berbew | 83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
Size

448KB
MD5

bc888aa8dd66273ffb662bd69a2616ed
SHA1

cb94f5d5ce1477457ed61251bc05a6941ee60552
SHA256

83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f
SHA512

b41ffb70e2013265feb90886d3c69d62f3d1c824d32b4cee2b658db6c41cf032f6ded6cee3d6dd54d323702181dd8fc4f4dd5417c63b1b8585acd57b66243ab6
SSDEEP

6144:Jiu+hulQrdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PB93GxK:P+huLr/Ng1/Nblt01PBExK

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 32 IoCs

pid	Process
3668	Ajhddjfn.exe
424	Aglemn32.exe
1760	Aminee32.exe
3436	Bfabnjjp.exe
4856	Bagflcje.exe
676	Bjokdipf.exe
2296	Bmngqdpj.exe
3028	Bffkij32.exe
3740	Bfhhoi32.exe
3808	Banllbdn.exe
1412	Bfkedibe.exe
3340	Belebq32.exe
3704	Cjinkg32.exe
3628	Chmndlge.exe
2036	Caebma32.exe
1532	Cnicfe32.exe
4136	Cdfkolkf.exe
1928	Cnkplejl.exe
1056	Ceehho32.exe
2928	Cnnlaehj.exe
4860	Cmqmma32.exe
4904	Dfiafg32.exe
2672	Dejacond.exe
64	Dhhnpjmh.exe
2228	Daqbip32.exe
3284	Dhkjej32.exe
2520	Dkifae32.exe
3604	Dodbbdbb.exe
3648	Daconoae.exe
3196	Deokon32.exe
5052	Ddakjkqi.exe
536	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bmngqdpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2912	536	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cmqmma32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 3668	1648	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe	82
PID 1648 wrote to memory of 3668	1648	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe	82
PID 1648 wrote to memory of 3668	1648	83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe	82
PID 3668 wrote to memory of 424	3668	Ajhddjfn.exe	83
PID 3668 wrote to memory of 424	3668	Ajhddjfn.exe	83
PID 3668 wrote to memory of 424	3668	Ajhddjfn.exe	83
PID 424 wrote to memory of 1760	424	Aglemn32.exe	84
PID 424 wrote to memory of 1760	424	Aglemn32.exe	84
PID 424 wrote to memory of 1760	424	Aglemn32.exe	84
PID 1760 wrote to memory of 3436	1760	Aminee32.exe	85
PID 1760 wrote to memory of 3436	1760	Aminee32.exe	85
PID 1760 wrote to memory of 3436	1760	Aminee32.exe	85
PID 3436 wrote to memory of 4856	3436	Bfabnjjp.exe	86
PID 3436 wrote to memory of 4856	3436	Bfabnjjp.exe	86
PID 3436 wrote to memory of 4856	3436	Bfabnjjp.exe	86
PID 4856 wrote to memory of 676	4856	Bagflcje.exe	87
PID 4856 wrote to memory of 676	4856	Bagflcje.exe	87
PID 4856 wrote to memory of 676	4856	Bagflcje.exe	87
PID 676 wrote to memory of 2296	676	Bjokdipf.exe	88
PID 676 wrote to memory of 2296	676	Bjokdipf.exe	88
PID 676 wrote to memory of 2296	676	Bjokdipf.exe	88
PID 2296 wrote to memory of 3028	2296	Bmngqdpj.exe	89
PID 2296 wrote to memory of 3028	2296	Bmngqdpj.exe	89
PID 2296 wrote to memory of 3028	2296	Bmngqdpj.exe	89
PID 3028 wrote to memory of 3740	3028	Bffkij32.exe	90
PID 3028 wrote to memory of 3740	3028	Bffkij32.exe	90
PID 3028 wrote to memory of 3740	3028	Bffkij32.exe	90
PID 3740 wrote to memory of 3808	3740	Bfhhoi32.exe	91
PID 3740 wrote to memory of 3808	3740	Bfhhoi32.exe	91
PID 3740 wrote to memory of 3808	3740	Bfhhoi32.exe	91
PID 3808 wrote to memory of 1412	3808	Banllbdn.exe	92
PID 3808 wrote to memory of 1412	3808	Banllbdn.exe	92
PID 3808 wrote to memory of 1412	3808	Banllbdn.exe	92
PID 1412 wrote to memory of 3340	1412	Bfkedibe.exe	93
PID 1412 wrote to memory of 3340	1412	Bfkedibe.exe	93
PID 1412 wrote to memory of 3340	1412	Bfkedibe.exe	93
PID 3340 wrote to memory of 3704	3340	Belebq32.exe	94
PID 3340 wrote to memory of 3704	3340	Belebq32.exe	94
PID 3340 wrote to memory of 3704	3340	Belebq32.exe	94
PID 3704 wrote to memory of 3628	3704	Cjinkg32.exe	95
PID 3704 wrote to memory of 3628	3704	Cjinkg32.exe	95
PID 3704 wrote to memory of 3628	3704	Cjinkg32.exe	95
PID 3628 wrote to memory of 2036	3628	Chmndlge.exe	96
PID 3628 wrote to memory of 2036	3628	Chmndlge.exe	96
PID 3628 wrote to memory of 2036	3628	Chmndlge.exe	96
PID 2036 wrote to memory of 1532	2036	Caebma32.exe	97
PID 2036 wrote to memory of 1532	2036	Caebma32.exe	97
PID 2036 wrote to memory of 1532	2036	Caebma32.exe	97
PID 1532 wrote to memory of 4136	1532	Cnicfe32.exe	98
PID 1532 wrote to memory of 4136	1532	Cnicfe32.exe	98
PID 1532 wrote to memory of 4136	1532	Cnicfe32.exe	98
PID 4136 wrote to memory of 1928	4136	Cdfkolkf.exe	99
PID 4136 wrote to memory of 1928	4136	Cdfkolkf.exe	99
PID 4136 wrote to memory of 1928	4136	Cdfkolkf.exe	99
PID 1928 wrote to memory of 1056	1928	Cnkplejl.exe	100
PID 1928 wrote to memory of 1056	1928	Cnkplejl.exe	100
PID 1928 wrote to memory of 1056	1928	Cnkplejl.exe	100
PID 1056 wrote to memory of 2928	1056	Ceehho32.exe	101
PID 1056 wrote to memory of 2928	1056	Ceehho32.exe	101
PID 1056 wrote to memory of 2928	1056	Ceehho32.exe	101
PID 2928 wrote to memory of 4860	2928	Cnnlaehj.exe	102
PID 2928 wrote to memory of 4860	2928	Cnnlaehj.exe	102
PID 2928 wrote to memory of 4860	2928	Cnnlaehj.exe	102
PID 4860 wrote to memory of 4904	4860	Cmqmma32.exe	103

C:\Users\Admin\AppData\Local\Temp\83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe
"C:\Users\Admin\AppData\Local\Temp\83fe1d3cd5b32eae066a61e53398d6cb30bb8b883e4270b2300ccd94a3aa7e1f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\Ajhddjfn.exe
  C:\Windows\system32\Ajhddjfn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\Aglemn32.exe
    C:\Windows\system32\Aglemn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\SysWOW64\Aminee32.exe
      C:\Windows\system32\Aminee32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
      - C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 396
        34⤵
        Program crash
        
        PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 536 -ip 536
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aglemn32.exe

Filesize
448KB

MD5
362af74a9889213fe47988e4a235685b

SHA1
e7de234173fd4ba4fc3beb99d88b0121345c0f48

SHA256
876e78e2c3da308cdf6999174180796039220c2da1fa7fb931758ed4c5918152

SHA512
ed9afcd787025f7cdd394555ac4f2620f097eee61fa6a1ae1326a2b53398adfa08ad612d5308a2a7e19f89b8e3ac2707fce71a484a2a3a67562d335e858ebcb8

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
448KB

MD5
5f2f49cfa4217863c925d32fcdf04b44

SHA1
73f43deeacf0fad520b0972d8ada68b3af2a16a0

SHA256
c21980199a4a17c4f10faeb9114a98ae4a02d4a66c69a34511c9d4027ae25892

SHA512
8051217879d71c66cd406a829f15d5ae0ff46fe3050c12d225538933017bb4be2b81843471a89f8b29dcb3368612f5bfa5770aef1aad4c143c290ec6b8fab426

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
448KB

MD5
dc651727fcffa0881781f92a2d76cf8f

SHA1
1d63434c2e84c68ce3f5288c80a58ae27c83c6ee

SHA256
af6863d030712b49fb3ed02e4c1ec84a210816a4fb72474b7f6c3a3759e74123

SHA512
9c2ae8b6b8d1a2cf7c0fe356a1673ab4423012249fef623dc1332207338b4ae9bd44db81f4e6e0d60d33be24efe51bdd26f81b6551b51dce562b7113f9233b4c

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
448KB

MD5
cc0330f894287570b0d9862bcc64fb9d

SHA1
107ef21c8012367bc33da14de6401090ae65be53

SHA256
f3d68297192259b079a107ea9ba4c3fb504bfbd97b4c22dab1164caaa21e3802

SHA512
b28cf44a44cadb4b7343811f2b88d4d66a6957472beacc1277e6d6f016790e6b9473ddafeee90f2f0ad1c8c525f97e870e2472e2634297795ab44637131da3de

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
448KB

MD5
aa7a3a8328d1f72cb19e37c80d1992c6

SHA1
a22436189f44c0c5af4c9609c95d02c9bf9bcc67

SHA256
49419710b5aa7596f8370effa5fdbf5f167b5af1544295d555ebcf45c05e5695

SHA512
fd5221d4cf6275d777b715f14126a2c3c238c8773738e8a5fb134b0d9257c40de2260aa7518314d087e72a0fa5ca55757d51dcdbf36d3251c1c495056f3ceda8

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
448KB

MD5
aaf03f71a402170c7455af7979db53be

SHA1
14deba576c3549ca435821968645ca35cc6bfafa

SHA256
02f0b59f29c6dcf4a5115d74f45dbdd1cc04119066797c3f39bd6dc021dfb8cd

SHA512
5c594e7694250be5f8f88732f9f52bf609bde7979b482220fa5d5ef459a600b24d6f6c8f1ca6611c2ae06aa37cde8596de413857a37b7981ec28123ca4def231

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
448KB

MD5
0a55a5d94b5478516a9c6cc5b6a653b4

SHA1
db735ed84b3885a4f231abeed8dc8bd24233d88d

SHA256
0add4e97bbcfaa948a7ab34c4e109724533cf867a0957dac5d6489f876834d3c

SHA512
3b9b6ffe55c4f9b9278e728b2209c301ce41d1b0732c61c9f63b392dcb5f221c8965149831748dbc206ba4aeb667403230d20e7ada6043bcaba45e5644a10498

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
448KB

MD5
1993d5a95b102b622a3392f2d2c3f001

SHA1
d357f824de76a236f77af33ed0fc306487808999

SHA256
7a9b5ed386c7f8e2d9dd38ca26b8147e9aec06a86a5b20d88e569c1618b9f515

SHA512
baabb2cd1b23e2c98f989c53beb15f53aa631b44a6b329fbfa28905a35460d29d2425697d7b3913a98e994aefcf47c35906cb743c02fe5bc3f0e399187c8227e

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
448KB

MD5
8bcc29f13f1dbf26673028542d177377

SHA1
8b4f9c0dc4d41881cf9b67a5658247f399a4675f

SHA256
3e105b50eedc2c7877789cab8ba462ecd6a7ae179efb330e8905d20882816bac

SHA512
878a2770b600722b66f0a17920213d5b0f27a6ffb899a41c40ee522a8b05f70bc9a5a977496e888935ab46a503e4d88c544d3fc1ad0fb16f159f2a180711fe91

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
384KB

MD5
cb8f2bf2d8295e426c32e50f4f0a7ffb

SHA1
6e5c340ee2e4a1e039cbf49cb672c0d46aabe56b

SHA256
021210e544d519b15753c6960a98263b42665794aea1e32929a8af46d210cc00

SHA512
b1862c194fc2ddf268a2346763575cb83c2aff8c298769db6be3d9ca6e8bd1355dd628937ee36fdae0e66b89a8e993f83a32b117b8fbc9a77ee0a035ca5889aa

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
448KB

MD5
be0a363bba772f56a651f9473d6d7440

SHA1
b9bb1c2b5d0c9f235b0ecc2806247cd1535b40f8

SHA256
d382fa0b38fb57be34bc79cd636bf5effb1d1d695b93783725e2aaa49c5f31dd

SHA512
a54c398b60bd6731ba7d758752aa04822166f5307eaf5d3ba1e553cab519791f5825439575a9c367492be537b87254f0ac77ada53b854447dba3a3bc089b5cc6

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
448KB

MD5
21f83b8901983e50adf90f015e74070f

SHA1
9f3894e04afb4f778cc41b906baeaee1e0a2e815

SHA256
419cefcd490b2b3d8241f07163e32d8711bf2d1bfc14389f1d3ed32882ca3b89

SHA512
c0e7a9c75f96d1b543a67f37f11bc0f00f7f6887ec373976f23e8d74427684584b1d1cf90305a4c8dbd4ab85650a5c28533810ff6a22b1263ce52f6cf29e8931

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
448KB

MD5
66153cbec925e1e706654c9a3776bf91

SHA1
14479a0e2e76ffda63ba6922f221de504e8e598f

SHA256
29d2b2fae6f1aa4e6e86723819d3fe42339a6a353dfe3e6e4580af8f7a2cab9b

SHA512
57ce98f9f4e40e743b0821e1da1c2581e1796f79b2fa4c749b4f4a32946a4db5fb30d1df0021e2946aa387b528a1bc0e8327ce19ad5d13644f611c7a0b028913

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
448KB

MD5
02df35f4e3b7e1a35b6e5b06068ee421

SHA1
5cd20b55ce31b8b071b8fc43da0d0642fd5cbaf1

SHA256
d1653ed0f5a2d9cd4716c3dc1fcb962df335795f872a94d7c95c06fd2a28e46f

SHA512
7bc0f0d21e68f8a14a2a25c3ea595fe6e9d5a8db5917d32d945ef636f3dd5f783f408bd750d416f538a7aacd6f1e4e331bffe78cd46bb4c2de43f1f091694fb9

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
448KB

MD5
0dc5e64658998608bbfa4a26dcbb7b05

SHA1
a990e7f75a399f01b7962eacd70552d3d1973fea

SHA256
8284a5951862e5608bc158a15aefc8fb4c02de37c562d65bf074146115aadab1

SHA512
7b312d2ae9919d17bf9516aa958c0f02adf431a6cffe8c9b341855506bf303a58be8aa10af5cde8bf85a80a89b004933ed32fb261892494a4884ce3bcb5ce956

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
448KB

MD5
38e51d639f9fdfeac28d718f38c7914d

SHA1
00492bd5ba7335094d5161dc9e77295c9663771d

SHA256
1e425a99f242a56d15e2af57fa2fec6ffaf473a95da7605c45599b6155229b13

SHA512
cc6865c94d39b87147c05bb8384c762d0d6b2eb5d20bfecd14a512a21d306d633c70c3e635fd1950f72cee756b89acdfd846683026397558ac13c39d3eb76b83

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
448KB

MD5
8256ca8128cab857deaa90f78c757722

SHA1
6616dafc333ab005c922d58fa136b36eacb2ac78

SHA256
6748d9bc35463fc77a666560cf4cbeff47a85b9c993504e5b0867bea6afce247

SHA512
91b86d458b3e8e65a8b1813d23c967806eee060db255641c0ce9b7b86bcd9638b70a8a650ec2a488dbfe48648cbaa7d87597a600f2c1f08d196e02ac3cb78d37

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
448KB

MD5
569d95130261226fe5aa1b2aa6a6f948

SHA1
c3c3736d0209a25a12d64e7518a83eb93edd15cf

SHA256
21694f5058e4042afef2119de421284535b48f635d579a7d077b1d9bba4fb59f

SHA512
bc9a239a534724285ed691ed83f4c286fc4d303d3cae314d3727d69fa81899a2d6147ef6bebde008cdf4f53a5d3b48321d07badcee69aee1c3a324e06376cf9e

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
448KB

MD5
7ac6688c8dd8270099e2fc366bfd1882

SHA1
3fc7581c6e3b970523649e0d9d6af00ac4c28ba7

SHA256
78dd80b65d704f17f7898ad328baa31ec6325e42f0c262c53d559156b586cc6a

SHA512
f1e40257f6ccc7795cc25c465cca2c0272417d18bfa067f0dd96fad4f8694d9a9edf687d4f859c47d254ccc0b5302218f82dd5333b768a3d6d7b491567cb3b7f

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
448KB

MD5
531a07b7d91589eff718cd789c64a5dd

SHA1
e5c4475eee8f23ce857b01728da27e57b9197ade

SHA256
2c3cec9c29b91157d26bbee4af6632441d5b57fb192393849a30086fe985d2cc

SHA512
4425a788ef99ffff18bad3e12dab6164abe9b342d7a61a2d56098130ff2f8f3e560c70b06e406d11f0272491ce053f1e1b8c66e637b115a5b5389bba87e1afa7

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
448KB

MD5
1cacb5b5d6466ec3dd18903bd898d992

SHA1
c629c0027336e7ecbc27c2325d6d56e4d16c68eb

SHA256
e75bd9b07176edcc08ef8ee609cdecd3523d3f994afacdab3a89e659548835d3

SHA512
4ce381aa6f4adfae3e824882e421bc58af62834a9c6a4a6c057f3420c4063de526741693ba1f4ad51a7818500fc6375708c4cdbf7ee2334aed24427bfabce30b

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
448KB

MD5
122b398f88e47d85fa25d2ba4ddc1eb9

SHA1
0a1b417dd1085b59b12d5734dd1292fae9ba6815

SHA256
009d8183292d4876d03c72ec2d7281e9f868ac844fa722465a713ea7a5ffcf24

SHA512
bf90b92b56f0b2f56db5a74d78a38199a4e705a4cb215565397ff89f7c561d499ff3f63bcd21877c98882ed3882234595d4febc4141ecaac987903b8cfc9845b

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
448KB

MD5
55c4e1db8329131e3d3a20abc614e310

SHA1
0a487dadfda29cc8bc5d41539e26e2cae342429b

SHA256
cba2d999c0e8230dd0ddb3c6ce77ee8e13cc0e2f0cd4674eac5ccf5c1fdf73c6

SHA512
0d6a57cdfce652e7d1cf6f75216f46af8983dbf64d78b8a50e37c57fd4adba97c23b7412a553b609484430315ebace9dcbf0c510db499f6d3dc1ad483f149607

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
448KB

MD5
f8c8a42f9f250eb2967c29a2415a3c94

SHA1
55129039ebef921e607210bfd4b07cfd4b6c8f2d

SHA256
c3e21ca1946256b3f864e131a3b94fb63f4795e44aa9e67496b9e10eae6e9254

SHA512
a340bcc7f9945623e0ef8b83c45d5b84bb592376f206f9df07cb466daab332cdecab21cb9d9236dd5974809b909a4f0e8b33fc47c71548ce183fbd18cc3fe288

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
448KB

MD5
ce2aff872dda0a4b09621878bc41a464

SHA1
d28706158c999c27a90f1a955af72bb708f54e3c

SHA256
7762c769ab8fba4fb794dbe1d85c1f511b865ef14226db2c2b6dfec3b37a119b

SHA512
e163f419afe1682dc6a7a1a5c1aa92a1c80aa218757c0c2730159bb228e98f86835060ff271740fe0c0d844a726c6451469f0f8337d56ad22efd468a43dfbe48

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
448KB

MD5
7d28c92b1b1bce94c7263e1ba92056dd

SHA1
b700cce7d4ae3c0e09ccbc4d41cc89d8f3c9140a

SHA256
bc32e562f597c0d7742cf1f218a6241e5cf1c5dbb43f944671fa538e0a52760f

SHA512
a0233151e57eff94e14d5c506c7c289fdb2c5a8803e839a707a499d6f0263e91d47c1d698e5824311f74d87504d372d1ca8e2b28cb39907680d58c9b18dbfee5

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
448KB

MD5
360231e96c14d1438247ba76e8d6a35e

SHA1
7094e6e67f2c6327f9214e24d9baccaf11c2beb2

SHA256
7f917a0edbf18108cb787c3216d3b90518d532e18e3447dfaa552dfd00afbae8

SHA512
2f9b5d08f32f37963bc8f5dfe96da611ebfd2cb5f2779c5e0e98670c48320c06c83cfce15964a4c420748a8bf324a7a211774d143d0826b4aebd67ad5948cb18

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
448KB

MD5
0d5333d209b2165f0a795fba3dd89f64

SHA1
009acafef4d10406412498b95aacfab0895857a0

SHA256
c330f5321a2a0a873ec1e222aae123a758979083942fdd9808957bc94c106e15

SHA512
654c545260750b58e639565adb88abfef3123f145eb2b222f76b458db32d158fcab6d0f8a1a6a09945222fb1033c30c44cb3077e97b60652627e9b687b176073

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
448KB

MD5
4d98d9442a58328be84414f5194df111

SHA1
a2ddb652b9050d6c04d92fe1c3a3f81cfea5d358

SHA256
a6edfb55aa0d01034199c1c1292d403681e599753d1557bd47682505bc3ab0c3

SHA512
6049128de378b8fc8cb82192e578ad485d8b6dd25f7b358fab2107e1ee82898851ec57cff31c960abeb42eaf2bfc8ea9121b7896345a1b8f81d80507d5542f13

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
448KB

MD5
86bcf998c3068b7d30107a8a88bdb685

SHA1
7a05b0753bd8bcd6ffccb8b5e604c2d71e7e3f88

SHA256
00a3b44ebbfdb09c88c95e41bef3f146eafb0e9a5a120a075e82a3c7a0eee554

SHA512
29232258c2a7c1f193cfcdca3a7a9de2b74fd7d1d371b364ebe36d24ff6f131d405c1d42151c638eb5ba0950d5d3bd7ec0da44a8e8570d11712de0a3e71f1827

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
448KB

MD5
1dbd224bed2b1dde42bee570a9a74c4b

SHA1
f8a2a78441150176019371d5f2ee7908699738b2

SHA256
215fcd20700d2663ca623a24fd7a4aa52ecb5b507d48f27bb256a62f3e3cb586

SHA512
e553f9e29de85b69b014c11348fd9b1ca359e19e22fdb8c6d34589b392c6bc79b863ae0b697c0bed9959d56f036285d761b58e922dffa97e5b63c0c468f0747c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
448KB

MD5
8f1e21a26937053ddb8982d794991a29

SHA1
bd57c0f5fe653e2c0362de444756e208b548b3dd

SHA256
5c6757f927ec7f9a6ea26380a4f639de99fab5a314f48c9125e445581c88050b

SHA512
04c598e599b469a2856702cdade7adf9b5e371a3309ecf5b63183213269c72f3c74317975509c742d9da357d307dfcba9388abc02bffa5228c9568390e789536

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
448KB

MD5
207f0cf87f8b8075a2d69aa71c45f967

SHA1
08bf11c58f7d3790d5b1fff47a1e9c96235abb58

SHA256
67ae2da69402459f5bd736309cb3fdc8c4dba3fd64fc2721a8d577aaeb8d9ff8

SHA512
730a9c5bf595de48c1fccd85d14d5f90dfdd1acf04f6ae4c188fe38ff844ebe7ddf3ae12e808d0facb0cdd5583a7e2ca7a244e8d5789dc709dda71e639e68749

Download Submit
memory/64-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/64-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1760-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads