berbew | cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030e

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe
Size

92KB
MD5

71fca92977e8633e253541acd062f730
SHA1

864af2c967850ca56a306fd73065aa7bcbeba343
SHA256

cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030e
SHA512

80fa1dad7def65466c961aae33ab451d49fb5498874a90202f47254a06f5058a4d76bec27c3f7ea26c91aa152987673b31c41492514213dcafddcfe3cfc1752a
SSDEEP

1536:EOyBNr8kDgcIKE4Mkoc4EI84MwkocA04sQEI8gUYMwkocA04sQEI8gUYMwkocA0O:4BJ8/KE4I9Z24j6+JB8M3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqinhcoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebockkal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbchkime.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddppmclb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Einebddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhndnpnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhndnpnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgjgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djafaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blniinac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdinnqon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Camnge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfhgggim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhpejbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blniinac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bggjjlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bggjjlnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebappk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbchkime.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cojeomee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dklepmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkgldm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddppmclb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqinhcoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdinnqon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clilmbhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnehado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faijggao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 51 IoCs

pid	Process
2676	Bhndnpnp.exe
2760	Bbchkime.exe
2716	Blkmdodf.exe
1496	Bceeqi32.exe
1516	Bdfahaaa.exe
2228	Blniinac.exe
1804	Bakaaepk.exe
2940	Bdinnqon.exe
2160	Bggjjlnb.exe
3012	Camnge32.exe
2864	Cgjgol32.exe
2312	Cncolfcl.exe
484	Cdngip32.exe
2360	Ckhpejbf.exe
2964	Clilmbhd.exe
2988	Cgnpjkhj.exe
988	Cnhhge32.exe
296	Cojeomee.exe
2248	Cjoilfek.exe
1232	Clnehado.exe
1928	Djafaf32.exe
1532	Dlpbna32.exe
2500	Dcjjkkji.exe
2244	Dfhgggim.exe
344	Dhgccbhp.exe
2552	Dnckki32.exe
2108	Dfkclf32.exe
2660	Dkgldm32.exe
2624	Ddppmclb.exe
3004	Dgnminke.exe
1148	Dcemnopj.exe
2272	Dklepmal.exe
3060	Dqinhcoc.exe
2880	Eddjhb32.exe
2648	Efffpjmk.exe
2152	Eqkjmcmq.exe
1732	Eifobe32.exe
1672	Epqgopbi.exe
3040	Ebockkal.exe
2416	Eiilge32.exe
1604	Ecnpdnho.exe
3032	Ebappk32.exe
916	Emgdmc32.exe
1096	Elieipej.exe
1392	Einebddd.exe
1640	Egpena32.exe
1784	Fnjnkkbk.exe
2476	Fbfjkj32.exe
2936	Faijggao.exe
2688	Fipbhd32.exe
2432	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
880	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe
880	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe
2676	Bhndnpnp.exe
2676	Bhndnpnp.exe
2760	Bbchkime.exe
2760	Bbchkime.exe
2716	Blkmdodf.exe
2716	Blkmdodf.exe
1496	Bceeqi32.exe
1496	Bceeqi32.exe
1516	Bdfahaaa.exe
1516	Bdfahaaa.exe
2228	Blniinac.exe
2228	Blniinac.exe
1804	Bakaaepk.exe
1804	Bakaaepk.exe
2940	Bdinnqon.exe
2940	Bdinnqon.exe
2160	Bggjjlnb.exe
2160	Bggjjlnb.exe
3012	Camnge32.exe
3012	Camnge32.exe
2864	Cgjgol32.exe
2864	Cgjgol32.exe
2312	Cncolfcl.exe
2312	Cncolfcl.exe
484	Cdngip32.exe
484	Cdngip32.exe
2360	Ckhpejbf.exe
2360	Ckhpejbf.exe
2964	Clilmbhd.exe
2964	Clilmbhd.exe
2988	Cgnpjkhj.exe
2988	Cgnpjkhj.exe
988	Cnhhge32.exe
988	Cnhhge32.exe
296	Cojeomee.exe
296	Cojeomee.exe
2248	Cjoilfek.exe
2248	Cjoilfek.exe
1232	Clnehado.exe
1232	Clnehado.exe
1928	Djafaf32.exe
1928	Djafaf32.exe
1532	Dlpbna32.exe
1532	Dlpbna32.exe
2500	Dcjjkkji.exe
2500	Dcjjkkji.exe
2244	Dfhgggim.exe
2244	Dfhgggim.exe
344	Dhgccbhp.exe
344	Dhgccbhp.exe
2552	Dnckki32.exe
2552	Dnckki32.exe
2108	Dfkclf32.exe
2108	Dfkclf32.exe
2660	Dkgldm32.exe
2660	Dkgldm32.exe
2624	Ddppmclb.exe
2624	Ddppmclb.exe
3004	Dgnminke.exe
3004	Dgnminke.exe
1148	Dcemnopj.exe
1148	Dcemnopj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ifhfbgmj.dll	Cojeomee.exe
File opened for modification	C:\Windows\SysWOW64\Djafaf32.exe	Clnehado.exe
File created	C:\Windows\SysWOW64\Lbogaf32.dll	Clnehado.exe
File created	C:\Windows\SysWOW64\Bafmhm32.dll	Djafaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dqinhcoc.exe	Dklepmal.exe
File created	C:\Windows\SysWOW64\Mqpkpl32.dll	Eifobe32.exe
File created	C:\Windows\SysWOW64\Ckhpejbf.exe	Cdngip32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhpejbf.exe	Cdngip32.exe
File created	C:\Windows\SysWOW64\Faijggao.exe	Fbfjkj32.exe
File created	C:\Windows\SysWOW64\Qgfhapbi.dll	Dcjjkkji.exe
File created	C:\Windows\SysWOW64\Dcemnopj.exe	Dgnminke.exe
File created	C:\Windows\SysWOW64\Epqgopbi.exe	Eifobe32.exe
File created	C:\Windows\SysWOW64\Akomon32.dll	Ebappk32.exe
File created	C:\Windows\SysWOW64\Cefllkej.dll	Blkmdodf.exe
File created	C:\Windows\SysWOW64\Acnkmfoc.dll	Cnhhge32.exe
File created	C:\Windows\SysWOW64\Bbchkime.exe	Bhndnpnp.exe
File opened for modification	C:\Windows\SysWOW64\Eqkjmcmq.exe	Efffpjmk.exe
File created	C:\Windows\SysWOW64\Malbbh32.dll	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Cabcdq32.dll	Bhndnpnp.exe
File created	C:\Windows\SysWOW64\Cncolfcl.exe	Cgjgol32.exe
File created	C:\Windows\SysWOW64\Ikggmnae.dll	Dfhgggim.exe
File opened for modification	C:\Windows\SysWOW64\Faijggao.exe	Fbfjkj32.exe
File created	C:\Windows\SysWOW64\Fipbhd32.exe	Faijggao.exe
File created	C:\Windows\SysWOW64\Bedoacoi.dll	Blniinac.exe
File opened for modification	C:\Windows\SysWOW64\Cgjgol32.exe	Camnge32.exe
File created	C:\Windows\SysWOW64\Ienjoljk.dll	Clilmbhd.exe
File created	C:\Windows\SysWOW64\Fhoedaep.dll	Emgdmc32.exe
File created	C:\Windows\SysWOW64\Cdngip32.exe	Cncolfcl.exe
File created	C:\Windows\SysWOW64\Clnehado.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Dhgccbhp.exe	Dfhgggim.exe
File created	C:\Windows\SysWOW64\Olahgd32.dll	Dqinhcoc.exe
File created	C:\Windows\SysWOW64\Bdnnjcdh.dll	Epqgopbi.exe
File created	C:\Windows\SysWOW64\Mgaajh32.dll	Bbchkime.exe
File created	C:\Windows\SysWOW64\Cgjgol32.exe	Camnge32.exe
File opened for modification	C:\Windows\SysWOW64\Dkgldm32.exe	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Eddjhb32.exe	Dqinhcoc.exe
File opened for modification	C:\Windows\SysWOW64\Blkmdodf.exe	Bbchkime.exe
File created	C:\Windows\SysWOW64\Bdinnqon.exe	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Djafaf32.exe	Clnehado.exe
File created	C:\Windows\SysWOW64\Dcjjkkji.exe	Dlpbna32.exe
File created	C:\Windows\SysWOW64\Ejnbekph.dll	Dnckki32.exe
File created	C:\Windows\SysWOW64\Ilpcfn32.dll	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Nelafe32.dll	Bggjjlnb.exe
File created	C:\Windows\SysWOW64\Ofoebc32.dll	Cncolfcl.exe
File created	C:\Windows\SysWOW64\Kjkoop32.dll	Camnge32.exe
File opened for modification	C:\Windows\SysWOW64\Clilmbhd.exe	Ckhpejbf.exe
File opened for modification	C:\Windows\SysWOW64\Cgnpjkhj.exe	Clilmbhd.exe
File opened for modification	C:\Windows\SysWOW64\Cjoilfek.exe	Cojeomee.exe
File created	C:\Windows\SysWOW64\Aiheodlg.dll	Cjoilfek.exe
File opened for modification	C:\Windows\SysWOW64\Ddppmclb.exe	Dkgldm32.exe
File opened for modification	C:\Windows\SysWOW64\Bakaaepk.exe	Blniinac.exe
File created	C:\Windows\SysWOW64\Ghbakjma.dll	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Camnge32.exe	Bggjjlnb.exe
File created	C:\Windows\SysWOW64\Ddppmclb.exe	Dkgldm32.exe
File opened for modification	C:\Windows\SysWOW64\Eifobe32.exe	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Kfadkk32.dll	Fbfjkj32.exe
File created	C:\Windows\SysWOW64\Ckpmmabh.dll	Cgnpjkhj.exe
File created	C:\Windows\SysWOW64\Dklepmal.exe	Dcemnopj.exe
File opened for modification	C:\Windows\SysWOW64\Clnehado.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Ecnpdnho.exe	Eiilge32.exe
File created	C:\Windows\SysWOW64\Kmcjeh32.dll	Cgjgol32.exe
File created	C:\Windows\SysWOW64\Doejph32.dll	Ckhpejbf.exe
File opened for modification	C:\Windows\SysWOW64\Cdngip32.exe	Cncolfcl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2556	2432	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbchkime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncolfcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djafaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgccbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnminke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddppmclb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dklepmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceeqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdngip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhpejbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhhge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlpbna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgjgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjoilfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clnehado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkmdodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdinnqon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cojeomee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkgldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiilge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bggjjlnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camnge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcemnopj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epqgopbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfahaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilmbhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einebddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhndnpnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blniinac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnpjkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emgdmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqinhcoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efffpjmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnpdnho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdkip32.dll"	Dklepmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dklepmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmaonc32.dll"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgnminke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emgdmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll"	Elieipej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdinnqon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnkmfoc.dll"	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eifobe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefllkej.dll"	Blkmdodf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqinhcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll"	Efffpjmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdinnqon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhpejbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doejph32.dll"	Ckhpejbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll"	Ddppmclb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgjgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhpejbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfadkk32.dll"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjeh32.dll"	Cgjgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddppmclb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnqe32.dll"	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnpjkhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cojeomee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoedaep.dll"	Emgdmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egpena32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcemnopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmiha32.dll"	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljfocan.dll"	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bggjjlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhfbgmj.dll"	Cojeomee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbchkime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdojnle.dll"	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blniinac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll"	Cjoilfek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpcfn32.dll"	Eddjhb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2676	880	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe	30
PID 880 wrote to memory of 2676	880	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe	30
PID 880 wrote to memory of 2676	880	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe	30
PID 880 wrote to memory of 2676	880	cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe	30
PID 2676 wrote to memory of 2760	2676	Bhndnpnp.exe	31
PID 2676 wrote to memory of 2760	2676	Bhndnpnp.exe	31
PID 2676 wrote to memory of 2760	2676	Bhndnpnp.exe	31
PID 2676 wrote to memory of 2760	2676	Bhndnpnp.exe	31
PID 2760 wrote to memory of 2716	2760	Bbchkime.exe	32
PID 2760 wrote to memory of 2716	2760	Bbchkime.exe	32
PID 2760 wrote to memory of 2716	2760	Bbchkime.exe	32
PID 2760 wrote to memory of 2716	2760	Bbchkime.exe	32
PID 2716 wrote to memory of 1496	2716	Blkmdodf.exe	33
PID 2716 wrote to memory of 1496	2716	Blkmdodf.exe	33
PID 2716 wrote to memory of 1496	2716	Blkmdodf.exe	33
PID 2716 wrote to memory of 1496	2716	Blkmdodf.exe	33
PID 1496 wrote to memory of 1516	1496	Bceeqi32.exe	34
PID 1496 wrote to memory of 1516	1496	Bceeqi32.exe	34
PID 1496 wrote to memory of 1516	1496	Bceeqi32.exe	34
PID 1496 wrote to memory of 1516	1496	Bceeqi32.exe	34
PID 1516 wrote to memory of 2228	1516	Bdfahaaa.exe	35
PID 1516 wrote to memory of 2228	1516	Bdfahaaa.exe	35
PID 1516 wrote to memory of 2228	1516	Bdfahaaa.exe	35
PID 1516 wrote to memory of 2228	1516	Bdfahaaa.exe	35
PID 2228 wrote to memory of 1804	2228	Blniinac.exe	36
PID 2228 wrote to memory of 1804	2228	Blniinac.exe	36
PID 2228 wrote to memory of 1804	2228	Blniinac.exe	36
PID 2228 wrote to memory of 1804	2228	Blniinac.exe	36
PID 1804 wrote to memory of 2940	1804	Bakaaepk.exe	37
PID 1804 wrote to memory of 2940	1804	Bakaaepk.exe	37
PID 1804 wrote to memory of 2940	1804	Bakaaepk.exe	37
PID 1804 wrote to memory of 2940	1804	Bakaaepk.exe	37
PID 2940 wrote to memory of 2160	2940	Bdinnqon.exe	38
PID 2940 wrote to memory of 2160	2940	Bdinnqon.exe	38
PID 2940 wrote to memory of 2160	2940	Bdinnqon.exe	38
PID 2940 wrote to memory of 2160	2940	Bdinnqon.exe	38
PID 2160 wrote to memory of 3012	2160	Bggjjlnb.exe	39
PID 2160 wrote to memory of 3012	2160	Bggjjlnb.exe	39
PID 2160 wrote to memory of 3012	2160	Bggjjlnb.exe	39
PID 2160 wrote to memory of 3012	2160	Bggjjlnb.exe	39
PID 3012 wrote to memory of 2864	3012	Camnge32.exe	40
PID 3012 wrote to memory of 2864	3012	Camnge32.exe	40
PID 3012 wrote to memory of 2864	3012	Camnge32.exe	40
PID 3012 wrote to memory of 2864	3012	Camnge32.exe	40
PID 2864 wrote to memory of 2312	2864	Cgjgol32.exe	41
PID 2864 wrote to memory of 2312	2864	Cgjgol32.exe	41
PID 2864 wrote to memory of 2312	2864	Cgjgol32.exe	41
PID 2864 wrote to memory of 2312	2864	Cgjgol32.exe	41
PID 2312 wrote to memory of 484	2312	Cncolfcl.exe	42
PID 2312 wrote to memory of 484	2312	Cncolfcl.exe	42
PID 2312 wrote to memory of 484	2312	Cncolfcl.exe	42
PID 2312 wrote to memory of 484	2312	Cncolfcl.exe	42
PID 484 wrote to memory of 2360	484	Cdngip32.exe	43
PID 484 wrote to memory of 2360	484	Cdngip32.exe	43
PID 484 wrote to memory of 2360	484	Cdngip32.exe	43
PID 484 wrote to memory of 2360	484	Cdngip32.exe	43
PID 2360 wrote to memory of 2964	2360	Ckhpejbf.exe	44
PID 2360 wrote to memory of 2964	2360	Ckhpejbf.exe	44
PID 2360 wrote to memory of 2964	2360	Ckhpejbf.exe	44
PID 2360 wrote to memory of 2964	2360	Ckhpejbf.exe	44
PID 2964 wrote to memory of 2988	2964	Clilmbhd.exe	45
PID 2964 wrote to memory of 2988	2964	Clilmbhd.exe	45
PID 2964 wrote to memory of 2988	2964	Clilmbhd.exe	45
PID 2964 wrote to memory of 2988	2964	Clilmbhd.exe	45

C:\Users\Admin\AppData\Local\Temp\cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe
"C:\Users\Admin\AppData\Local\Temp\cb1e76875789fcf12498cb126e9530876afad32bda59914274f4c6e3dda9030eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\Bhndnpnp.exe
  C:\Windows\system32\Bhndnpnp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\Bbchkime.exe
    C:\Windows\system32\Bbchkime.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Blkmdodf.exe
      C:\Windows\system32\Blkmdodf.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Bceeqi32.exe
        
        C:\Windows\system32\Bceeqi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\SysWOW64\Bdfahaaa.exe
        
        C:\Windows\system32\Bdfahaaa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Blniinac.exe
        
        C:\Windows\system32\Blniinac.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Bakaaepk.exe
        
        C:\Windows\system32\Bakaaepk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Bdinnqon.exe
        
        C:\Windows\system32\Bdinnqon.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Bggjjlnb.exe
        
        C:\Windows\system32\Bggjjlnb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Camnge32.exe
        
        C:\Windows\system32\Camnge32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Cgjgol32.exe
        
        C:\Windows\system32\Cgjgol32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Cncolfcl.exe
        
        C:\Windows\system32\Cncolfcl.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Cdngip32.exe
        
        C:\Windows\system32\Cdngip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Ckhpejbf.exe
        
        C:\Windows\system32\Ckhpejbf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Clilmbhd.exe
        
        C:\Windows\system32\Clilmbhd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Cgnpjkhj.exe
        
        C:\Windows\system32\Cgnpjkhj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Cojeomee.exe
        
        C:\Windows\system32\Cojeomee.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\Cjoilfek.exe
        
        C:\Windows\system32\Cjoilfek.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Clnehado.exe
        
        C:\Windows\system32\Clnehado.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Djafaf32.exe
        
        C:\Windows\system32\Djafaf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Dlpbna32.exe
        
        C:\Windows\system32\Dlpbna32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Dhgccbhp.exe
        
        C:\Windows\system32\Dhgccbhp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ddppmclb.exe
        
        C:\Windows\system32\Ddppmclb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Dgnminke.exe
        
        C:\Windows\system32\Dgnminke.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Dcemnopj.exe
        
        C:\Windows\system32\Dcemnopj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Dklepmal.exe
        
        C:\Windows\system32\Dklepmal.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Dqinhcoc.exe
        
        C:\Windows\system32\Dqinhcoc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Efffpjmk.exe
        
        C:\Windows\system32\Efffpjmk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Eiilge32.exe
        
        C:\Windows\system32\Eiilge32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Ecnpdnho.exe
        
        C:\Windows\system32\Ecnpdnho.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Emgdmc32.exe
        
        C:\Windows\system32\Emgdmc32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Einebddd.exe
        
        C:\Windows\system32\Einebddd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Faijggao.exe
        
        C:\Windows\system32\Faijggao.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 140
        53⤵
        Program crash
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgnpjkhj.exe

Filesize
92KB

MD5
607775c26a8017735685c00e5ed0313d

SHA1
cbb819a07f0e68eed01c159a6fa2b1b068762e5f

SHA256
8baeb35ae8c102b50e0e1f05fa42c883c25ee3e3bf26e0debbbb4d6a5406630f

SHA512
2c3f3a85044da43b7eeda58248f5796488d3976035f81889b4e136beb45e664783b38f9f32564c59ee9f84118e4d6812d894047e18214c0bc3549dd392fec60b

Download Submit
C:\Windows\SysWOW64\Cjoilfek.exe

Filesize
92KB

MD5
24d0aff3723c3ede7e9d47c90436e04e

SHA1
9198cd6101cc84f7211d88b9c80dfe9934db9bd6

SHA256
41c7a1299b82c544197129a9ee6397338d23ddcd789676454efcdc04d2df90bc

SHA512
bf7ed587e862015ae58a8fc74445ede4509c4ef5ec414ec41d34feebc7f3866d335982c0e3d5fe1097f5941fe43f7f4b2aee1bef3d7e47e30bcf7a4570b41842

Download Submit
C:\Windows\SysWOW64\Ckhpejbf.exe

Filesize
92KB

MD5
911e59e3878cbfe563670084136d4287

SHA1
c9bf1ff104e3c5aba02def7b7109ac65001ae109

SHA256
1605acb01234812e924f5f55610d4497f4279ed1641d32e841c50c26e71d9773

SHA512
070942539ab7b2bc931dd1c6a1a61a3f7580d8a27f8a84976038b02e8ca9decb0d6520bcfa90db3ad64507d07433726e17578208250f8c2c201c5555e31e2168

Download Submit
C:\Windows\SysWOW64\Clnehado.exe

Filesize
92KB

MD5
c88bc48e8820166ebdbe313b32dfca25

SHA1
8cc7c6be369dc9e0e7fe3e8bcad99a5c7e43f958

SHA256
24ce5a9601a86f0899860137bb7865f072a899e020ade4f9ed3ea2336a33447a

SHA512
79655fc0d1687d83707ff0ce937fbf7b532ac5df6935daf0774f7070820267af5e83a23241f5b57b3540fbb173ffa503039c7caa92df391d63afbd590e73a978

Download Submit
C:\Windows\SysWOW64\Cnhhge32.exe

Filesize
92KB

MD5
c38480f578c06ccc3616cbd6f8beed8e

SHA1
d78cdab2ce4b967a0ea7aed91f9ca4473d18d1dd

SHA256
4b932fb6868cfadf00cbb2b1f9d47da822260118aa720a8c4029c608b4809f99

SHA512
80824ec8ba81cea5afa45f685e2f7bd60661a582cda4ccac11e21391cbc13e7967541b808b8eedc1a40efb0c9387aa5f9eecd46cd674433b42855c6b8550e35e

Download Submit
C:\Windows\SysWOW64\Cojeomee.exe

Filesize
92KB

MD5
7f44ad995f573361fe02a31bf5083ddb

SHA1
44b7c3329eb4fff7b4df73362ad555230a998821

SHA256
5a0b5c251c2a9d3da518a711397d36dbe39090f0aa94804da4088e350e872355

SHA512
ac53b7c5520a789ff15a7326c9becf1f30d2d230cd53bd409acd284f55092ff0b1f785bfc10c56ddb45964b04a894ac3a88dfda553aeeb6ad85433927b442a31

Download Submit
C:\Windows\SysWOW64\Dcemnopj.exe

Filesize
92KB

MD5
22baf69fe5d30bcea0ad52ebc8cb944c

SHA1
f3f45cbbf49201bd14a48b0a3fe2839aedd4f4cf

SHA256
b478f2963a9a28fd9df84f9e32a1928fd1b507e702e472a5b20d4ba30b8a3836

SHA512
a39d9567b2cce7f77b6d2f97e02691584eea2516aac156392313b538324876042840f6451d4da8d9191cd7d2b7dbccb9ac51968feaf0bf2f0153109e12550fea

Download Submit
C:\Windows\SysWOW64\Dcjjkkji.exe

Filesize
92KB

MD5
b902c396b2c30cacfc8e42cdc0a325a8

SHA1
4c7e1aaef6ba1acc986be6519237721e802c40b4

SHA256
6521e19ab377e5478ea1d9dbaa641c638d52e5f44eab898c5cd3b9be41c12fd0

SHA512
9b3887272c8c43bd9f7373612f6bbf81220beafa2fc171ba521103382cbb28a5a894e8611b2c956cb69f9d760258c7268df7f10c78c253d441be261503710514

Download Submit
C:\Windows\SysWOW64\Ddppmclb.exe

Filesize
92KB

MD5
c606d0137bcf61134c5a3d201265ae38

SHA1
157e1bb4278ef508f5613e207cdad7aa2d28f664

SHA256
ed5969c33b4bb05297dc27d431aee081bef6a320b72e46c9b7b0dd5cc6fddbe6

SHA512
1f85f8e7a54dbd461129a19e2ed8bdc4057711206324909be7db7d1300635b843a96c6782aff45684e8755cc26620fb0124e4dfee79b50be87ab9db725556502

Download Submit
C:\Windows\SysWOW64\Dfhgggim.exe

Filesize
92KB

MD5
73f7e1d130d2768aedca45c44e305953

SHA1
f83c002966158683969c36ddebef1fe5659ff06a

SHA256
61f6db167e63252f60de3f16ccd2cdb5db896978137366e494655091b16aa9d7

SHA512
2e5672d60937f5b5b91d00d8bce464d2ecb33fb6c8877007952c0cee7c41f3d64229c6798d5f52c728a8e816c772804281d0c1df698cddbceddbab88dcf28b79

Download Submit
C:\Windows\SysWOW64\Dfkclf32.exe

Filesize
92KB

MD5
86d28cc22531f8b5482a4ab2ab5ce667

SHA1
3441384dfd0bc2112bf568f148d6085af50a674b

SHA256
6db4cdea6b3fc4e7e945547323479c48888fdd31e1d22de4d6a1300fc613b475

SHA512
33702e8367cde0ba4e63e74e11729f783a7bd7de6bcbeacb16ae36c8c334c6c4b0202bed14607e6de6ab21510a443e2a44730dc6982063fa1f974edb0e24acf4

Download Submit
C:\Windows\SysWOW64\Dgnminke.exe

Filesize
92KB

MD5
a982656dea1f2dbe8d744893c9fc7524

SHA1
c396f34d40ff32b4e54dafeaf3a5d9f8610ff219

SHA256
8914f2760d7d27c9286a848a873237295d9073d052b51e4ff99e688bcb96a09a

SHA512
c876607a6fb8c89ebd604e95b13975cc8e816b3f4e055dd798826e4b10737586d4352d4820d5752d484b9d3934aaf1b1530e860b1238171ff09f9bafc6c60d86

Download Submit
C:\Windows\SysWOW64\Dhgccbhp.exe

Filesize
92KB

MD5
eb1e2ef6a2abd80bd2b424e8365b1f19

SHA1
28e7e04705779bfdee85f19049dc02af3ec39c71

SHA256
22a43caada93088ee72a13e8f6d4e37b145849c928b7bd23cf06388aca54f2e4

SHA512
d4b48d4cf13811ddd1af99278fa07d7257b8033b736507edf2d2ff6f8954d4bba1f9d543df50f6de0ff332381176a73897cc3d2b2fc52b8ecf107a758ffc7bdc

Download Submit
C:\Windows\SysWOW64\Djafaf32.exe

Filesize
92KB

MD5
1a6599ef119e3d8380dbf56475313631

SHA1
05b7679790da0bee071102aabd1d1a87323f0b5f

SHA256
fd5abb0a8f6ed7915ffc940c3ce21140be5de3c10186b151a5bf452e4e661b95

SHA512
25a9834c663ed39555de9ddfb042025f2197ea3ec4165d960c1b3b56d1025904bba81dfb9a303cddeacaf8ee48f702694a55cf1764f3b7991d0333b9b2290a27

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
92KB

MD5
4e95957efe7698855d6989b53d691bda

SHA1
2f75ea47c2b8cdaf4d2ef89b2513835cca000a87

SHA256
c4f0c5599a765ec78c475df3d66af61d0ebd6c9822bc7aca04cad611262bc764

SHA512
dd8bc079c518e811fd635253edd895fc30aaa3d8e06578bac8e958e526f4ac2b40de23663cdd9300cf6a27a542b97cd5e0ffe3c11f4cc5b580a0dc398b62b9db

Download Submit
C:\Windows\SysWOW64\Dklepmal.exe

Filesize
92KB

MD5
707ff93020bbe414f72ab50813d802b5

SHA1
548456a6eb0c08198f0e12413a3b2c26fb484949

SHA256
2830c3f16723f91f3113be9c804548ddc45993a4630a0db2ec73e6f1a9e7e3c6

SHA512
bc108ef2200397f7fc20b167223bf5649dcffc4f6fe0e7d534e069184e208399627a9ad133c04291921ac68be77b964021b1aca1e3a63c54d4d99968afd55382

Download Submit
C:\Windows\SysWOW64\Dlpbna32.exe

Filesize
92KB

MD5
0ebb86fb7f7c71521142d5eea482aaa3

SHA1
c7b8aa3c24f12fcbcdfcd38ccb039450aef3da2f

SHA256
5bef250a11910cc4fcfb6f14611fa8b2a7f8041519cc2fd2f5295d5c738f3877

SHA512
0006c9127105c51fbc1c6d015d5d0c4e3f8c9d148ec088a9527c1aec6fefa95831dda2ffd4564ce63910c68769f8a55c04157ad489e3cf9ead964da3a864a957

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
92KB

MD5
04c4f3a277fdb06c641ea3516a4b9a97

SHA1
63adf0ba139733553714cc47a26d0947ed26f1eb

SHA256
f94e9c88979b0fdd0a417cc81ca784c2a597ff65d7c158070dd288734535836e

SHA512
6a38bd45877a0794fb39bd708f808255f51eef51e82a24a2ca5bc7300607fb58f98d9a68a87f0aeb7f42f538af2fa71b26f82b63c4c819b98923c72b8dde78cb

Download Submit
C:\Windows\SysWOW64\Dqinhcoc.exe

Filesize
92KB

MD5
130c89c502628359abef218b73394d49

SHA1
0739512f5cbf49a2be04b8b3918bb5888b911d8c

SHA256
6d00fd61aba5edcb74851e9c617f6c5bccac058c24ff69ce99bd7ab2f1529ede

SHA512
861c7d19bb142dd4e892b9e90c1cb5a8aecf6747e9c261f13f9c4760f185d46333edf1e07b775aedee625fc4552e2179997f797eb38827dffcc5872be380f0e8

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
92KB

MD5
18e10be207b9d54139c2070e3ab24766

SHA1
d3a0e2a12589faa4cf1395bddd8aecd74814c514

SHA256
ad29a4ad3d8c8eeec2e9f80a47682ccea90e2c4565d08b71d0aa14edc5be3928

SHA512
e1e41c431c31925090baee436d192e02603ba213df34d107bb53f2921bb5150bd8a1c45ffa1d7cb7960217461a6535ea2fd36dc32a472f31d790142fe81e116e

Download Submit
C:\Windows\SysWOW64\Ebockkal.exe

Filesize
92KB

MD5
dfcbe347ee1d297eade7f938c268882b

SHA1
4dd442f79c90c791c5b92f0afc38aa8b59ec4d6c

SHA256
9257b4f299e6028b30d4a6367fbc1b4ae8e805b7320e49c9a48dd94747d637a2

SHA512
f45eac944069a6f3d670e52d7e3e746e8b29d7d899ffa95f28337318d7c91129e35866423e627293742603dd8ec7e67cae438953f1c3ec054677c6de7e88af06

Download Submit
C:\Windows\SysWOW64\Ecnpdnho.exe

Filesize
92KB

MD5
475a852e37b7fcc2521b6c225f784d17

SHA1
40a0243b3bc83c026023959ac7c51505d52c2ce5

SHA256
0ba40e3cb5312c22b92b31ad7cc12ee66586ebfb6b7bbf80f85bea2707910bd1

SHA512
a6d37faa81b074cfcf70d37cc1a510ffecbabededdb138e55896bed13fae4e99a3b58c410c9282795ccb68ecb18d64fb73b024071dc334d9146c1716f8a16abe

Download Submit
C:\Windows\SysWOW64\Eddjhb32.exe

Filesize
92KB

MD5
b6fa2fcfd0b8a666cb65f84539250099

SHA1
607757c0a231cb907e51fa372fcaabab40eb05ef

SHA256
ea72232ecb2a85c99be7ebd1ebf5259947732fc58bb313ffbe658df5a76e901f

SHA512
bad3f4046f9ca3ede03ef8b05aa53a714457f85d843aea5e909bb72158a30785e391a9c3d9a79e99a641f2e322aebc68548b80fc9f4304df7c8e76c7b61151a2

Download Submit
C:\Windows\SysWOW64\Efffpjmk.exe

Filesize
92KB

MD5
851ce134d6ecd79badbc82f7ade57087

SHA1
4c5bee1c5c817d10acbd357bbcea82f9251d7d23

SHA256
da949b2c5b0b369dbc0f20761b6a0ef9a2d39ab3ecbf3b07cfea30916c3208d2

SHA512
a27d1db68b7d5559495aa534e41fbadd9c158ac7130d85849e36ba83776ab09fc680440fedd37e23e48877cf733132980c0bc13ef3feb5d6ba8c76b7a6530dd2

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
92KB

MD5
50803f12769f2c7f879b2e4b1d755074

SHA1
9ba9c3a78befe05e358f14a3515580c8bda82946

SHA256
9dc9071b196c29d085f7622b1f0c13b239a869825c4645bc3f8ffa06a8a851db

SHA512
bf46afb9ca2d0dbba5a9ad6d743bc8867cdb149db8b7a4275e446be785e980893368db2a5ce119e875897d7fd4555e522ce961de324069b06df47f788dbb6e43

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
92KB

MD5
f30b5e51e53d0bc69488b8aab4de1648

SHA1
cf2b2286562105780e34b7c31171472eee462ff4

SHA256
35e3345999fde439036710ee6ecb2c97e0c4e044adbb76ad105d7be5e7fd6809

SHA512
da2b58384cfd4ab943fcfb9f54cfff2d7baea44210b039194e60b2d8869e28d7d86a929c56776b1ec78645ad7155305864e21bdd0096d270404c2855636e3ded

Download Submit
C:\Windows\SysWOW64\Eiilge32.exe

Filesize
92KB

MD5
046084e4c5fb952528709355af7cfddc

SHA1
3e6dbff20b06503a4370e778fbe6c980636f8c98

SHA256
afa53bd4a21ccbc20adbbd114878c49ac328aa4862e710396a6dd35e7962d752

SHA512
bb880d13a8d45fce754672b5f3fefc582cd130c1274e72cf49f596695f6203beec7741cbb0741c304d59b406a680e67cf564b999d8357c8b4f3ec417d47df319

Download Submit
C:\Windows\SysWOW64\Einebddd.exe

Filesize
92KB

MD5
f0d7ed57b1cdcce716e6e0d4adcd1625

SHA1
bd6cb493b9477a9daeb2fd983bd07b2a306f862e

SHA256
967b46a95a176ce37e7bf4ded7d85d4475a90340b761120ec493082bc86d322f

SHA512
6d3bf749ae0fe3e60488f4320439f514bd1821c77a572cc22040387e6fde24e9449f736b08182fb3146f5c4d3f74061d79c5ce931f479e7d5ecb98322441838e

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
92KB

MD5
7b1fe0cca4e98e010b304837d5a3cb60

SHA1
fa80730d4b86aa640d37b18ea034b99a857310f9

SHA256
54c563bd9fcb13bd0a1863214a4a1604a765b9a6621a233ce39a2bbb371b48bd

SHA512
5b0e6e9662a7e3fb47d3fca75d1f2a48a177405c6b5cc101d5006f862491b60e26d6747e851da6ffb1468ab13ac60f6315cbbf5ade2223a447923ea37100e651

Download Submit
C:\Windows\SysWOW64\Emgdmc32.exe

Filesize
92KB

MD5
5dc574ee628d169e46c61cef8ab5fbd7

SHA1
e49db492021353e18a083b1b47d30cd9bbe4e706

SHA256
28213a0a523fbe63f039eec6a0600d5a5d050bb6b4214d959f57b5d5028cdb90

SHA512
c2b11833f14570e264abc4b3fa67b37e4ab7dc964435a1bc3a33da96b406eec50cad60236736adf7ca096b2cf35d05099ac5d5268718380605d6fa906301ee49

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
92KB

MD5
218fe921e71f7a36158f886cc9479316

SHA1
febe91f9eb80f286afa646a37d8ab23f7a82da1c

SHA256
e23f206a489ec9069918c1fffd61845426a6043113ac22dbe9e8c8d3a34f24c4

SHA512
317d9011d7fb4931dff261a0cecb94fd859e4dec5737509da18db97a043392e1ad407db9dd0a9c480e502ebca7891eabbebe1f0c809e5b0d7d22b5e98720b1b5

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
92KB

MD5
771d2ff8d1ae111692a3d30ae803b7e0

SHA1
2cf0e8ad204ef4ba2e6f56b05e0c2b6652b86911

SHA256
be2372e4fe354560e103ec45cb62874437e315d6818875368794d2fa15eebcbe

SHA512
a6daae5748a3814c4a29f3cae14cd0a1a744de208033503ec08dabc6f4c5d36c25249349fb3a76fb429384f98465b64a2664167fed9db72e4f397a6070a48bf1

Download Submit
C:\Windows\SysWOW64\Faijggao.exe

Filesize
92KB

MD5
8b33b6a0de3022050d513eae5e047763

SHA1
091c30f3bd94c570825ac9b8532d3315aec38148

SHA256
251a3a6c293d201ea622e54169d63ec2fa9f8b632de0e3cf39fbeca3ddda2ef6

SHA512
5c7424cdccbf73347825e6571e15698212ae6d51b31c003541eda72f77687c0b273d608426a2f2a29a673714181602c390fd158ee6c09ac7eede9a6da62da9cb

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
92KB

MD5
ae1c4ea7095b4a4fbb323c1b9c909699

SHA1
32ebb26c4ad8c75d4f14457eafd13edcf04d9886

SHA256
3aca4168718e1d8509d4e885a858914ecd6b6354c1793aacd19e70b5676386d2

SHA512
33305c85c1c6f910d587b179f8a3ec84118937e91a78e9419998090ae8a0ad6e29c32080b65a6c1751df061212b90718799d2e818e8e21ad6e3b7db3b7067e52

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
92KB

MD5
3fcbb41c1dc777b9c73d45e4fdc7665d

SHA1
cb476fb2c2905ea59e2b845a03de109933b47b7c

SHA256
28764998e64ec682ed8252eebf884d2510730f4b35b7c00069962217b0ec60d3

SHA512
012c5a171522f586e84c135aa43662c039f3f79ed2ab883a36dfb9390756f321dc0cc7e605c5a2627e305f5aad5bee4d52aac781dcb20b137ee966b7c4b2516a

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
92KB

MD5
10d4c7b60ac1458467698ce90ad82bfa

SHA1
3d961f5b274c9508eca7784a5226272e9ca665e7

SHA256
2b57ba823ed381120963e2bd7b5d90f418128a3eb03a10b72881aca95698d101

SHA512
ba8f64ccb275d300e7e16722b2a7fdae5db84f6a3febc201b88817a8ce64f111a471cd32ad94df50e0d05165fa34747aafc6b9de9781ae1fb5748ddf40755a5a

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
92KB

MD5
623168747dd65f40d6e91298a322572a

SHA1
bc9912257942b29657d056204a1ddfbd7a415aed

SHA256
c4bbc1beefbe703d73137a3586e08ef4cf9689d5aa10d87eaaa24094b3dba154

SHA512
cabadff75e37782734e79d211f69c39ba8dd4fbf424bd6889d987dad674c1b8293f9c00a62af8ae38e1c520dd9c217339fb23075fa853d5eba68343e743107ff

Download Submit
\Windows\SysWOW64\Bakaaepk.exe

Filesize
92KB

MD5
c2d73d6edb603bb8522cb45069016168

SHA1
344f62bd1b52ad81822216bb1dafad35c82af0c3

SHA256
612c4cbe77a7fddfe2b6202952b5512da9a72a8cb3ea1d705ee8095fa657fac0

SHA512
57eeddc20f65ed04e94f66c31ee1242ee3fa89cae24d4d3fe5e862d3a5a28ed4f122cdd5638d539b675c8f064282c07d7cc83ceadc47e44a80a7bed6e469d81d

Download Submit
\Windows\SysWOW64\Bbchkime.exe

Filesize
92KB

MD5
aca569746fa4d2ca0035203e0c28bf6f

SHA1
4f118481103a899281bc98f7e1ca207e7c80dd13

SHA256
f496772244d8027f9541991c86d2468dd2681974e19b757d9cf9d2de2b312812

SHA512
bb14a8800cb3896594ccebaa7594bac4242f48d91b61cc9ec207498862a97fb256778404d03bd21ed28e7df846e895814b4f3c1ee32ed49d46007b49a08b02f1

Download Submit
\Windows\SysWOW64\Bceeqi32.exe

Filesize
92KB

MD5
3cb05cf091099e8a053e8034cae4e5ec

SHA1
eb800c58b7372c36e2f57fcc8884b6930b38a0bb

SHA256
2880f43ba37a1160f9c6608223dc174d75d9eaf578f857cf5142cd57a823ef3e

SHA512
d0bbb2f8172347ee11128c0bafec4ce8ee760ee5f0cf53d6b4063c90aefe2fc9aa689ab4300274397183b66a4e1a42608f06df1d85022ebeb02b0c3e28889350

Download Submit
\Windows\SysWOW64\Bdfahaaa.exe

Filesize
92KB

MD5
caad657f65c1c59f46d789a13699ced5

SHA1
a9fee5426bdf9dabc87a3cc1e6bb7d10bdf7e2c5

SHA256
ab3bb036680f694722f1e21d87046785cb31ddcaa1137699bb8592310a4cd34b

SHA512
837a104f2376cba13636187cf100a3d07c0d1b45e8454f80f6b1d2103fe895caba0ca1b0743967a95a3b108ce248009a95b1dbe0be612ae09e08e3a555e51e9a

Download Submit
\Windows\SysWOW64\Bdinnqon.exe

Filesize
92KB

MD5
301fcff3447727d4a659a7ad006b84e6

SHA1
bc087c38d542137f9b919d3c888647ed3ef4e55c

SHA256
672425c4409ab9b822608a254c8da1a73bd2f21f62771106105d88a0d4803afe

SHA512
88eae9f7d88736819ab55334aed0aa881f2ef6a54325d9aa9cd492bb4f538298499f0376b8b4cb51e649c7ba32339521d2f476d7ab2395445177d84658398a33

Download Submit
\Windows\SysWOW64\Bggjjlnb.exe

Filesize
92KB

MD5
0b41d30fab9d9c54b1f53f0bf0495d47

SHA1
7b6b815439603919e5b8dc7f5717f658de056e60

SHA256
e627a3dda8755bf1639ef95bca69359285e443c40afca9ff89bf840b3e5b34d8

SHA512
dec4767238fdcb2ef69696b4db61af91b4d13b3181f23d14773beae1505b4a13874dd40cc837e55d4551c369050acba4749fd99133b864b931030daba2f0a318

Download Submit
\Windows\SysWOW64\Bhndnpnp.exe

Filesize
92KB

MD5
fae714faec8b19e950953bb8c37c8d46

SHA1
aee5132478836c894c986ae2a25cd2cacd1c3dca

SHA256
bf25d574e2f7eb6a6340725315c32217f2e6ee5aac00ca3938725ace974975da

SHA512
a570f378e2c0b86b0890cf6f3a34ebdc384849598b9c9bd02341887e0ee86357a4cfa15583b19328ccf1686579c61a67a424b05f467f4a9590b69b24f8b30948

Download Submit
\Windows\SysWOW64\Blkmdodf.exe

Filesize
92KB

MD5
4691c83b99e2ec0911ede456289bfb97

SHA1
3d6a65cf25a1dac4211e4256dbc2acb885163ce4

SHA256
fde3d55c9cdee1f8e5f48976c8bbea783a08bbc85a1d61278b307fb446e5598f

SHA512
e56753981ac2f942d4dea5c63efc0163c96a8a1150b7807d9f58281351742166ff9d80e80fe7133b80619258c8b4b0d9d69122829d2b42e6e846ea2d41f12637

Download Submit
\Windows\SysWOW64\Blniinac.exe

Filesize
92KB

MD5
d5e978e436f01c84b10273f77708c456

SHA1
8df2a24b41c6968e2a9cb5b5935d0cbce89d2f95

SHA256
4b42286b9738658968e613c87bdd125ca2ae12ea4156802220f6c595a20de0b3

SHA512
86dfccba3437ed744a374ca3f35092b948f07c64dfd96e463c13abb0dad5a46efc8c433a32561aaf2c3b412f56ec564a5d604b4d21ed96f2956c2418286ef24f

Download Submit
\Windows\SysWOW64\Camnge32.exe

Filesize
92KB

MD5
62793bc38db23e261614317dcec228f3

SHA1
a384d56343b8a543e3cee20b7f1e9d7ff0533302

SHA256
4f92611708d2710f10fba1f131e7166d13005bf5393e8bf7f3e1d3d3235c25d8

SHA512
d350b52f827276fab7704a3a122e75f2c2dcc91a9bfa48648d6b030734554b778b06d18c3cf0baadb4ebb94c33fe9e4d582ef14235a9aa20d0a1a7031e42988f

Download Submit
\Windows\SysWOW64\Cdngip32.exe

Filesize
92KB

MD5
9ed5f42cd9de2240bcb243edadd7d248

SHA1
1a3747aa89dad413014e970a5c118ed47657267c

SHA256
d2d5283592df49b2f08d30cba87ff1455e4898ec418577ceb38ff3947eb0bf33

SHA512
f17f6f49c9dc9e5a4d981884e33a7ee98e307ea9c1f01b39bff03d66020aa7807212bb9b11e7feb94b9af2236a0d5e39dfa61dd24d4c282552d21005a79cdcff

Download Submit
\Windows\SysWOW64\Cgjgol32.exe

Filesize
92KB

MD5
d6f938958c53ac8c1d56ce73c8e26ae0

SHA1
7ffe29ab5295df4ce84bdb61127266b7f12d3b73

SHA256
2f3f6ef0cd136a04379c6d2db9ca9be6d85ad0dd31418ae64a3edcfc8a9a51e9

SHA512
772ec74174f448d581bc15f56a2c8609eb73a1ad958ea51b834fd21d3c387c6d582edb29a9decc1ea885e9892abb06004cdd5e9aeb72312d1d233bd87080941c

Download Submit
\Windows\SysWOW64\Clilmbhd.exe

Filesize
92KB

MD5
efb6ecd0c6418339e461d7de84666b74

SHA1
29190be5178c0e95dc304402368b48f34a0280a7

SHA256
371cd40236a68011113b955e4c9ecdf8cf7005db266bcbb28b69ceda9a3198c8

SHA512
0514927b3ac86e143cb63eca8f5f8da98dd2160135aa3557a8bb93f09ed6a47ac15c39c56ee7bebe04b7a4f512dfc6386f00146529ff3a3380aa65a40012a7a0

Download Submit
\Windows\SysWOW64\Cncolfcl.exe

Filesize
92KB

MD5
3231f8310c18e2349a7d54dacc2f5bf9

SHA1
1a2cd1525dfc3b3b26d44c6785d894a37228a72d

SHA256
8999e04964b85db71b9011599b7756acaba20063b2e0736772e1f2fb23532033

SHA512
e74fae0fa7a8cd2fb2509df7ecbbd9b4a50726a79938a831980e75923e36160611a73a858358c3768f12d9a00123c3b39b6d88483a800e0ae8918568640265df

Download Submit
memory/296-242-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/296-239-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/296-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/344-317-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/344-318-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/344-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/484-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/484-184-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/484-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/880-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/880-357-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/880-11-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/880-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/916-506-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/916-507-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/988-230-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/988-231-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1096-518-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/1096-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-385-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1232-264-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1232-261-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1232-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-59-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/1516-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-284-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1532-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-285-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1604-487-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1732-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-433-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1804-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-100-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1928-273-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1928-274-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2108-339-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2108-340-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2108-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2152-427-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2160-451-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2160-126-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2228-86-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2228-421-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-78-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-306-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2244-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-307-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2248-253-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2248-252-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2248-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2272-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-165-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2312-157-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2360-192-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2360-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2416-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2500-295-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2500-300-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2500-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-329-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/2552-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-328-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/2624-364-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2624-363-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2624-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-351-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2660-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-350-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2676-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2760-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2760-33-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2760-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2880-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-112-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2964-513-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-211-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-523-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-218-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/3004-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3004-374-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/3012-139-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/3012-457-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3032-488-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-463-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads