64\Ebockkal.exe

Filesize
94KB

MD5
4552f99655df9b398d8e326b1fbecfae

SHA1
3479d8cbf2dc36c77128a607972da396c7765fd2

SHA256
04204639ba8b8a47d309184328bbb2382d286685f703775beb294720af4bd3e2

SHA512
da24617246f975a5472f038966b53ce3897271ab56412f995b33cc48f63078785ac87e6d5a9c027f9cbd4b2d63ef5b31c8c1b541316b251c1f31be366c60abee

Download Submit
C:\Windows\SysWOW64\Ecnpdnho.exe

Filesize
94KB

MD5
be601617b3b46b96e189421de66790a1

SHA1
b20440141e57ebc1089a4a52823b5568355c868e

SHA256
e8fff5f459eb4c13afe431303c6d1316f48ede3d4ca0b0526bf420719c2f6f5d

SHA512
966cf9dce9a7fb2867a71bfd817aa0ec461139d5fe78d71a082b2cf6e1f2ccdc9b4d2ebd043529cd0081a438e0d3b051993f082d7d7a72da162a67285e89bbe0

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
94KB

MD5
fed4f81aa2f5437dfd1476987a88f8b9

SHA1
b2e4d4d9fcbede58ff30e8073a04f28aacec034b

SHA256
a05b4621a98f91ca71f7c2041c65b9303ad240e1d85113bbc7e106591b8dd3a4

SHA512
10559d0686198b577454e85f96de996a61f60090e8e33298fec6994c50f09e62b4afebf3bb0b92129e1393b1c5ebc068db267f8d2a9fd7904bac20e50d3d8d30

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
94KB

MD5
9cf38d2b8cecc84e58e7911eea698c59

SHA1
e2bcf9cd6fba31520c16d01df2b34fcb3d48f32e

SHA256
4553aea3dab292ccc3f7d44f57e9626ceb268aa104f803271c2437266f3550c6

SHA512
9e3dbaa259a9fd08d18cb205717f3d1805a42f912b2632e06ab037f6b6d3d44f99b0e60154810d76f526a3c24fb2e439686f9f15b4c122e494efbf5a79b9197f

Download Submit
C:\Windows\SysWOW64\Ejabqi32.exe

Filesize
94KB

MD5
a10926d52c0bbb4474ac67497749f2ba

SHA1
30c9326c9073d0c5814d5a7f18abfc7c6824b573

SHA256
c2d5931fcecbd90288bebe28251ebf3d668bab3d0519a04490f2da63896776a5

SHA512
24a875ce44ba00366b25f3439c99438b29e15ee393d551be692297ae28d5678fc37fc41a25549704e3222ca0f63c0dce3a8dedceb0357ef89d0b94a904e4b9bf

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
94KB

MD5
1f0a4dc82b892a4f6495bc996abc9327

SHA1
9561905acbd8730c38af31d5f0ae573ed18865c2

SHA256
143290ff35e909efb21a25db1044e51d3f6a65722bee191978f8c758af9e0ca3

SHA512
a79766e10c80c8a315cad884164a7e4cd74990908537f16f9a58e17b4c65d34d03bf828873a3074e0e5963e1d7f7b99c8093a65ee421733a14543778a15e7061

Download Submit
C:\Windows\SysWOW64\Epeajo32.exe

Filesize
94KB

MD5
33767c64e8c5c0dbcfb1fdc26b084f6a

SHA1
d07f9539dd26c5b989c983e8116dbc13331f89e2

SHA256
502046986e4a30389ba2fdc196f074c90888650c83098a3c6b3c08b383379a12

SHA512
f33d549140d861bbab0059b23f481ddcce93ce05d7cff1dfbfe988c5f02713c115156ad43c13656731ee5c4557043189a7ddb0ce7f060a0056afb52a66d3068f

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
94KB

MD5
a0bc3480a04b3cc7dabc8280ad19abd6

SHA1
74bb9f09695e83f7d962c097080c889f91e1af1b

SHA256
0c5e7aa79029dd5f186d5eae40a5e044fd569c5cc75e7c570cc4691e0ed9a084

SHA512
b5548b3897d7f9072d139da464fd5dc8726fedcbc35a25ff1629d475e68d44088fc447dc951ea77f402f391061cb90b718144d56ff498a9e17113ed5550371b9

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
94KB

MD5
68c7fc671c9fd2648356b8ed96561d87

SHA1
7b24e1a3b2929a5ff25a7c65e270dad05d6e361e

SHA256
8ea377b3f64e5d22415a0376b77345acbc14e7bf6a9e017ee48e62c7ca4de88a

SHA512
4d45f0086aada82faa515abc49516baae576d9298d76897df589313b74b633dfe95c93fa4974604f26d0207dd9a8c75c93907abef49cd180d24d2047acf65ce5

Download Submit
C:\Windows\SysWOW64\Eqngcc32.exe

Filesize
94KB

MD5
fee35f7346dfed6b97f5ddaf474918d4

SHA1
b6b56fbb41c64f54c1c27569be5825d5722e50fb

SHA256
a909f08809097642a693844ee895602e7cf2b4e1944a29b15f3daea0f934df82

SHA512
d6675e7be1f93316a2b68c565b5c89417d84208a500437b0a443724d9db3a7ae73cde821116901522c1fd9d98d861a77be09e379d7903a82b18e9bf183e1bcd6

Download Submit
C:\Windows\SysWOW64\Faijggao.exe

Filesize
94KB

MD5
4e25e1846d849e4ef3796c53295a5a76

SHA1
b13c6ab8b77775cf3cb773ad88fb75a1ee5aae4a

SHA256
dc3c939859ba9993a95df57d48cc5aba39dcd70387fef8c1d89bf6cca350da40

SHA512
640cfcb2c90eb504af538f2fff4e29d6d495340dd96bb9e5289d79c7bb0fb950f0f888d2d327918bd56e5bfe8c0f29d10722805b51c677f0f7092e4ebf8e89e8

Download Submit
C:\Windows\SysWOW64\Fhbbcail.exe

Filesize
94KB

MD5
4310c055c678f4d00afb0548c78c2a83

SHA1
d4544b0c2877cd0b8db8165c5eb3f58dba70a073

SHA256
03c44116399f01f42ba780f1998bb144adaf9820d561256efadb6ab698eaace8

SHA512
46e84b8fe84770688221ecd8a5e351274457cdd1d09b8b57bf68b8d89416cdb5b45d3ebf2c5fe60495aba00184752e65c755634f9f8fbb5d73b32e0d2eeb7e8d

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
94KB

MD5
82ce3fd5c72c715c7af5c123719e64de

SHA1
434c1392cd69f54d9b1b53f10bd9f671c7119591

SHA256
f6338e6d52fe3be27861f25daca5ad98b51408644f79ad98188e72862f52308a

SHA512
4e8819461c3e21d2e4010dbfc0853a61d78b17d2bd3f941f91e0abdbade933e98dd32c3b4284411e6701d211717633444fc22e38e89e6e8d5bdb7113f4939f1d

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
94KB

MD5
99ad635ed04169e93bcb2cb169a954ba

SHA1
229a65aa83e349dbf5ade9592ca1a6e33cc127d9

SHA256
d7a94cb455dcbe426a4248f811f2813ac41f22d3dbcfe68ddeacd861d6ae42d6

SHA512
c670cba6d54b47d1bc97d57fdcb089394e14bbbd02ffe3a9c3dae16eb92d0f09391876439912a5ca289f08436e46ce731ddbf67549fa8543c86e76cc8d4a0fd3

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
94KB

MD5
70fa3c38e38f09d08dd9560a08178282

SHA1
786ae6324a89c41c125b430867025e33b9d4451e

SHA256
e27cfac56c6a493da7c2e2da72cafd7f0bd4880a86a3cd70fec508acb5110f94

SHA512
28adda34fbf8040db6cc5a427fe549c534ad95b582aed6eea38ee01876b7e68b5c73ec00a338e14e342dcc927ee0c57b9097e455650385666f8f169a954a610b

Download Submit
\Windows\SysWOW64\Bhdjno32.exe

Filesize
94KB

MD5
ec293081d6a380e8e6901147c59030a0

SHA1
85205db0e27a4ee3df4fd4d65a6a899457d59865

SHA256
989bad27606c153c5ebc690e88f6378abb74badf5373c239e3ff316ac4603932

SHA512
761a862a74b5b05934f9a58025681628cd0fdb7ce35405d499cae47568db32ded4d6f3ae82362a7c4a95628a8f7b659679d52e2ebf99154e1da354456353357d

Download Submit
\Windows\SysWOW64\Blipno32.exe

Filesize
94KB

MD5
89877f6f4b01e9d7929dbac8897fdc5e

SHA1
5635a5ce1d6660d012f46c722500e95e84bd2936

SHA256
9b17849c143c81b679886e2a5a35a47c6019524e87b0316c991ab9bf846f51fe

SHA512
88d89e7f540722caa3dc479a5770569ed3138aa808b4c05ba3a3751487d51f9774debedd40ccd7bd8d742fa3da574faa7fcfb46a5cd1704d47b727089667ccbb

Download Submit
\Windows\SysWOW64\Blkmdodf.exe

Filesize
94KB

MD5
ea9cd2a4a792e6ece80bd350e0c83368

SHA1
9781376ab51528a82f587d99a67c2aa57625861c

SHA256
52322ff6e9cf56ac93296b95e6a50dd770e0a64f4a8617bf3554d2b9634878ff

SHA512
34c7c66a1fc2ff6199092b2435f925f780c6df38743f60d07e28ba1654ebe8ffe735d1ff85c8df84eb496aa713f0d3847159c25ac045eac2fc675a8f73d36eb8

Download Submit
\Windows\SysWOW64\Blniinac.exe

Filesize
94KB

MD5
f3b2880e2dad6b1b84b4eeb7b3a9c9b1

SHA1
d755b6eec15b434fdbd7077153a229704f387b7d

SHA256
514447170d1fa9025132c611cbbb68fdaa7aee49be3cb503567427aee0d9aa9e

SHA512
4d27a88ba8b269f6f5a1dd2b13deb2ac7dc2397b5e34c9bc86cdb49ec695661b37b7f857cce19538569df93afd51d24095c04c3ad801220f7743e7ce47b9650c

Download Submit
\Windows\SysWOW64\Bnofaf32.exe

Filesize
94KB

MD5
3d0e2200642106f30e0b158c6cab4ff4

SHA1
2248689c2ffa7373ba4e057c60bd22c3aece675d

SHA256
a1b85bda032a6632e043f19fc7961d0f0de14c1a2fc79036fe07c6b3ba8389cd

SHA512
691d60c5db50d8937e94b756e2ac4234893667a7becdca135621989e1e9991167f32719ca725b5737ecfd686c6f2e88ef9aa4580f4fb7b2c06117c7a45186eb9

Download Submit
\Windows\SysWOW64\Caokmd32.exe

Filesize
94KB

MD5
7347801c108ca362d7aa78cb5c9146f4

SHA1
cea9a87f41b43156682751864f46a95875cf3c83

SHA256
5e613791e5bc3b0fc92825e9c162400d575b9bc4eff649555d7d527ee1b7013a

SHA512
191d629b2431cc9504392fcd15f39270e2a4d88c2f34bbfe60915ad5781fcf09133d99c3f378f91ff22ff6704b42aad4856edf40d4410fd7a2e17764739383f2

Download Submit
\Windows\SysWOW64\Cdngip32.exe

Filesize
94KB

MD5
d0dbcc88267d98d690e91beef0640cf4

SHA1
2af8f94457f37e02c767bfe18a81ed2cce9397fd

SHA256
cc41ee9dc4aaa6c81662283d237066b476c15e7958a4a3ab7d8a3cd5566d0499

SHA512
b9b4b905f29e19d6d1101e8e7385348201444d601686e3d9ba00b24a51202173913c3c3e95a015288839227c7df7854cb89865e1791a69138a5fe8ca1988282e

Download Submit
\Windows\SysWOW64\Cfaqfh32.exe

Filesize
94KB

MD5
eec0c38adcab84d8f2b8683cc9c4577a

SHA1
80181e533b93cd6984242161596fec65aec7ae68

SHA256
d84d26b5da6f48d4d34ecb2656e18ee6bf86b8d694672b0b81261c7349899fab

SHA512
8ea29c809b79bf3cb1307480edf01b59ea8230e2389524c381a46bfa1b93147d1d556d7424c0ef9d9902d3b815ddb9ddb5aa5b0cfc8446453ac11cf61e3b2b48

Download Submit
\Windows\SysWOW64\Chggdoee.exe

Filesize
94KB

MD5
3de4186acd41366ecb858247d5b29a79

SHA1
4ceda49816a34d0fa2321ec19d298ffb09576dfa

SHA256
a3facacf6db576bf2aae57796f55ff09faab9291e632077dcd985484b57647f2

SHA512
60e496a31990291eb33f322299987ec5f0bdf7c9c227ea838d387f8f160773ad01d9a48691c5448689d550ab62a940a733b86307cda6d8f69b2776404a42e20c

Download Submit
\Windows\SysWOW64\Cnflae32.exe

Filesize
94KB

MD5
62dbf08fed5239dd7bb993fb7650a583

SHA1
9e9978b3491b477f3c00fb16e94825a67cbf83d2

SHA256
fb13908d3ca1c3cd8e51f38ba5ea2a1bddf6e8565cd44e3ce4a375d573f6bddc

SHA512
e80a7cff8cd123c2c01826687b07aa5a5c44bf81b74d55bfeeaa3d5699690bec94b3956c78e1c5a0ebb26093d86cc337e5883049bc977a3f7e3594f6a79eafb9

Download Submit
\Windows\SysWOW64\Cppobaeb.exe

Filesize
94KB

MD5
b73613f155e7d422a9e0290d06fe8058

SHA1
211f13ccb45588c29ab7860a6e80aa1653e2faca

SHA256
4c7fd3e90974d2b6f52dc066d70e7cb5a17570638ada49eee0a0111c321d0b30

SHA512
45fc5392f7dd79dc26312cc67ef853cdafbb82163488228720c23144402f64bd033ff29f4b1dd0f5af7703ccbd71e00263be8765e6f7fac35872cd1773a5518a

Download Submit
memory/344-316-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/344-315-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/536-446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-240-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/948-234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-103-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1096-510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1100-230-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1100-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1372-464-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1372-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-259-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1536-263-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1696-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-145-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1764-146-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1764-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1828-509-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/1828-508-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/1828-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-274-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1928-270-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1928-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-253-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1940-249-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2092-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-220-0x0000000000340000-0x000000000037E000-memory.dmp

Filesize
248KB

Download
memory/2100-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-78-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-85-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2264-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-434-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-435-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2356-466-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2356-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-12-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2372-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2376-488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2376-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2488-280-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2488-284-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2500-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-294-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2500-295-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2508-302-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2508-296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-306-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2596-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2596-362-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2596-361-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2600-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-383-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2600-59-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2616-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2680-336-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2680-337-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2700-327-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2700-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-322-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2740-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-34-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2740-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-350-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2820-349-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2856-414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-385-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-113-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2948-118-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2948-433-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2948-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-476-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2956-477-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2956-471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2980-404-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads