berbew | dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98

Analysis

max time kernel
31s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe
Size

80KB
MD5

c9132cf2c45e4053818eb7aa7d31c8e0
SHA1

0d157d40b277dd7a05a60918bcc0cf31a6881a6a
SHA256

dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98
SHA512

9feffaf95630b3c794d405716ed29213e9fc85cfa91f5197a6ba923f87a13b71e2f51f7362cf9c5bcf2f1a0460348acd97dc378092b4bb5b8e2a80e53827446d
SSDEEP

1536:A8qPq3vRSFWTjW9UfZiD10E7zIzLjRQAARJJ5R2xOSC4BG:9ZS89fZiD1V7UzfePrJ5wxO344

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 40 IoCs

pid	Process
4288	Aminee32.exe
400	Accfbokl.exe
1872	Bfabnjjp.exe
3204	Bnhjohkb.exe
4136	Bagflcje.exe
3400	Bcebhoii.exe
1416	Bjokdipf.exe
2804	Bmngqdpj.exe
4364	Bgcknmop.exe
3296	Bjagjhnc.exe
3080	Balpgb32.exe
1628	Bgehcmmm.exe
3340	Beihma32.exe
1364	Bfkedibe.exe
3012	Bapiabak.exe
4336	Cjinkg32.exe
404	Cabfga32.exe
1568	Cfpnph32.exe
3932	Cmiflbel.exe
4676	Ceqnmpfo.exe
1332	Cfbkeh32.exe
1240	Cjmgfgdf.exe
3580	Cmlcbbcj.exe
4432	Cdfkolkf.exe
1964	Cfdhkhjj.exe
2404	Cnkplejl.exe
1004	Cajlhqjp.exe
3784	Cdhhdlid.exe
3440	Cnnlaehj.exe
1436	Calhnpgn.exe
2856	Dhfajjoj.exe
676	Dopigd32.exe
1724	Ddmaok32.exe
3008	Dmefhako.exe
940	Dfnjafap.exe
1640	Deokon32.exe
868	Dkkcge32.exe
1056	Deagdn32.exe
2028	Dgbdlf32.exe
3084	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	3084	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4288	4376	dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe	82
PID 4376 wrote to memory of 4288	4376	dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe	82
PID 4376 wrote to memory of 4288	4376	dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe	82
PID 4288 wrote to memory of 400	4288	Aminee32.exe	83
PID 4288 wrote to memory of 400	4288	Aminee32.exe	83
PID 4288 wrote to memory of 400	4288	Aminee32.exe	83
PID 400 wrote to memory of 1872	400	Accfbokl.exe	84
PID 400 wrote to memory of 1872	400	Accfbokl.exe	84
PID 400 wrote to memory of 1872	400	Accfbokl.exe	84
PID 1872 wrote to memory of 3204	1872	Bfabnjjp.exe	85
PID 1872 wrote to memory of 3204	1872	Bfabnjjp.exe	85
PID 1872 wrote to memory of 3204	1872	Bfabnjjp.exe	85
PID 3204 wrote to memory of 4136	3204	Bnhjohkb.exe	86
PID 3204 wrote to memory of 4136	3204	Bnhjohkb.exe	86
PID 3204 wrote to memory of 4136	3204	Bnhjohkb.exe	86
PID 4136 wrote to memory of 3400	4136	Bagflcje.exe	87
PID 4136 wrote to memory of 3400	4136	Bagflcje.exe	87
PID 4136 wrote to memory of 3400	4136	Bagflcje.exe	87
PID 3400 wrote to memory of 1416	3400	Bcebhoii.exe	88
PID 3400 wrote to memory of 1416	3400	Bcebhoii.exe	88
PID 3400 wrote to memory of 1416	3400	Bcebhoii.exe	88
PID 1416 wrote to memory of 2804	1416	Bjokdipf.exe	89
PID 1416 wrote to memory of 2804	1416	Bjokdipf.exe	89
PID 1416 wrote to memory of 2804	1416	Bjokdipf.exe	89
PID 2804 wrote to memory of 4364	2804	Bmngqdpj.exe	90
PID 2804 wrote to memory of 4364	2804	Bmngqdpj.exe	90
PID 2804 wrote to memory of 4364	2804	Bmngqdpj.exe	90
PID 4364 wrote to memory of 3296	4364	Bgcknmop.exe	91
PID 4364 wrote to memory of 3296	4364	Bgcknmop.exe	91
PID 4364 wrote to memory of 3296	4364	Bgcknmop.exe	91
PID 3296 wrote to memory of 3080	3296	Bjagjhnc.exe	92
PID 3296 wrote to memory of 3080	3296	Bjagjhnc.exe	92
PID 3296 wrote to memory of 3080	3296	Bjagjhnc.exe	92
PID 3080 wrote to memory of 1628	3080	Balpgb32.exe	93
PID 3080 wrote to memory of 1628	3080	Balpgb32.exe	93
PID 3080 wrote to memory of 1628	3080	Balpgb32.exe	93
PID 1628 wrote to memory of 3340	1628	Bgehcmmm.exe	94
PID 1628 wrote to memory of 3340	1628	Bgehcmmm.exe	94
PID 1628 wrote to memory of 3340	1628	Bgehcmmm.exe	94
PID 3340 wrote to memory of 1364	3340	Beihma32.exe	95
PID 3340 wrote to memory of 1364	3340	Beihma32.exe	95
PID 3340 wrote to memory of 1364	3340	Beihma32.exe	95
PID 1364 wrote to memory of 3012	1364	Bfkedibe.exe	96
PID 1364 wrote to memory of 3012	1364	Bfkedibe.exe	96
PID 1364 wrote to memory of 3012	1364	Bfkedibe.exe	96
PID 3012 wrote to memory of 4336	3012	Bapiabak.exe	97
PID 3012 wrote to memory of 4336	3012	Bapiabak.exe	97
PID 3012 wrote to memory of 4336	3012	Bapiabak.exe	97
PID 4336 wrote to memory of 404	4336	Cjinkg32.exe	98
PID 4336 wrote to memory of 404	4336	Cjinkg32.exe	98
PID 4336 wrote to memory of 404	4336	Cjinkg32.exe	98
PID 404 wrote to memory of 1568	404	Cabfga32.exe	99
PID 404 wrote to memory of 1568	404	Cabfga32.exe	99
PID 404 wrote to memory of 1568	404	Cabfga32.exe	99
PID 1568 wrote to memory of 3932	1568	Cfpnph32.exe	100
PID 1568 wrote to memory of 3932	1568	Cfpnph32.exe	100
PID 1568 wrote to memory of 3932	1568	Cfpnph32.exe	100
PID 3932 wrote to memory of 4676	3932	Cmiflbel.exe	101
PID 3932 wrote to memory of 4676	3932	Cmiflbel.exe	101
PID 3932 wrote to memory of 4676	3932	Cmiflbel.exe	101
PID 4676 wrote to memory of 1332	4676	Ceqnmpfo.exe	102
PID 4676 wrote to memory of 1332	4676	Ceqnmpfo.exe	102
PID 4676 wrote to memory of 1332	4676	Ceqnmpfo.exe	102
PID 1332 wrote to memory of 1240	1332	Cfbkeh32.exe	103

C:\Users\Admin\AppData\Local\Temp\dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe
"C:\Users\Admin\AppData\Local\Temp\dd5b840ef5f6a9d8240d52c17ed39d518c81550ea5549201a7cf052446284c98N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\Aminee32.exe
  C:\Windows\system32\Aminee32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\Accfbokl.exe
    C:\Windows\system32\Accfbokl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\Bfabnjjp.exe
      C:\Windows\system32\Bfabnjjp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 220
        42⤵
        Program crash
        
        PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3084 -ip 3084
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abkobg32.dll

Filesize
7KB

MD5
eadf93a1654d0025b02149099d97198c

SHA1
1fedeacb526886694ce73ac1739c732893d25402

SHA256
bbf336cb777c4a83fc64c8b5dc8b9dd19b89bc9a54de60fbe581af552f035658

SHA512
7ee38674e57d998e21098518d7a12bac6de9abd4d1ce8ea61b54f8aeab1a8a5227a29800ad9d5fb4d522f232826c90afe08ee946ac092d6cb8f951fdd0346ea6

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
80KB

MD5
a28acbb030f929f5bb37cdbe5bbc3253

SHA1
dadc03edf3fb8cc5ba36855a6313d55d7cce1e45

SHA256
d881e8a4bf2347941024bf5053be5656ae4cbf1b4e809a8a1eb015261b6050fa

SHA512
73f56491c02f95ce709301cce8151d80306ae0bddbb5c558dbe5b8fc9beb1257f0a57768ddf8b1562cd0d79af83f807c55f183d67fd813153b060652cf1f0266

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
80KB

MD5
112088a70d6cd438ce2d4b879f61464e

SHA1
1bd95efbb777af7cb4bf5bd64f32d63b1127fb0a

SHA256
907ce9556285b405b428f5278c47945241afef3edfc03cfe98db0c9937ba0f6a

SHA512
f22ac5b066042314237c8ca5ec3ab545b79ca41f7a0e5f0ccd2d315370848abf1fb5d2596b2c947dd4b246a463034029e39ec3afbff10858e57b5cbfdcdd1dbe

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
80KB

MD5
7eaa149d67543b1b1c22fd7eae456aaa

SHA1
6deeccafd9a153bae41bd11bb6e20d51a4e03772

SHA256
bc27240b28029ad8edea941520b5da36c1999f3df195388dae7e01dc145ba15b

SHA512
78ef87161485be08bf97cb9064d57457bb49ec0978a4f50a9e92fb9f19baf33a1e3e85f93c2e9ea33710f49f8c86806d34268dd0f7e7198b841010b7fce5c7ac

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
80KB

MD5
c28b432096eebe6931aa103ad26d3243

SHA1
55a65fd2b09b86fbbfa23d81ba85ed217fadedfe

SHA256
cc9a7ce208f41209369cfdd07680a36275db628c99801a0ca2e7f834f5fd35d1

SHA512
6510e9284be3111e3e1e13a41eb80ecea653e745956ac25e022b039925b63ac2fd1394c058dd69ac8a87b70265fc237dfaf7c6ae572fbd0c6bc1b1431a45ab12

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
80KB

MD5
51b2c4dda9d45e768ad113bc758d1c6d

SHA1
8b52e641ee99f7a420e23e4176915fca5f36be64

SHA256
edf29372c5342ecf9ec7af2346f8d2f76fa9051345c355570a6e77ba4f3c0b38

SHA512
25fdcd67481624d6a8584dd15a61c9095741d03ec3e0ee018893f842bbbd4e9d081880d2c37734e9c57c3874b301d0a9194ad517227394401f909ccb7fdcc856

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
80KB

MD5
5a337b6abc39bacac0c9b24b11e094b0

SHA1
69fc693d0bad7eb226c80d150c5f22f3e43ba37c

SHA256
ade310b43b41c366bf56b35363ce3cd0511fa34b883d7a3646ccc5eeab7b05d6

SHA512
c951c892061d8bab0cae206f50c69dc44b5a41876cafb738a514d522f3c5ebcc2cf5bd6a6cf6962383a7905315ad7620b8318a377aa82801e52996b7fe62bb5c

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
80KB

MD5
197e9e1ceb9296a3777e7937e46ccbea

SHA1
625ca71c4a43b31e02b1338b6dfcc9d28f406af9

SHA256
bb62ec165361ad431a5a0e7d304193cf7fb6cceb682844b30fae38149d770bb8

SHA512
ea4af293404c196bbd3dc2bd5dc89fec32def356e8ae24a2c42764fb57eb604a62238b7dd3916e1e646631af9a87c8c732b1d3d75b377f5c9022b7b6d4b9cbc3

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
80KB

MD5
6e776dc0eaacc0db60326ae74fb04668

SHA1
55f385fab89fc9ebade9d104e6911c2a19ac6711

SHA256
c0561e7122b8fea8086ed9057004c70925bbbdc6989035f11a663f8b836f29f8

SHA512
0825333e243006fa70f26475434b837291bc50d77f17fcd00b62b3a20c9e703497d0b9a49e6d5535818bbf9607686aab854629a47154bbcf3606631a635e7356

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
80KB

MD5
268a931b7ae04280030aae39e8e329c1

SHA1
afc0c4495e12f91db89eb8d347cbe86e75cd6608

SHA256
1f0ece7a611ed7c939176a663ecc3ad80f483e107fd7413bd3751329f0194c3f

SHA512
7576f3a57c77c894212fe6b13501301bcf6f48895c12577f0e4b646eeb5a9645c7e3cd1cc2cb5c891ef4baf8fe502a39650405b602cf233e68d50a014a36ca84

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
80KB

MD5
cc4cad939e6c417afb10a5a7db368027

SHA1
16bf5cbc02d45ddedd25e0a94609858c59573f32

SHA256
4a8db5cedcadd35f094b9f467a1652f3f57cc3885f0e46bd2c723be8ad06c7a6

SHA512
4634038604f9c93f18fe6f503ae9d4833cff4fe831cbf1c9487b12d5c959d0b767c0ab0521b6e1d925d39b81020b3030556ce178fb1a5eebac7d81e7c47cbce4

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
80KB

MD5
b32b096fde7b91fcd9f3bac3dd407e76

SHA1
4c7c2d95c90ac38c7a38409223a3d9a46cc56f83

SHA256
9f3b363b756d5b5cb52b7fda80d082f4c141d8cd7fd437c3bc4683d4a7ba5f89

SHA512
864dfceba52e7dfc55df585226901110b5f0826ca3a0c817e770231cfae678be665dcbb2a34e3a1bdff1431570a901701e468fa7176651fef3fddc7fe51bdb4a

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
80KB

MD5
b5bd13eb90853be44867ad9688e57a76

SHA1
8382e6ef0213928065c8aa40810e6f4816955293

SHA256
aae1fb8c5bd35a5c9324bee1450650676daa39fcd513c852a66fcafca69c9bb6

SHA512
b3e47a5ce47cda18256cb4633549f3201b2d9541a2ebe73e5385b3f706609f87a147f56ec3b815644ce1e1b3612eee52f563060b879afa96bc7a338333ad831d

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
80KB

MD5
cccf6f5b75cf75cb3799a395339180e0

SHA1
fbb4313ba960fb442fcef3b6e38b9f81a7255a39

SHA256
48cad2541318bdb517347e68acb575a0a11aa6adbab764e0fea899e4ac0e57a0

SHA512
da00f9b494d3c69c10c997c36ce400d7fd8856d745bd64e3f0199a6dff0a8ab750c21f2018830222fa34f884b7637ecd9b41889034ec61be031769f29e5488c8

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
80KB

MD5
2b84fe27cfc6a6a6ee5a1bb2634ae969

SHA1
6f94cec3c534817ce13f8cca56a8d3a11f8db70f

SHA256
74d54f395d3b0bafc7c31318f147317bc7554bad35d1e55466937574f03a8a39

SHA512
585ac66243cd7cf439866f1b64f78a64df6975c8774dd260e67b6330bdb8cbece0ceb8dc7527bd4a2cc4867b5d4b94f4376fb7b4e377f3cf0175ffc54f471117

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
80KB

MD5
edf9e8524b2616049f955614fdae0783

SHA1
0dee3f983565659d15b11282694fc89ccf229354

SHA256
ee8199af1c0880f8a9382cc04d2afccdefd5017f37ef1e475b78a60c0de5be58

SHA512
71910211d932379908f03037f6d6729842f41a86c96a3e2e01905d9dca5ec092f4c01553a62dc64c0fa7f072c9977f166495fa3de6990c41812de661a4e76b56

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
80KB

MD5
9583a04be1709dbe3b78b67f7c2a6969

SHA1
0b5e75277314a3316b052675111556099d54a91e

SHA256
8565ccd928214ce0fc6e2bed12125ef651bb980c29a186ce1c84ee81e9dd92e5

SHA512
691e0e25a97198aca009f1ad124a90ed85da34b65b3be9e8d356ca0be2d27b3783b320da75750ddc0a457634df9a6c25595b44fe21f2de3960dd22c7634a2422

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
80KB

MD5
5e68a5c5b6d9296d05d37c33b9028d9a

SHA1
fa4b8c1b2ab57b68b95618a2b77232407e61f1ff

SHA256
a9d4956c9c57e0d84bb5f32e06a71022b20ae447460cfc4d3fa61eafe5e5ffa8

SHA512
646abb001eef861fbca78a8d91018b0717c760a04ff3b57bde9cab3c69542afcc39ac599f09b485ee77ecaf0ad361a526dda03c215bac9896382d3916857f1d8

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
80KB

MD5
454eb783af414439fe4d5196d04d3d10

SHA1
b14b46c320156f933bb7d6cbdfbd0851914276c5

SHA256
9ca973b1cb3ad50f4036c3440244db400e378af636120fcca88ae9214203837f

SHA512
dfefc446b06639135bf1d8d60b9d52c106bebb9fe8e860c071a5c1debcf04d153d7084a4401f113f210e823af1d7b21feafb96b32b11616ef4b0827465bf6350

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
80KB

MD5
57314bec07e0214e7361d4b575899286

SHA1
c4a1c0de4b8b1c0acca38cedc2dbf52cdfe0ad91

SHA256
b182b95e229a1e6b1048174c23d958b13fc8c4269dfd546c0e18451c1a09c96a

SHA512
2deda3ef9840954cdaca3948fd610ab11057a5a09ceeaa194e644e07ab27c975924011d9fd23bce4ccb170f7a453008f5dd7075968bfbe9639715153f2cb6937

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
80KB

MD5
037bc054e0a7b4373ae2c4ae687cc54d

SHA1
1f408bd73f90ad3587051fb3b5cfd66f7df958f5

SHA256
f0ef2fa2986ed5bca1a7e5c943c3306afcfed1a4addf644f66223c7d395c3e44

SHA512
15c6e5b6f7fb9dddb7a654a1ac4ba121e64846bdce1c0cfa5b9b472c8d15c44205930fb667acc3c7318c8ca9de89b80e3726fee764393a65bde3b4453091b019

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
80KB

MD5
3c815d86c327f76e2317cd5f40e035cb

SHA1
9883c1d5acb9c6a74ddc45d2e7edab970b893e39

SHA256
22a29e2da38d1e32f524f730d7c3eb3a94b92bf4bad3072a4937731d993f86c1

SHA512
856e8ea36d2d21a7f1b65d1d7b5ae8a83e6e2fa9d97a54274283d210886a77430dc6803a4d56c5f018c2540cfba1d8aeb7d86752e258f082f694cecff43f3006

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
80KB

MD5
f15370e966ab0b2cbd2fed631f15b6a2

SHA1
a51ce77792cb6e1734856c544cc415cdb7c5df79

SHA256
e5147016b41248e461ca6a646230c271b13f56601a6d6d4bb984e81b67d753a7

SHA512
0248cd338321c7e84867af065e433431ede55ba03a64eb1eac8581f1d868287174133872908f320cf074c015795d0d82ae122e14361ef9b7e6400e722d15ca62

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
80KB

MD5
5b97d874029a8e47469c099482c7d5f1

SHA1
e2d530e62a29311aa559279e1ef3d8cbc0ddddb9

SHA256
2b69bbf407d4d5faa470d95755c4073a7c22675f5e65de2deba21313a6ffce5b

SHA512
a399a21a707b209280b261a6d86af64361a8ee78b707c18cc396455e2ccd51e4da9e2469cb06383a2d783e49b4050b8ea52f98a25ea0913b154087f8f7261900

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
80KB

MD5
b9d28c8916cdeb8c79f61a0a2ef97361

SHA1
801f86a18cdf069ea504fd9f89ae497f22a5cf1d

SHA256
13d5ba8c218b339ada4fdc1c5884c329f4c93fc0bec4747ebe94f8d0821f1ba0

SHA512
021a92b216c3d7c9e27b1aaa91691490568a67b138d7c7d257dd9e05247670342d7bc4a0ed74cabb7b1cadeb3b60e16e246bbae21ac89678f091cd8d598b447b

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
80KB

MD5
03da3eecbb3370a8795c5476a81496a5

SHA1
7ee9dd07d686ecc8d971eb10956aad714df14529

SHA256
51ecc804c24a8a0b83db3e17f0cd44b18837b4045cda970686a2519cf4339fe5

SHA512
8931ed0fa8d80c289082c950d7b6482f2cbd23f3437a31150e170adf47088230b7f2a7c4d360b203d98a0059fa40dd05d407f619751bea5b2943618f494d28d1

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
80KB

MD5
9912d25624db8523a8be065163aacaea

SHA1
d1a7cc83dbca6b4fdd0539ba429bda2cae1e6536

SHA256
ff2c7cd21e36106cb7151dfdaa97f39f11c9fcbe0772ecdcceae565f1ec78404

SHA512
33b3a2fabb2d5ffd0db2386cecf1aa6f23dfb121a5d918327f862568f85911e6bab5a05dd6a90e6f7629e4663ae55f5e2b90da63c0d17eed426a756dbdecd71f

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
0e17304836fb6b5a88f1fef7a6f5d581

SHA1
4de475d14588135256b3c50c64bf943f505e0f08

SHA256
181a7b5cce78a2e179493bbc34c036ea07125ecb8d87baf8a2274651c8fd7910

SHA512
8c3709daab714ff68840a0eabb267487dbe54db90aa193221b121a6acfe2cce0b02cf3d4ec9cd65111d221fa3b0a9c21833e324728d6b4df3049d487a36ab0be

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
80KB

MD5
91b89b8a18d35a8f02605725a833e553

SHA1
c615cc690164ed74e09b8c23dd09cd26d96e0037

SHA256
542267dcb4a5c33a837adbb5b4d92b4cc063fc6456a599aac6123c9d6164b9a4

SHA512
88690aee712a552f6fcd0b91ec9ee7a018b36d8ded87f77d12757d9a384372de793426f79e019214eede9a856d07f9dafca3979bdadcddc7a0f10345b0f3e02c

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
80KB

MD5
80d23328da2ca504175754297408fe0a

SHA1
dab3a964024d069fdb6038399af3afb039b43177

SHA256
1d164375cb6d7871cc1006c5e45a6b82a3a315c8593a5d0911d0a5d419d1334d

SHA512
5d4bb74f3e053dd83da7fb31babdb14c063a650b04e85878714783d39bb2d0a88fed25fc6f1b2353a576fe8d1a07a1f2501ebbd62eafc15bdb98d8020bd557e9

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
80KB

MD5
77367a3043f930857f20380f59dd14df

SHA1
f94df55fe6160a60ec982d67ad5d7e70b4f1fc98

SHA256
0186928a36305a1aebaf17c935292d5e498623174644fee0bfc1ca6bdf728fe1

SHA512
e9d036b3f522312cffd3d296d4b14dd96e8fd302192100235f8277600d403066cd9cb1778f8af5b7e79cee0184d050eeb885d1d641067c220b89562bc39afde4

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
80KB

MD5
e4066a5a497552d077f582134c90475f

SHA1
c8e38b7f1602792eb1c02f7da3f55270e3248a3a

SHA256
cf308fdbc5bd5ddcc5ba8b3707f2ef1f507d30a41e30c7a1a6ce63d3f9397c49

SHA512
92653d35c644ae1d5f2de3fab57edd8a98cbab30b8aef6ad47ee66bc134b0be09ceaf7c04e741566a8a8ce67124693014ff6fd04542c99c1aa0b5fb8a3937275

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
80KB

MD5
c9abaaa09716a9d1bfa6d330cb81f534

SHA1
88af37a4d92c27c6ea0da8e8da9e6c51addda75b

SHA256
3f8d4afd6547ba1c96a1b2721f7a62d03a23104d3145af7a42fc1c05b3b5e1b4

SHA512
fb834de2fb696b296c2b6f6ba68a31bab7039e59b226dc44e5229fbe81bca81d47172eaa8facb1153be25e32805c8bfbdc80dbaee20d9c682d89a69f8c16f90c

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
80KB

MD5
53314aee86153e2830d59e7cd0b0abae

SHA1
cc6dc7f79a20c0620c2c122f545d6b524cf42e80

SHA256
64145f4a2c7e5dbc3ea0a9ec8c2cef5557b2c9768288a9a040caeac506bc1b58

SHA512
6f56d46c0c7f75dcd821bc241bb7adfdf059aae1d5e60c5a7cf6ba7ac008d67c268b3c5f41432e1c0e6087117fddd42e76188dadebe0ca729af3a3ccc317360c

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
80KB

MD5
b59aa4cf2dde09020b0bbabfe16b5b3e

SHA1
d5cb5319e75ebadea204cfcf3eae5dbcc97dd8f4

SHA256
98e164018cc68bf3c24738b15b0a0a09e81263338af96bb64ec6b048d828e04a

SHA512
25ea4f8733c41460883af47e44df67de58af8fe5eccee651138ee7b87a23bcbf1fd135d696e354ca022c05c0fce1c4f4f65f94ed4cc177cbe288c95103c48bdf

Download Submit
memory/400-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/400-97-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/404-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/404-237-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/676-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/676-343-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/868-338-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/868-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/940-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/940-300-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1004-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1056-337-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1056-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-189-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1332-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1332-180-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1364-206-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1364-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1416-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1416-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1436-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1436-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-241-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1628-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1628-99-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1640-339-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1640-307-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1724-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1724-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1872-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1872-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1964-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1964-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-327-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-336-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2404-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2404-225-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2804-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2804-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2856-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2856-344-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3080-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3080-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3084-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3084-335-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3204-115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3204-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3296-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3296-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3340-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3340-196-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3400-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3400-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3440-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3440-326-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3580-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3580-197-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3784-242-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3784-319-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3932-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3932-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4136-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4136-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4288-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4288-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4364-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4364-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4376-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4376-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4432-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4432-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4676-259-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4676-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads