berbew | b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963a

Analysis

max time kernel
95s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
Size

371KB
MD5

dfaffcb9113c333b2d793abd5dd55a80
SHA1

cc51e3a5fb5f87b057522448fbc8101e2e403018
SHA256

b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963a
SHA512

562cfe3065765b9f52c1d7776186c71dc4f15d679a55a67529efc8e1dcc06d8b196ae66330a6094a49c70fba768533235fe26cd91b2d816d467fcd7be60d2cdb
SSDEEP

3072:wJTdCPswC0oUIephbRdIu6dNeXZs+XBL+FhVukEB0pwGvJe2VTBpifm3FKCE:rsvArN+NQs+RLOhSiix

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 39 IoCs

pid	Process
2752	Qcgffqei.exe
3012	Ajanck32.exe
3436	Adgbpc32.exe
4948	Ajckij32.exe
3220	Aclpap32.exe
3124	Anadoi32.exe
3048	Agjhgngj.exe
628	Ajhddjfn.exe
3356	Aeniabfd.exe
336	Anfmjhmd.exe
548	Bnhjohkb.exe
2132	Bjokdipf.exe
1504	Bgcknmop.exe
512	Bmpcfdmg.exe
5020	Bgehcmmm.exe
4636	Bmbplc32.exe
1100	Bclhhnca.exe
1636	Bfkedibe.exe
848	Bmemac32.exe
3092	Cfmajipb.exe
4752	Cndikf32.exe
3204	Chmndlge.exe
2448	Ceqnmpfo.exe
3836	Cagobalc.exe
1284	Cjpckf32.exe
3136	Cdhhdlid.exe
2152	Calhnpgn.exe
4664	Dfiafg32.exe
4504	Danecp32.exe
892	Dhhnpjmh.exe
4892	Dmefhako.exe
1112	Dkifae32.exe
2120	Ddakjkqi.exe
3028	Dfpgffpm.exe
2396	Dkkcge32.exe
3216	Daekdooc.exe
3528	Dddhpjof.exe
3364	Dknpmdfc.exe
3188	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Adgbpc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3576	3188	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2752	4476	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe	82
PID 4476 wrote to memory of 2752	4476	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe	82
PID 4476 wrote to memory of 2752	4476	b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe	82
PID 2752 wrote to memory of 3012	2752	Qcgffqei.exe	83
PID 2752 wrote to memory of 3012	2752	Qcgffqei.exe	83
PID 2752 wrote to memory of 3012	2752	Qcgffqei.exe	83
PID 3012 wrote to memory of 3436	3012	Ajanck32.exe	84
PID 3012 wrote to memory of 3436	3012	Ajanck32.exe	84
PID 3012 wrote to memory of 3436	3012	Ajanck32.exe	84
PID 3436 wrote to memory of 4948	3436	Adgbpc32.exe	85
PID 3436 wrote to memory of 4948	3436	Adgbpc32.exe	85
PID 3436 wrote to memory of 4948	3436	Adgbpc32.exe	85
PID 4948 wrote to memory of 3220	4948	Ajckij32.exe	86
PID 4948 wrote to memory of 3220	4948	Ajckij32.exe	86
PID 4948 wrote to memory of 3220	4948	Ajckij32.exe	86
PID 3220 wrote to memory of 3124	3220	Aclpap32.exe	87
PID 3220 wrote to memory of 3124	3220	Aclpap32.exe	87
PID 3220 wrote to memory of 3124	3220	Aclpap32.exe	87
PID 3124 wrote to memory of 3048	3124	Anadoi32.exe	88
PID 3124 wrote to memory of 3048	3124	Anadoi32.exe	88
PID 3124 wrote to memory of 3048	3124	Anadoi32.exe	88
PID 3048 wrote to memory of 628	3048	Agjhgngj.exe	89
PID 3048 wrote to memory of 628	3048	Agjhgngj.exe	89
PID 3048 wrote to memory of 628	3048	Agjhgngj.exe	89
PID 628 wrote to memory of 3356	628	Ajhddjfn.exe	90
PID 628 wrote to memory of 3356	628	Ajhddjfn.exe	90
PID 628 wrote to memory of 3356	628	Ajhddjfn.exe	90
PID 3356 wrote to memory of 336	3356	Aeniabfd.exe	91
PID 3356 wrote to memory of 336	3356	Aeniabfd.exe	91
PID 3356 wrote to memory of 336	3356	Aeniabfd.exe	91
PID 336 wrote to memory of 548	336	Anfmjhmd.exe	92
PID 336 wrote to memory of 548	336	Anfmjhmd.exe	92
PID 336 wrote to memory of 548	336	Anfmjhmd.exe	92
PID 548 wrote to memory of 2132	548	Bnhjohkb.exe	93
PID 548 wrote to memory of 2132	548	Bnhjohkb.exe	93
PID 548 wrote to memory of 2132	548	Bnhjohkb.exe	93
PID 2132 wrote to memory of 1504	2132	Bjokdipf.exe	94
PID 2132 wrote to memory of 1504	2132	Bjokdipf.exe	94
PID 2132 wrote to memory of 1504	2132	Bjokdipf.exe	94
PID 1504 wrote to memory of 512	1504	Bgcknmop.exe	95
PID 1504 wrote to memory of 512	1504	Bgcknmop.exe	95
PID 1504 wrote to memory of 512	1504	Bgcknmop.exe	95
PID 512 wrote to memory of 5020	512	Bmpcfdmg.exe	96
PID 512 wrote to memory of 5020	512	Bmpcfdmg.exe	96
PID 512 wrote to memory of 5020	512	Bmpcfdmg.exe	96
PID 5020 wrote to memory of 4636	5020	Bgehcmmm.exe	97
PID 5020 wrote to memory of 4636	5020	Bgehcmmm.exe	97
PID 5020 wrote to memory of 4636	5020	Bgehcmmm.exe	97
PID 4636 wrote to memory of 1100	4636	Bmbplc32.exe	98
PID 4636 wrote to memory of 1100	4636	Bmbplc32.exe	98
PID 4636 wrote to memory of 1100	4636	Bmbplc32.exe	98
PID 1100 wrote to memory of 1636	1100	Bclhhnca.exe	99
PID 1100 wrote to memory of 1636	1100	Bclhhnca.exe	99
PID 1100 wrote to memory of 1636	1100	Bclhhnca.exe	99
PID 1636 wrote to memory of 848	1636	Bfkedibe.exe	100
PID 1636 wrote to memory of 848	1636	Bfkedibe.exe	100
PID 1636 wrote to memory of 848	1636	Bfkedibe.exe	100
PID 848 wrote to memory of 3092	848	Bmemac32.exe	101
PID 848 wrote to memory of 3092	848	Bmemac32.exe	101
PID 848 wrote to memory of 3092	848	Bmemac32.exe	101
PID 3092 wrote to memory of 4752	3092	Cfmajipb.exe	102
PID 3092 wrote to memory of 4752	3092	Cfmajipb.exe	102
PID 3092 wrote to memory of 4752	3092	Cfmajipb.exe	102
PID 4752 wrote to memory of 3204	4752	Cndikf32.exe	103

C:\Users\Admin\AppData\Local\Temp\b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe
"C:\Users\Admin\AppData\Local\Temp\b5ead3a1c05c0cbdfe761899172d9ad371e55f3b6d305ac7197837111ba2963aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\Qcgffqei.exe
  C:\Windows\system32\Qcgffqei.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\Ajanck32.exe
    C:\Windows\system32\Ajanck32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\Adgbpc32.exe
      C:\Windows\system32\Adgbpc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 408
        41⤵
        Program crash
        
        PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3188 -ip 3188
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
371KB

MD5
a5863b27050bee0240bdef8031560e26

SHA1
3f5474506c63d99ed17ecf6fb284984beb60b6f8

SHA256
8fb83e77274004cf43ffebe8931bce4b19f496589ead030243b8eb80ade14047

SHA512
dd89469e4106a270ba37855912fd0531c864f39a37b03b63c1e13f02c10622903f1810d7d4a1bef29735fc526d5abf29b663b1baa718a5e8ff8eec2cb0f24ae6

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
371KB

MD5
896c36b64544801092a341c4e35d47ff

SHA1
c236d5f94b3a7721d530435d481270252a1de949

SHA256
6c38ea0f8ec3f2dc546964f27ddfc9d5e36826768ddc0a652780134bbd0da09c

SHA512
5c66c8bf5bcfcd1c4ad7a16b8bbdd68e366624b365cc1da27e0c0a6fc6cb57acc5c588a754bab63e8a5eee6516b24a16c01d7db59c99e3e8cccc170f9d6ba1f0

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
371KB

MD5
3b2862103b782656d2ce377e0765fef4

SHA1
173116d7fcb50523d6e2c8c6a155f9582f19bbb1

SHA256
8654de92e0a73f7401547425d8aaf4fa7a914cf0cd724c0278b3217f41562bc9

SHA512
19a780b3f6e955bf38ae9034406d10ab7151d685336f55c65c951fd7e3db43cfc681d0d41c6a83d6aa62eb87f2bae348574f642131d4db85535732e2808e0764

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
371KB

MD5
0bf1278f9237c6251d3b3c51e41d3b7f

SHA1
16f70a01a679ea0a88e74f33e2a4aea50aae33fb

SHA256
1da91ddcaffbc8f890521efb33ce467839d7f0f76dcc2ca4045327111c84007e

SHA512
8db95cc93af32f6ac22518b573f3b3a4cf20005f9d8f51b9a134559d5cb4649f98d169ed50185fd330bec2550fd3f2c4aa4c657deec4e63dced999715694ae8b

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
371KB

MD5
b3fca2d8b2cb445560bc72e513e0f83f

SHA1
6b055dec2b6ae1742f6a86229a7c181fb44efe39

SHA256
7e62274482708596dc2d3b5e7222c9b95a5f53c05eae1184967493dec75d2bd1

SHA512
89c93dde5d9495801e0b1a758b1e3ba2754281ffa71e57aa195dcf9bb31c8b9c625fd42f8051124b54fd11705f3ee609ff3493682392228bdf6d8984d52487df

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
371KB

MD5
d0c5d97f956aa31a4c63624849528c36

SHA1
1a7fb6dbc1caf87889746e3fabc357cd874fb683

SHA256
1f3ca975a22e124990383973ea8e61c93bd1fddeeb44b9d1cb418ce47fc88c4a

SHA512
44073084e175fb1e628684e0bfd4209392b4fd10e2560bd75832576f8f66db5da1488cadf08bd7592d812044db314cb78374a78464af918fbe4518d84b31a9e6

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
371KB

MD5
9e35211d467621fadaa818d07580eb79

SHA1
eb4c7584a2b04a99a0e3146f04b97877190d2138

SHA256
2751ab19c771b0425f6ec50639fe6eb1cb2c4b66b1fbe62592da476cb1431cad

SHA512
97caddf3ada2aed988b42268df8b65cefda54ae076a467ce2ff1f2f3c2026ca244b543dbd73628dc0fed9d6a7a00581950c54ff672c834bbbcb26a5ae4cd8c29

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
371KB

MD5
104e402219ca8aab2904e6a7b93919fc

SHA1
5fec22cf812a84021684f919ea2addd3ab58c5f7

SHA256
0e281045a1efcaf75feabf7f0b98f0fbf6288556aa7171d1a2db1ead71127c63

SHA512
8994e29748c8921a8f16a19088de88bac399bef7bc1db97879102c51c3268c2196b1325b43fc8a0d04bc83fcf666e55effaaae26e3b692e5b75a20913cdd218b

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
371KB

MD5
b53b04522a845be8c05225a291c70f14

SHA1
5546f339dbea8df1a6c2b1e10252e043628d8725

SHA256
e5cf1151fefcd6ef9804178d04c9eddc76ededcfde5c1761fd455f26f804555f

SHA512
605b6e44180889e4f9d32026889a1f404fb5e8784f14368826ec86c806096d92a2a91ea580956a2a1e22eb02f3f9ca0eb603e8e1ba20b0d5bd088ae327ffcecd

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
371KB

MD5
7d4f7eee91f0f6c1df31b716e1aa0ef0

SHA1
6c7823eb0ba3db0dcfa94d9abd1abe718177ed73

SHA256
2db513ff728d01f307a080f972f00f78f29556280af7cbd68ca8cbaf61c038ed

SHA512
bd8b5e6d3e3ddaac7e222f3510074e368e1161cbd0985d9523d66562aa25e83367feeb19f41ecf48377ef4c64539355f895247938c9efc28051c490aff8c5763

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
371KB

MD5
542c4e81735003669798a6ae624c2d9e

SHA1
8396f50b3024c076503f79cc296166398fd3d394

SHA256
89646e139b240a539f670730230902500ff4c72c44a4e01e0068a2a3f143f8be

SHA512
1e517bc1d03b0c6712bbfbb4981775db19f1e03b8f911f2d6203e3ee74faa65c3a7682e675cb1ce29b874d3d028d44e2c090130994025c2ddabd052230a2d712

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
371KB

MD5
67da0a392e3a81135ad2a5e5653bf3cc

SHA1
c2888a4c5db49fbc2dd65a90323a0b93ee9dce23

SHA256
fbd007dacdd3322e167a3020b4e1b148549bbd518ca360899f165767de0210b1

SHA512
8e75a5e4c635df9e8454af5a9b829371cf904d9de93bddab1a1a52bdcae2b7422117419a879de3342787f8652bc472c008a918beddf0334892c39f5cb087eda7

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
371KB

MD5
dae9916934f3f42860ebf6750daa27d2

SHA1
08d69cc1bc5cfad43fcda835b585f316fab13592

SHA256
5f517cad8bedbe9597ba058432fbc6394d8acacfd0a3b69474f31fc9c1923db4

SHA512
f6428b35193df6c798592dde05598ae02a87065c362c871afd2ff4a1b8faf4a96dfaeebfc4acbf4994dfc74de191cea35d6debbcb853713eabcae891bd91eb0d

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
371KB

MD5
34b76a3ba95d55645be5724e29e53502

SHA1
0dff113107ea2ca880b7417ab1bc47deece0deab

SHA256
5f2d98fcb772726308726c6d82d6df619de5a3b22a8326f03cfc4772aa65967d

SHA512
76d350e5e46cd45203c506672ad9c20a6f50068dde06f380ec42d6c60ddbaf0d3586cfd27bc1a94652b0e49982905b38e1ea5f102f424d6a26a953cc5355f860

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
371KB

MD5
34b609e8e91a3eec789dec2830f4906e

SHA1
d1f4e6be91eddfdfc76e10fe4b99b613833742fc

SHA256
fd3ae01ba8e4acaf66c6a24f3ef126c8d8a2892761b7fdcf548b1ee29b5e05d9

SHA512
0fa5093604a4d976a984d2a03fa0eb967b4eba7770c045f08e585411c329f312e35a81459dcb32ca73440be8612f094bf6d28d4f9d3551e56f5e6d0d7239296f

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
371KB

MD5
b506afb5cd529eeac68a349e7b467c61

SHA1
a28db9d89b4a5608c0829898a1529f2cb3f093e6

SHA256
57d571f064a8c4248f8d95928bfedc2fa150147c153c2fa985f72da1cad84a84

SHA512
57cc7644f39d36b5f14de672550cef082814628b446fe9abc4835af334bc0ab9c851800af2f8305853b02c1092b706052c172070a9b1312058ad85f2a7ab4ebf

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
371KB

MD5
c9ce4b0888f4d9168ee05a5315a6fe3c

SHA1
e71d26209e202cfb53a35ccfc65f844016387cea

SHA256
5163a9623be71aa6be9cc546dd3798ca918773ca73c0aa42655f23895f9d035d

SHA512
cd61500ad210dd8acdd7588f4a67c2e1ef273828d83187c6691a3199904ea95e9b191cd65010f9b33bba1ab1ce42e9c9086baf5e1a0cf7c1f98c324cfb637a6f

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
371KB

MD5
140b7f90e535aca6ff1edaff41c7da55

SHA1
1aadf5ff476761e3ba26c0c9f66ca19e17e612d2

SHA256
5091476d0d896e80f4a62cabab211f308f9f12d58612d0249ae389f8184989ac

SHA512
9450c409a9e13ffdf96c6909904a18bdd5071ecac4a56dfc83ead44a8d36a88ad4089ede25e95f937a8fb113fa1a0b65953201f44533b36304347216eeac648a

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
371KB

MD5
756d51f2635b6787b88191408b8c0f0c

SHA1
a9c0013e29b5a9fb0a585b6c7127ec739ba85761

SHA256
0c3c8b35cd4afd018962079cb03fd016abfb7249e3bbb69e9db87a1d5d4d0f1f

SHA512
180a92b9de88414b6133aeb7f7760bb7e717a9ac3bc37839a5a00470d1ea75247b4a53b4635bbc2726911859dbdd6df76b7c73134be8f818dafe3c50cd8e7403

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
371KB

MD5
d414fab16756b50b129521222de56dbb

SHA1
2712e16fdc236720680f87de0318afcaa0452ee4

SHA256
e72a8a59b77bad1b44e3e8ac77ab6a095127e72369a80c546b25e22b211bfb05

SHA512
d75f324f65cf9dcc3d261fe859b3d028878e666d6c38bb01a702cc1efe3864248b8026f1a1a2bf3e63effe1a58fa076808417f2444241f1f062ed83a6a91f309

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
371KB

MD5
e5708669099c2ce13377b73a7dfb4e8b

SHA1
b2a3ac142ee0b24c077141cf073c4371a98dfb1c

SHA256
1567e427eb1ebda458c62fdf9f90d3f08942e765b997dac12f68f607f1a0bc9c

SHA512
a5edbc143b3c41e221100d15af03d20ebb3a7c830d1109a3b206010aa120ac594ccefe2b643b88a9d225c84426e208f51db7b438218661dff238018098d19374

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
371KB

MD5
d70a6560f0cb99e075b570a32f73e285

SHA1
4d5ffb981ca628270e2d5cfb7d20bda82be23639

SHA256
2700e9645d918425cecc8de65311ac2c3ca80c3dd39e62348136cf191acfda38

SHA512
573aa396e383d099561d006b0701a6a5ad22d9c0451788fd91d72cc8b82f5a8ae009ac2b9c5ef45fb4bc6e582044f9077b568e59671c16fd6348795e8f0d61f9

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
371KB

MD5
96df6eeb4860c1262f5b1a203161ae8e

SHA1
a78b6c81323c4ad72e0e24b5357dab512e4c9783

SHA256
2d3cb9b303fccdb083092171715638b41d9035616388be5df86ef04d91291d7a

SHA512
e0ff46dd4bbf2c88136d27c5cd7a96d3dfe41b20fb9758284a011473dc978275a9a125230cf5e92a77630a2991268a2950e03d918c922653c2667f0c88392e44

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
371KB

MD5
b8c6174363a26171dbb702d5e4de1d55

SHA1
be104f8a7fa98bfbddbb6add632d49476b9e7728

SHA256
6966b4f85dd7fae7abe818dc8f07ada53ae96ceb40dc02c44de3e833c172676a

SHA512
8a81e8bcc91a06456d997ad7a0de1dd022ef37e2585623e5acf0ea83fd99e21dc8415e42da94744ee9c50bbfcd8c0ef3ef81e0f24642f700727f853cacb354d0

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
320KB

MD5
25a7102cc21e64ab0ecefd43dd2f7a0c

SHA1
9f883e1a8215c472d64e11c5432fd4c44bca5b43

SHA256
d885b6c21ee627ec203e7eee6704e3d2665cc9d8d464583bb7f40548d6d22823

SHA512
86d33b7dca04bb8e7a4a28ac74244fda7d5990783f428b8b97eb263e560c1a73bc7dc7d7325c0e89e1d3bb28234787df605e77a38be094091465fc7d11c150bf

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
371KB

MD5
f5adccd5119998de4c00b2cb5d163024

SHA1
d7053963e76d62941294f3648c2dc1e965ea0aa2

SHA256
be40d97f58c8ab1d74f84abcdafb265c80b3ff8ecba59024510ee0e96103b2dd

SHA512
9c87342f2a69a73d11881770163bbcfe6920ee503262bb42bc63753dcd167ccec70f153390385abe5c65e073d836291342c1f637662044e93cba001a85ddaf4a

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
371KB

MD5
ff1cabe89e9d3b9a4b1b2133c461e6cb

SHA1
d62aca678897d6c7a8d9637a36d047136c99bef1

SHA256
9a613600d6300720e2c2e06d08c6c75b52b8e07b2e41f7edd990e0c85dfed52b

SHA512
365e81ad7fdc2cf1dd906d45f304dde8f731e81486c6d698c94dfbcf61fea0a91035a227c1bec993536cbdd30476ac1bc08e45b22365e86ec33b462473756b95

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
371KB

MD5
52be7132c0404656a193854a682d535e

SHA1
ce84a79e07fe93e14cc6166d3da5aa2da62ab102

SHA256
9a1327119a85a3bf9c1a2d62f210138d919bc70321e1c02f21ff30106c82a774

SHA512
3adbb674472c2c08e39ff80a0cbe2cf50b21fb702f9305a7629b5b81116156b55395be9fe7187ebd025e341371353c2e09c1eee267be01f60db967c70da9315d

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
371KB

MD5
f3eb038e224a602ef58a1e8754d74b42

SHA1
898aef3fcd70d344ab6cef66423ef5ae51dd3e25

SHA256
39ebe79602f1bf65585ff24207d78f0ab994f94272ca6c17d17f7c993e933984

SHA512
212559840200d668a2390e0653854bdd81c208b02ab5478d33b924d55666a602d5caf5331e896a3473700c86063aeee3fca714dd8abdb78eb99c236db2d7b3bd

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
371KB

MD5
8078281b748f0bb9f06f8fedc0816c12

SHA1
470f30a643d020030e58d1f3e84ab1f70483da91

SHA256
77021a0e563908689dd753a1e4c18b6b69a810c68524f9574aa9ae7876659dbe

SHA512
f61e75be732b35fe880f775675b68e6605f6100112cf574aab52d2b128197cec33d0e95a06590325b8ffd729904635a740e7993a31a0964d1b8bfa66bd31a168

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
371KB

MD5
bb8accefe0cde8383e898da467dc02f0

SHA1
e4006ab6a00247078e02272655bd80d1390b3c12

SHA256
0de31d92e458ed9412ab98d953faa3267b8c61575f9763328febf8482b18ff83

SHA512
962c7973e07c6faf532ee31bb1d583d47f937aeace31be8934ceab79495473b8af790b141f8e93fc68096400cfdc80a958d0fa66d11d934e665e3f5825c9557c

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
371KB

MD5
6bcadf288711cd79a5754e0ce1452a20

SHA1
d96c51922715705699197a16f5c0213268ee506f

SHA256
78c69d3fd7f0dbcdb1698ef79061fbe4d57733c0e381076c3d36700aa2dcecc6

SHA512
15f26116f32492159fa6a18b17ec6b12a470c25f290879f7b0210f2e68411768bd42d6307f98b10001d863fd1eeecd323788bbfd9380fff3221990ba704b0618

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
371KB

MD5
776a752327d43f9ce038c0e842851eda

SHA1
4d119feb6ed03b2951d6d7982f9e0b3768ba3e9a

SHA256
0975e0920161a24d3bc6c85aa90d6fc53d587816d66ca989f644d50ab0e43064

SHA512
9a6d853b0dfc46a8995d5a78fa31bc2581326e7c9b2b8ae4b6224cace88557210591d66d6dea858108437b3a790add981d4a5685631a2e0342f3858be85b4f16

Download Submit
C:\Windows\SysWOW64\Eiojlkkj.dll

Filesize
7KB

MD5
23cf246bc1071c822e5369441649244b

SHA1
bcc3882af318bed20e9b4d463997929ee99fc076

SHA256
103f5dbcf8e00f17205ddd8d2079753f90958452d0018bf1af2af78dcbb89806

SHA512
7898559a4c1d3a1a4c5e662af5510ab48803a472824423f1f331b6f0a2876ec6639538ae26ae8a0d786b314edcc990cd7366af65110a6b21ba2bf5412cfd19cc

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
371KB

MD5
6789dbd2c44f89a77c6230071eae722d

SHA1
73e60e5940782b00d90ab11ba5b5c7fc59291d8f

SHA256
e22e6848077e826535f7c0399d80211d9df633b57448010d2547f819c41e80eb

SHA512
c0a7bdda2eef63d807fbfc88176f0407f6af3f92f3ad9e914bc767d6048523f82a8de1a0e715162c7090b4a96f1c80162240abeab73391e12fdbadbad83cad84

Download Submit
memory/336-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads