berbew | ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe
Size

148KB
MD5

ad13a40e4e771e60596e1555ca9be470
SHA1

70df5f8b89f3289905f95969cd5486c90ac8cd04
SHA256

ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24
SHA512

f1221a75ec633e23cffa3a907550e773b0093496c277a3a6af531f4cff6e1a64e339efa56b8cd19169736437f6e4a9535c5750b3bde1accff9cc6dcf59deec89
SSDEEP

3072:UcV8y+7/ylUX9IkkY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:UcVv+7qWNZkKOdzOdkOdezOd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 40 IoCs

pid	Process
2640	Ajkaii32.exe
4812	Aminee32.exe
2436	Accfbokl.exe
4236	Bfabnjjp.exe
2452	Bagflcje.exe
2084	Bcebhoii.exe
3304	Bnkgeg32.exe
2488	Baicac32.exe
2588	Bchomn32.exe
4464	Bffkij32.exe
3960	Balpgb32.exe
4400	Bcjlcn32.exe
1668	Bfhhoi32.exe
4884	Bmbplc32.exe
3468	Bclhhnca.exe
3024	Bjfaeh32.exe
1044	Bnbmefbg.exe
1172	Bcoenmao.exe
3496	Cenahpha.exe
804	Chmndlge.exe
2056	Caebma32.exe
4456	Cdcoim32.exe
1432	Cnicfe32.exe
5044	Chagok32.exe
3156	Chcddk32.exe
3552	Cnnlaehj.exe
4312	Ddjejl32.exe
3824	Dopigd32.exe
2572	Ddmaok32.exe
1380	Dmefhako.exe
1216	Delnin32.exe
2496	Dfnjafap.exe
1800	Dodbbdbb.exe
3880	Ddakjkqi.exe
5032	Dfpgffpm.exe
2080	Dmjocp32.exe
1540	Dddhpjof.exe
8	Dhocqigp.exe
5080	Dknpmdfc.exe
2948	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	2948	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 2640	4320	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe	84
PID 4320 wrote to memory of 2640	4320	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe	84
PID 4320 wrote to memory of 2640	4320	ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe	84
PID 2640 wrote to memory of 4812	2640	Ajkaii32.exe	85
PID 2640 wrote to memory of 4812	2640	Ajkaii32.exe	85
PID 2640 wrote to memory of 4812	2640	Ajkaii32.exe	85
PID 4812 wrote to memory of 2436	4812	Aminee32.exe	86
PID 4812 wrote to memory of 2436	4812	Aminee32.exe	86
PID 4812 wrote to memory of 2436	4812	Aminee32.exe	86
PID 2436 wrote to memory of 4236	2436	Accfbokl.exe	88
PID 2436 wrote to memory of 4236	2436	Accfbokl.exe	88
PID 2436 wrote to memory of 4236	2436	Accfbokl.exe	88
PID 4236 wrote to memory of 2452	4236	Bfabnjjp.exe	89
PID 4236 wrote to memory of 2452	4236	Bfabnjjp.exe	89
PID 4236 wrote to memory of 2452	4236	Bfabnjjp.exe	89
PID 2452 wrote to memory of 2084	2452	Bagflcje.exe	90
PID 2452 wrote to memory of 2084	2452	Bagflcje.exe	90
PID 2452 wrote to memory of 2084	2452	Bagflcje.exe	90
PID 2084 wrote to memory of 3304	2084	Bcebhoii.exe	91
PID 2084 wrote to memory of 3304	2084	Bcebhoii.exe	91
PID 2084 wrote to memory of 3304	2084	Bcebhoii.exe	91
PID 3304 wrote to memory of 2488	3304	Bnkgeg32.exe	92
PID 3304 wrote to memory of 2488	3304	Bnkgeg32.exe	92
PID 3304 wrote to memory of 2488	3304	Bnkgeg32.exe	92
PID 2488 wrote to memory of 2588	2488	Baicac32.exe	94
PID 2488 wrote to memory of 2588	2488	Baicac32.exe	94
PID 2488 wrote to memory of 2588	2488	Baicac32.exe	94
PID 2588 wrote to memory of 4464	2588	Bchomn32.exe	95
PID 2588 wrote to memory of 4464	2588	Bchomn32.exe	95
PID 2588 wrote to memory of 4464	2588	Bchomn32.exe	95
PID 4464 wrote to memory of 3960	4464	Bffkij32.exe	96
PID 4464 wrote to memory of 3960	4464	Bffkij32.exe	96
PID 4464 wrote to memory of 3960	4464	Bffkij32.exe	96
PID 3960 wrote to memory of 4400	3960	Balpgb32.exe	97
PID 3960 wrote to memory of 4400	3960	Balpgb32.exe	97
PID 3960 wrote to memory of 4400	3960	Balpgb32.exe	97
PID 4400 wrote to memory of 1668	4400	Bcjlcn32.exe	98
PID 4400 wrote to memory of 1668	4400	Bcjlcn32.exe	98
PID 4400 wrote to memory of 1668	4400	Bcjlcn32.exe	98
PID 1668 wrote to memory of 4884	1668	Bfhhoi32.exe	99
PID 1668 wrote to memory of 4884	1668	Bfhhoi32.exe	99
PID 1668 wrote to memory of 4884	1668	Bfhhoi32.exe	99
PID 4884 wrote to memory of 3468	4884	Bmbplc32.exe	100
PID 4884 wrote to memory of 3468	4884	Bmbplc32.exe	100
PID 4884 wrote to memory of 3468	4884	Bmbplc32.exe	100
PID 3468 wrote to memory of 3024	3468	Bclhhnca.exe	101
PID 3468 wrote to memory of 3024	3468	Bclhhnca.exe	101
PID 3468 wrote to memory of 3024	3468	Bclhhnca.exe	101
PID 3024 wrote to memory of 1044	3024	Bjfaeh32.exe	102
PID 3024 wrote to memory of 1044	3024	Bjfaeh32.exe	102
PID 3024 wrote to memory of 1044	3024	Bjfaeh32.exe	102
PID 1044 wrote to memory of 1172	1044	Bnbmefbg.exe	103
PID 1044 wrote to memory of 1172	1044	Bnbmefbg.exe	103
PID 1044 wrote to memory of 1172	1044	Bnbmefbg.exe	103
PID 1172 wrote to memory of 3496	1172	Bcoenmao.exe	104
PID 1172 wrote to memory of 3496	1172	Bcoenmao.exe	104
PID 1172 wrote to memory of 3496	1172	Bcoenmao.exe	104
PID 3496 wrote to memory of 804	3496	Cenahpha.exe	105
PID 3496 wrote to memory of 804	3496	Cenahpha.exe	105
PID 3496 wrote to memory of 804	3496	Cenahpha.exe	105
PID 804 wrote to memory of 2056	804	Chmndlge.exe	106
PID 804 wrote to memory of 2056	804	Chmndlge.exe	106
PID 804 wrote to memory of 2056	804	Chmndlge.exe	106
PID 2056 wrote to memory of 4456	2056	Caebma32.exe	107

C:\Users\Admin\AppData\Local\Temp\ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe
"C:\Users\Admin\AppData\Local\Temp\ed4f1381518ff1a2ee600bd3429887cf9e65a84152d5329f6f8d6003ac341e24N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SysWOW64\Ajkaii32.exe
  C:\Windows\system32\Ajkaii32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\Aminee32.exe
    C:\Windows\system32\Aminee32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\Accfbokl.exe
      C:\Windows\system32\Accfbokl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 412
        42⤵
        Program crash
        
        PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2948 -ip 2948
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
148KB

MD5
c7059a6ff3b743885804cb37d08454e1

SHA1
03a256de73a31f24edaca6f67af4b74b7a041051

SHA256
437db800c58a10d64e6561429c0ee2b35a4334b2d22e9630c7aafdc956b0bcad

SHA512
fd9f70cb56a145550a8f44b05236cfd2fd75e5458fcf9c400b3f966db85a6edabe08b840f027fab6532cdeb7a974626fb48275273ab6d737903535d0ef5ce6b9

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
148KB

MD5
5a914dc1607504b9d3c1f89144cf334d

SHA1
4dddbe1de59818c3991889fbb33ace7ab7663d00

SHA256
19b0f4c61d9d6cb9518d9050925dcdb03b826b6815b02d82ad064d47e880b4f0

SHA512
189d43b9208c04b5352fe56ed9d55add26a893564339c510105bb0d47fec7d07abe004f932bc50490cbcf9bf52fa45c2a209616d032eb3233d0a995869ce1f76

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
148KB

MD5
584d10e9d4b0f554ee344c13f55a97b9

SHA1
b28ef4540028c5a66d827f7b2e272f7f2705787a

SHA256
0bea38abdcb8e51921649090aebea985c3a8b2b0acf0aa56e8c98fdd9530f00c

SHA512
e54809ae85af500184d5971ee7e4a4f9d3ef41d199358cf18ffac14a71f58e9a18d78519d1e20ec6e1505a7bfb11c83c78a11d7e79cef708505094342817806c

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
148KB

MD5
77b2a1753836c2aa390b3213c07983aa

SHA1
dd4f4b8aa4a91ddc31fee83ce4e7c244bf9c46df

SHA256
62fe92087a3731bbd41cc8b8cca0d2263bdc63c1b7c820934e869c92fda4561c

SHA512
4fd8f0f9522f8b2cabb6d557474b0ce95304a7004ff82860baa703df1927f133906c1a70ba56a916989fed72ac06160d5899d6ee1027d910766903aacbfc4d5c

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
148KB

MD5
c8f7c4fc07e3dd7f81a791e1e28a3504

SHA1
4f8ebf08a587137bd1e7818ffa6af649a14212c5

SHA256
efe0a5eaf0a379d309bb2ffba2c5c414fab636f55b386cf410324739a4a78884

SHA512
9beb85cb555307ef30ae32168c5a14c4f77bc885dd9decffa0457661ab19f5d319436b0f10a1fd04d77208bc9195927f1a1767a04de9beb462d894fd42f0076f

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
148KB

MD5
49ced9949906e2fb375834299d4dda65

SHA1
1a9b7b4cd48d23b641145e2a37c476778584a1c3

SHA256
622e301201d7dc48551a30cc84620a68c1dc65610e25cb3d9c2de3614205f1fd

SHA512
465358f1f80922fcf4ef01e11414c82cef435c6120ca0b4f86d7a96b89aec70085b55fa8993266a1341985a3ce87b266d1442e4ad914dce7851aa99ffc5d3c6f

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
148KB

MD5
f84a11fc20de8d15f528dfdaaaafb614

SHA1
b8db84e8908ac19d04dacf40cbcee6f9594dfbff

SHA256
8ebbc1a373c4d4f3073c27e4859c0dabe86cc7b43f96471a9ad03a5be3629a18

SHA512
8d927a0aab05c6952e129e9f17eb8a9a080d992a70a06490419faf0290efdc2a96b2063dd795a4574b855ec3518ceadc41ffcffec73c21766d49c548134390ab

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
148KB

MD5
a8e59427d296c8695a92790b88765dcf

SHA1
62fef0a2dd98f44f2188e2cb286241c9a0f7ecc4

SHA256
5e3c6a8ee76426c9c65c0ca61c19efa4e3f7458825cc251312ac718e44ab06be

SHA512
78ddecca3bbc679ad60622913caf95080f688466a12f96cc66eaba07f451acda2d1d2874d161c67f69f0457cc602b32537f172e47ea81c58eda98531340e7d36

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
148KB

MD5
b8e9d9896ef8770cdbc7626559cfa26d

SHA1
51c2cb78e1d2bcd7a54ca5eea13d98ae7c3c20a0

SHA256
506702344eefcadd99ccd1b4001afb1f2453c9274788b8b6e353f6d18a7cf483

SHA512
4fde0a19b206a0aba1b633a60582d76416c76dfd772319ede61519f59282bd74c7c1019b8e67b6133ea1e4917b8193fec98b5dfd6bfe1f792a4b190a8c1313aa

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
148KB

MD5
e263d1cfe13cdfd1a608c7e331625547

SHA1
e5f546ed878a30f2a25213e27ce68f596e321e4d

SHA256
42f9aa5f69f45b7a346ba4536aec40a4c21a2f9245a4ac4f3b924e343520b1b6

SHA512
6b74daea1f3c410886792a870f0f93abb16e756d14e00c327c02c8ab56d1141e887462bf7c170c766c5b26d08ffd5bb0e3c9fb60a96f8170fee654994b4f7417

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
148KB

MD5
676f6666d0cf24a743def6ca06072af3

SHA1
6810971d3432f09c91150e0cbb1ac23495c1544b

SHA256
ea3cafc9cb1d7314b3c421f5906019a74fe13c21533b4e4ffd610d72171ec300

SHA512
6398520fecb46fe096add8bb819b198e8a35e640bfff9a1973b8dc24309c11106e277a83a03dce503970f212a88168ce3035e550632e9f042c2a3494a12b5c2c

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
148KB

MD5
0b00a255e50424ac70601c09071365dc

SHA1
58904d63efc39e936ee271da823fec38d06e6e23

SHA256
00cd4f35a66d6e761adabd29f07c12f0eba19c449f00e28c699ca1855867f522

SHA512
8e95530d6d67875489958c3555e9c270d87119d48dcfab55b98ce5074c8de4acb8fafda23b8a7cc3f0f793ab38473dc41623008f7d5193b91d0ac4f96b169ea7

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
148KB

MD5
974448c70af95a90b1890c489742743e

SHA1
dc35bbf34d70377fcfd11f13ae746c8b252c7d5f

SHA256
aa8246ecc82cdd7f65f46e947a785be6f682126e68cdf69cbdc7c3e763797149

SHA512
9b73f29111950406a0057f8ebd45f472ca55aa946f16a40de3346f6b19f92d7b00058d3631b14a7f35cf2664a20baf79ea7ffd504427dfa1bc0f7065fb4463ca

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
148KB

MD5
3c82da1a8fb8975eae06df45a0555588

SHA1
4f51c2511f06c16f59f94f972274fc7ed95707fc

SHA256
e7bcdbd5a28b8bb65590d6c89c9f4b055a7fa0be6371fe8f6668a37202dcd22f

SHA512
e85ebd5a2c3ff5aa81ac6efde572dcff3bc2bd1413bcaabb88f502d93cbad7dd98a3b9c5db95fd3440f6ba144e7adabf78c33c38e0682bd16f0b02dedb8f2860

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
148KB

MD5
9bc6d3e2d15026c010b1ada3f0f9b4cf

SHA1
2dcc9f0592edb1456b0e0a7c78c60926d9dafd66

SHA256
71f9deca8abe1a21b38ea1e49834e0d539f9f7bee44183cf2679193db708db35

SHA512
94f115985f3b3ba88677d9d66bc6d04160ef78d9be104aae4a6ec98464520a9f3eddbdfaf5356ee0973a2fb4cd5c5dfe8d23329a9ba0127f53725492d61f59ea

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
148KB

MD5
9345a2e43daed561b25b1046d7f5775f

SHA1
07fcd4bab12bdde1a88935a889f0ed631ca2e9a9

SHA256
da83a86f0680482c6fcf0c5cd41074fe9e510c8815765f6537507b22058afee2

SHA512
b8b67b2544f4d960bf87b066059ee015c9b8d21d13aa942bfdf6a6edca363c784502b52f6913f06a74adf67d98978c1289598c653196fa5a28a020e4c3022e1b

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
148KB

MD5
8c900f00cfefa75b0b3399c4c23ee8ea

SHA1
47d01a780250f658f050573fe015b0577f0515f4

SHA256
a30b87e8e9d6ffaf65a858a2db0b42e544a1b12a469edae1e955758677b54830

SHA512
612ac9d10cb724096fa2667aec070695241fa8a66b613306ff5b19740dd5a44f2c21323bb990e63d87b15ac2c3395a00cc9dc969cb5e94fc7aec8b621ab5fd40

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
148KB

MD5
a14d189e53e0d63b0b4a8ee698b2759a

SHA1
77776b200f6d6b2f47fddd346803b6b002ecd5fa

SHA256
3272e71e79378e3d0a98608cde970605190d77cf1bfa43071782f164ee6deda1

SHA512
72fb6de94ac456e550e058d43da577c4e328159d42d271227dd5ef292efbd4478077e3967c579e2d0f683e47ae63804eeef1d3447cce09e0541c9e4b0f7516ea

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
148KB

MD5
c3f9d107f1b227543b784b38f1fc5fbe

SHA1
2729a423335bd80f0932132b3d6d775339704fae

SHA256
b646450ce4bf18fee4874011db3cedcc8d462766086d02f798db78423ea79794

SHA512
e4398682e56934b683e0375f874593d202cfd6b4b47e99376260ffb4d5350cad6fbdaea9909b6c3770deeb668726babdfa9ca7066ed67202c5d110a01df03ab1

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
148KB

MD5
f348cda88989591ef524277957a5a7f8

SHA1
f6039a89681d56d9f2acc4c32ccc233259b36e57

SHA256
de6e01dc2fca259c7cc17287500d563c8020626433077ac18a8fd78a15e71509

SHA512
bee60f6b8db3b6aa58609b250173a62bce2e8c4b28f46f771f8c6a4e482276ef6a960c67ab9c1c60d8f6fe00d0fdd29a619ffb68bd284801f2a998d87216e5ce

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
148KB

MD5
6146d975a17e43e392c10c6190cacbcf

SHA1
270a74d5d81600b7951283c900e8164a825f4ac0

SHA256
1e48f9c70d9ba480af2c7a063f5814afab3dd08b9d1a69eff069fdc99706327a

SHA512
c691f36d1e9c1f0f98ea9f14c4bdd6e8f9e2957dd75aaf98d0d228bd36694d0b9a7214257eb0dae4c72e5fcf518216d36cbc36ee093c38aa32c6dfd305b24896

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
148KB

MD5
78e037e96d5740e46f6e68f22ea5de4f

SHA1
5de2eed355b1ee002f452984bd8ec5805a68ee72

SHA256
70b5211f91ea06a40d4c0f5eb993b65890cfe4853b1d16563ad204f84d3e24d1

SHA512
2c37b99aac0ef6efb5211d7964cc3ff4a0b7e5d80dd16334345815fd25460e999f26b4c332ede0e46ec8f1ce04a26354df62587842c08274192273337a855347

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
148KB

MD5
95e7f80ed3f9073060e65a2df0f3f825

SHA1
60387409530afc939f958db159b8000e322fb9a9

SHA256
45c85b5f7c2c59b5acde39132a26ebcf137adc8e0129cad7fb8ac22038d68795

SHA512
226a60097a15c6e48f14faf06f2882ba63e1091327ed5b3a53e4f38e7c73839c9d475fc6a0fdedccc5bd276a833e596dec760962dd60e10c7635e0343ad96e2a

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
148KB

MD5
20344db995ed082359686bd49ea0fbcc

SHA1
5442550e7c0527726ec92d867d6e3c8e5344dc7a

SHA256
6edff9b64d208682481af814785713c18459090bef4c67bc942ff30ed15ffaa5

SHA512
b3ecf91b2264fb75ce0e6f38e943769c02e89e38102bd29716e9028d6d94c71dd243cf5b07704581c5079c379c7832078952f9b6000dedb8837f5df703beed02

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
148KB

MD5
7382fcdbed3fb5828942b0f6026a479b

SHA1
332d69e6dc42c139e98f1d79af32710ca39a257f

SHA256
b9c0369cde60c7f066362615d0ea2b692cec6d71d20624eb9466beb04c44d25d

SHA512
a65ad353427aea69fd49125e77121a52673a54fb5138b80028e86a0363888e840c5d33bb973d044c25c462402bfa2e2a73d906320ec15cd5127f951312893506

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
148KB

MD5
ed572fc64b01b264c726a4c0e3cc140d

SHA1
8403d1f0b2f5db05fc09c56fd13ee721021dadd8

SHA256
d0284f420197ad618491cfd02b884634479b9f22b6a43b7bf92b54d6472e7d9a

SHA512
fdb3a1e4ffdb528c63f3fb1becfa47b05734706df45fd6a00b5d1ffdfcab4e746be836c11526d4f48273d93ab85f55f3e2271e5c7cd032127ce414cc59973bbb

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
148KB

MD5
e32e58c0089d40aa588fc0fb1015c515

SHA1
ab1caf1515b3fd93defb57a631ae4f9aa61c9b8a

SHA256
e265c7d777008ac4d8e68b6ef3985739b2f5408a24b37df2aedfab13a630d1f3

SHA512
d855cec91edd85198bec0fd1bab643c4116bf00e9d4148dd0c85c083624c6c50d8fba35c21ce9d77f904b5fab110d6d01f9664c6000f18a4292ab055025199d4

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
148KB

MD5
ccaac48285c37420f68bdc335e515182

SHA1
8b94cedf13689d3ca557ac28c88e5632a3938978

SHA256
104ede4f8dd88d80d8f43090a9e6bffeb32e449b138edfa14d388ce7c3efcd5d

SHA512
a133d1c9f8f2c80c620054879eb5ee4a0270f359b1ee613e467e906ec4142f3a0dfd90fc29c235dbeecc7ddd454caa46be7b61154b6463a2812db90c5edf3b5d

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
148KB

MD5
21ef7de57d7a18a4d4837bde9c32a1b5

SHA1
7685ec2547d2ac9af2cad45e404abdec2675a80e

SHA256
1080fb8e1f284bf28057c51f4f606b1450a3a3c8701ff2f8acfdaa7ccab93863

SHA512
5fe8fdda6fd86ead8481e34d2668799b1b3c6091a5101c3ef5fba6056863b1712958bfd53a61c88a49a4b1aae5433aef0d8bcd97749384c5c076474adc37ccd8

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
148KB

MD5
f69bbe93aeca11502308daa8827880e5

SHA1
7f96ef6237d059e663ee97c8c8db2bc63e7ec995

SHA256
c7c4156fceb3a7179a88a00d53ee0dcfac4ce7008ce7c4e779d6488e994b848c

SHA512
15b113271d8834879a48886c3eaab04ca8a1625ea1d9d569c8dc3493d90fb97f4cded0b9c7bbf61030e01f3b4c58e8cad3aad1f641091b4f9b860d478811531c

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
148KB

MD5
3c59eefe03d76fa8f5f0c0b4d2071fb7

SHA1
5c8c59b9e148e7476270fb8cbdf0b83124ff6117

SHA256
73170b89cb56e5b9cbe36633b1f2f25cc67118beede53f7077a10de3e9ba1923

SHA512
5a4d798dd70abceeaf3df271b16fc2af37464e7daffc4fe40807fb544c941ea49d65acebfcf213b3ee393b223c1ce8d6a375c8c39927657ca57d877111426e06

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
148KB

MD5
0e9eef11bdc4632b353eb2b14a7b1a30

SHA1
ab694a18fa62bb1fa3e1b8fc725f8104458d06ce

SHA256
e634dfc8314abc5f03ff2138121854d781b5abdaace0c5143dfae2ebeb278ff3

SHA512
f1945e180c809fd2bbc44003285d6feed70b9cb4c537326aa32936ad81ccf42133c4683d7e87535a1478329b953cf6edc76c6ed5a447ffa527911ee4a317ac79

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
148KB

MD5
a15b9bbfa0fdf4d9e5d2d3551b2d0388

SHA1
40be9d99a67a5da767faca96f5de80c09f1aee1b

SHA256
afb304f537210570ea01a0d35067e92f4fcf8bbbc4e80ab108540d6c391642a7

SHA512
03f92f9f671ab6c6359e7c7c7ecf6eb01aa889bc800caa7ebd3aa7247f496dbe1e95647391b21515a37c7e3118df1178695ac5e7de28c896a0f0a1655a7a7d74

Download Submit
memory/8-297-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/8-311-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/804-160-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/804-346-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1044-137-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1044-352-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1172-144-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1172-350-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1216-324-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1216-248-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1380-240-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1380-326-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1432-184-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1432-340-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1540-316-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1540-287-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1668-360-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1668-105-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1800-263-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1800-321-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2056-169-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2056-344-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2080-281-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2080-313-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2084-48-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2084-374-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2436-25-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2436-380-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2452-376-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2452-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2488-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2488-370-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2496-256-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2496-387-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2572-328-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2572-232-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2588-72-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2588-368-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2640-384-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2640-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2948-308-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2948-305-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3024-354-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3024-129-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3156-336-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3156-201-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3304-372-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3304-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3468-356-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3468-120-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3496-348-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3496-152-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3552-208-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3552-334-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3824-224-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3824-330-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3880-269-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3880-319-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3960-364-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3960-89-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4236-33-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4236-378-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4312-216-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4312-332-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4320-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4320-386-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4400-362-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4400-97-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4456-342-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4456-177-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4464-81-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4464-366-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4812-382-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4812-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4884-358-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4884-112-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5032-275-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5032-317-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5044-338-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5044-192-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5080-309-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5080-299-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads