berbew | bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe
Size

92KB
MD5

c02ed43a7c923b653240ef2f90bb9d8e
SHA1

5ac31fb10681acf2632064031ff684492c14e311
SHA256

bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e
SHA512

26f43b143e97c13826504f008fb4631bc89991695ac4789636bf4311f6dece7b725b1c87864b31cfff32d8b666c32deb931f166ad9e011baa57ac6112fcd2269
SSDEEP

1536:rT3nsFvRJpTNVIcorxKcz1DaYfMZRWuLsV+1H:/IRnTNVDorxKczgYfc0DV+1H

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
3500	Ajkaii32.exe
4384	Aminee32.exe
3612	Aepefb32.exe
1708	Accfbokl.exe
2976	Bfabnjjp.exe
1008	Bmkjkd32.exe
4948	Bebblb32.exe
2032	Bganhm32.exe
4204	Bfdodjhm.exe
512	Bmngqdpj.exe
1144	Beeoaapl.exe
5016	Bgcknmop.exe
556	Bjagjhnc.exe
2640	Bnmcjg32.exe
2704	Balpgb32.exe
4840	Bcjlcn32.exe
2020	Bfhhoi32.exe
1724	Bjddphlq.exe
548	Bmbplc32.exe
1908	Bclhhnca.exe
3196	Bfkedibe.exe
3372	Bmemac32.exe
1308	Belebq32.exe
968	Chjaol32.exe
184	Cndikf32.exe
3280	Cmgjgcgo.exe
1040	Cdabcm32.exe
4608	Cjkjpgfi.exe
5104	Cmiflbel.exe
4508	Ceqnmpfo.exe
1680	Chokikeb.exe
640	Cfbkeh32.exe
1088	Cnicfe32.exe
4468	Cagobalc.exe
592	Ceckcp32.exe
2288	Chagok32.exe
1360	Cfdhkhjj.exe
3620	Cnkplejl.exe
3436	Cmnpgb32.exe
3064	Ceehho32.exe
2804	Cdhhdlid.exe
2988	Chcddk32.exe
1988	Cjbpaf32.exe
4152	Cnnlaehj.exe
3176	Calhnpgn.exe
4092	Ddjejl32.exe
1504	Dhfajjoj.exe
624	Djdmffnn.exe
3264	Dopigd32.exe
3600	Danecp32.exe
2632	Dejacond.exe
2352	Ddmaok32.exe
3504	Dfknkg32.exe
4280	Djgjlelk.exe
1488	Dmefhako.exe
3536	Daqbip32.exe
4232	Ddonekbl.exe
2124	Dhkjej32.exe
4908	Dkifae32.exe
1160	Dodbbdbb.exe
4900	Dmgbnq32.exe
4400	Deokon32.exe
1776	Dhmgki32.exe
676	Dfpgffpm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1992	1072	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3500	400	bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe	84
PID 400 wrote to memory of 3500	400	bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe	84
PID 400 wrote to memory of 3500	400	bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe	84
PID 3500 wrote to memory of 4384	3500	Ajkaii32.exe	85
PID 3500 wrote to memory of 4384	3500	Ajkaii32.exe	85
PID 3500 wrote to memory of 4384	3500	Ajkaii32.exe	85
PID 4384 wrote to memory of 3612	4384	Aminee32.exe	86
PID 4384 wrote to memory of 3612	4384	Aminee32.exe	86
PID 4384 wrote to memory of 3612	4384	Aminee32.exe	86
PID 3612 wrote to memory of 1708	3612	Aepefb32.exe	87
PID 3612 wrote to memory of 1708	3612	Aepefb32.exe	87
PID 3612 wrote to memory of 1708	3612	Aepefb32.exe	87
PID 1708 wrote to memory of 2976	1708	Accfbokl.exe	88
PID 1708 wrote to memory of 2976	1708	Accfbokl.exe	88
PID 1708 wrote to memory of 2976	1708	Accfbokl.exe	88
PID 2976 wrote to memory of 1008	2976	Bfabnjjp.exe	89
PID 2976 wrote to memory of 1008	2976	Bfabnjjp.exe	89
PID 2976 wrote to memory of 1008	2976	Bfabnjjp.exe	89
PID 1008 wrote to memory of 4948	1008	Bmkjkd32.exe	90
PID 1008 wrote to memory of 4948	1008	Bmkjkd32.exe	90
PID 1008 wrote to memory of 4948	1008	Bmkjkd32.exe	90
PID 4948 wrote to memory of 2032	4948	Bebblb32.exe	91
PID 4948 wrote to memory of 2032	4948	Bebblb32.exe	91
PID 4948 wrote to memory of 2032	4948	Bebblb32.exe	91
PID 2032 wrote to memory of 4204	2032	Bganhm32.exe	93
PID 2032 wrote to memory of 4204	2032	Bganhm32.exe	93
PID 2032 wrote to memory of 4204	2032	Bganhm32.exe	93
PID 4204 wrote to memory of 512	4204	Bfdodjhm.exe	94
PID 4204 wrote to memory of 512	4204	Bfdodjhm.exe	94
PID 4204 wrote to memory of 512	4204	Bfdodjhm.exe	94
PID 512 wrote to memory of 1144	512	Bmngqdpj.exe	95
PID 512 wrote to memory of 1144	512	Bmngqdpj.exe	95
PID 512 wrote to memory of 1144	512	Bmngqdpj.exe	95
PID 1144 wrote to memory of 5016	1144	Beeoaapl.exe	96
PID 1144 wrote to memory of 5016	1144	Beeoaapl.exe	96
PID 1144 wrote to memory of 5016	1144	Beeoaapl.exe	96
PID 5016 wrote to memory of 556	5016	Bgcknmop.exe	98
PID 5016 wrote to memory of 556	5016	Bgcknmop.exe	98
PID 5016 wrote to memory of 556	5016	Bgcknmop.exe	98
PID 556 wrote to memory of 2640	556	Bjagjhnc.exe	99
PID 556 wrote to memory of 2640	556	Bjagjhnc.exe	99
PID 556 wrote to memory of 2640	556	Bjagjhnc.exe	99
PID 2640 wrote to memory of 2704	2640	Bnmcjg32.exe	100
PID 2640 wrote to memory of 2704	2640	Bnmcjg32.exe	100
PID 2640 wrote to memory of 2704	2640	Bnmcjg32.exe	100
PID 2704 wrote to memory of 4840	2704	Balpgb32.exe	101
PID 2704 wrote to memory of 4840	2704	Balpgb32.exe	101
PID 2704 wrote to memory of 4840	2704	Balpgb32.exe	101
PID 4840 wrote to memory of 2020	4840	Bcjlcn32.exe	103
PID 4840 wrote to memory of 2020	4840	Bcjlcn32.exe	103
PID 4840 wrote to memory of 2020	4840	Bcjlcn32.exe	103
PID 2020 wrote to memory of 1724	2020	Bfhhoi32.exe	104
PID 2020 wrote to memory of 1724	2020	Bfhhoi32.exe	104
PID 2020 wrote to memory of 1724	2020	Bfhhoi32.exe	104
PID 1724 wrote to memory of 548	1724	Bjddphlq.exe	105
PID 1724 wrote to memory of 548	1724	Bjddphlq.exe	105
PID 1724 wrote to memory of 548	1724	Bjddphlq.exe	105
PID 548 wrote to memory of 1908	548	Bmbplc32.exe	106
PID 548 wrote to memory of 1908	548	Bmbplc32.exe	106
PID 548 wrote to memory of 1908	548	Bmbplc32.exe	106
PID 1908 wrote to memory of 3196	1908	Bclhhnca.exe	107
PID 1908 wrote to memory of 3196	1908	Bclhhnca.exe	107
PID 1908 wrote to memory of 3196	1908	Bclhhnca.exe	107
PID 3196 wrote to memory of 3372	3196	Bfkedibe.exe	108

C:\Users\Admin\AppData\Local\Temp\bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe
"C:\Users\Admin\AppData\Local\Temp\bce7dcd2ae1aefc37c345debb33f6b333ec70269b255e243e8616898750b5c5e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\SysWOW64\Ajkaii32.exe
  C:\Windows\system32\Ajkaii32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\Aminee32.exe
    C:\Windows\system32\Aminee32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\Aepefb32.exe
      C:\Windows\system32\Aepefb32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        33⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        66⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        69⤵
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 396
        73⤵
        Program crash
        
        PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1072 -ip 1072
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
92KB

MD5
c243fe9a1cef756c2e214309bf92975b

SHA1
aa5a5f6ac4821b235114a2bb5aa50abc969617ad

SHA256
72041c75c112da945af67708ed0a948d5ca5401afa2a030e95a146e9765a2af5

SHA512
e2dc222bebb19ece4557e467b49c2861cc93074bb3319e10bef4050dbce63737243ac61ec754f30f9da74270c989d77cb9a13a5dd3080f7217d35782d7252b11

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
92KB

MD5
a145b0950e35f6b80fa48867da5f8ab3

SHA1
b8a95e2cc1972330dcda65bca1a6303be5a75220

SHA256
41d560e86bfbfccc81169267f477dbb179aaf5ffe3388cfee3838b6c062632ab

SHA512
c7b01fc86859e9fb12dbdf5b79c3232d7fdef415681c25d4fe72809a4120f94dc7c7dc2208205946c8d9d0d5087a979a39b079a28ba1097cc5bcf6f9d85205ac

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
92KB

MD5
432d433945151043709dbc882988842c

SHA1
4c78e5419bc1086ff3e96b05eff63c6e2b658e00

SHA256
2331921fc581a0c0c56033c65a428422393b8468410accf424af9471612d81ea

SHA512
6011a779f20b8efe86b951abb6adf1e4a4ecf1996b9417cdbfa00fea8280988a19c6f16d5bf422a2d14d9f06b75bc6fd472b7a6a11d093f41f7f2d49dac801d2

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
92KB

MD5
c2399ba52865d75ae89daea8007afdb9

SHA1
ae78cff9873c205c2fd5791fe20d4f4173276231

SHA256
9c20b2124bc0567ef66e79a8d8f8566241e37279b7875c89b51159c4306a0508

SHA512
502375a1a5ee15d457f9862d41638390bfa8e5600e7c2bcfb84e9473afa65648b78575b44f76a00219c18d7d2db22ff353fa594adc50734f2ebfa483abcdaf78

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
92KB

MD5
ca1165dc52cceb62b56dde7f5a594ee4

SHA1
eaffb0bf2b729c45af89e42d4a86ab85bcf5453e

SHA256
0808aab13983e5acae4cea5d8d416b251daa46c31f36a2f66034ab9adedafdeb

SHA512
442545a551b66127d83269313541dfe4ce9c47891f7370f23093b4c9aeb068241059107b6d720db3853e1083b6492593e37e44881b67d0ac793db90a13ee94ff

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
92KB

MD5
53952f201c964c862ecbaf3b0ed948f8

SHA1
aa989755d298f615b4c5cd0073f6aba03f90c11a

SHA256
98b6e9885675cac298a0c15f98801ca8f479fb994e30c6779009239956cfbaab

SHA512
b707ee7698861633fc4d2885cefeeb9028bd342beb0a81bfbb6a124368aafbcac3d595e96c264395ece89b2cba04b8c3438b1261b075731c3966b5d79ec1d37a

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
92KB

MD5
4ccd258d12f501ba977b860158a86b85

SHA1
ef5c44633c8ddc2494acce4cd8d73bfb81009a86

SHA256
5c0543682dcb701e3eb178bafe6118a69101ad3396d9413b301d332afc356e90

SHA512
dd56f101c7dca416c2f31f405cf66d65585f88cfca55c2679b84c06a81c7a0a823ed0542bb1d60bf65c43c7d3fd02de9f02e60920b126fb2f2dd42eb8acb948f

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
92KB

MD5
5f1b7ff234477df63cfd823cc15fddae

SHA1
63a1f5ee687c954af574f3cb192c2338b653a160

SHA256
87b5f563924b3ce79ca562507b66d19806cbca6e8596d37a04cdf6a89b0cdf39

SHA512
3a196b24e3c7432fcdfe8802cf88d173cfc38bc830d067053e993b48f0e278751049bd0293d540045e1971083630e3a14982697bd81b5b79dee4f2775ed82729

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
92KB

MD5
ad54125e8ddd083659b7a21d2ee78228

SHA1
8a6e5ec53d1adb4d2fd3e88fb01e3bb57fd2dbf1

SHA256
7ce320f3adb8ae22a6cd49a9b886cdf88abfccf06686219742684ac06761b128

SHA512
e5c2837d7b78f5e85344903bf90b57143b23d0dcb9de438d9df55d92e53dbcc274a826962dddaec171d5e71e42490118b8e2f31b6d63b2653df945a5ca5b72c5

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
92KB

MD5
e024817e630a1d8ab83e42490a986a48

SHA1
0c28c630894463c9bd7caa13f61c67f7bc805b83

SHA256
9637916f053d08af43c00ff90c249dbf92b9eca1b305d98bd732cd88836e8d00

SHA512
5b7d65373b5f28d51d85c3f2e2ffdc9bcee66b3b6e74ed73462afa1d55e408df2ffbf0448bd59d58ab5c00ef38ac5934e4d6095ca35a85e3a79d48f8ab2a2825

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
92KB

MD5
fa3aa1682e7f41213172fcf1cfec5383

SHA1
05b43407209de40a9e3d74c748e6a16b828ea44f

SHA256
2b415854444621bdd931e50c44e1bf52157c61a587e06ffceadafab9f9d00da8

SHA512
788bbd16c0bc26668f80b568e108d88f20147d6b2c1ecf422171bd1a562ee901409ece1016319647fc6c1ebc41ca88e69f112ae32f8b60bd81e0d3d5e615fe69

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
92KB

MD5
4e5e75a6e91480641a4a24ca35e0339f

SHA1
d06acff50b90d05e127285ff8f53b0310cdcc505

SHA256
2ccb559884a4b6694d6a7d37731d76fa33f03945dd9821c9277b16be01d9d46a

SHA512
a2b926b3a0bb1bdd2cca216555d1384d747606f3f273daa2825c0fa1491662c141976f043e4aecfe2ce73a7f9595a43e398ef534cc7bff3f1c4ef1eca36c18d0

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
92KB

MD5
6ac999f09acba821997dd1d961545c32

SHA1
5874aea1c71c53e273044d6822ed918719b36ca1

SHA256
b4e7b92c3f2bb18d79946279f299bb5833cee59eff7c0de35c750a5ab0b06c62

SHA512
91db101bb3d77a375b8d7315683c20d9dc76e14814ca8b0f5f81f556f493cb2640c85c857afc77e3fea9db76f371b3d9223c681eccb2941ad7f968140c9e7173

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
92KB

MD5
4b82d87dff52d1391a086e2ae53c0983

SHA1
53a0ac30ffd1fbcb6428c488a1de55e9e3c9fc80

SHA256
2b0d3997aa73e2147d62317ee8c96737b0d0ab565bd4ccf54a1b2156acf3c17c

SHA512
8730bed6b554efab3e31db56e72c733224b2c77c61fd22a822091b81bc31e1b0c4a0ad1a41f6dd73aff7d49f6b137e814ea5f22265e9bdf0cb65c572ce468efc

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
92KB

MD5
9cced5fe86a8414c237cc3fe6188e167

SHA1
c1c53b9999a1845b5fa9157e3180c29742eb7864

SHA256
0bbd811deef6c0dcab3e7406b3d93969002500e0a348fba916cdfe612bc96c55

SHA512
ce16d590f32d53a188c72f197def9b165de30014da120031a8b04f452af6e250ee43bb216f5a101d984b3f9f15603cda85cf700f00c75a11b0fe7fdfbe019b1f

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
92KB

MD5
8d2639f356af5c5864fa8e3786edba36

SHA1
bc4558e36da65710548bed223d07344e3d24796e

SHA256
0ef24cef2aac78a7bf66d990170da42a23070cb03c69fc0202322fdfe614c747

SHA512
b7a1e31334073047ae8a5d61d856fc179f44d98be063cf6037b36dd06c6b8e666432e779ea21952f9ece96c6d40959c3eaeef8daa3c2edefbcbf5ef6cdcaffb3

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
92KB

MD5
441eb4e0e8eaef8cbb3c14cfc19130e9

SHA1
3562af380e0fcdafc7b9174a54b2d9aa88afab30

SHA256
e574f75c61d27f7373f6bc2de380a8ffbd0947da6cc0effb4b006997b4adeb65

SHA512
3a55eecae8c3a5dd7837555a607f5f8fe9b9f91877584ef313ea8819e7d3a2b3d5ca747798e14cb7d7eee4109b0adcc23b1827e6e1bc64a80198707d8837c439

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
92KB

MD5
ba79f3b0fafd5b7e417b9cdecf10ddfb

SHA1
0e94613fea6213fe8faa39cb991d4692b4ea84a7

SHA256
19fc6bc30a0bbe36fa850628653f876a2aed302e641d302ce22e4225598f2228

SHA512
6ab49d49d7356a2842b0ceb616495f1c183a851b31c2f7d5bbd9ecadb2b0929cb29bc03ee360509e81cb8e00c86e6355dd075ca5ab6547dd2aae57aa0ee06848

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
92KB

MD5
a5f5ec1b22c5b4e7b01d2decb49460cd

SHA1
f76068c285110bd2c8277859eb2f10186bb041a7

SHA256
86e96c3c135f82f6b3ced2506ec1b1ad1376d18ec4159c37e05e27400b345532

SHA512
29f8bf02d837cda46d03969a7a77fb8398009d7bcf6356aa45890b19ae26d80c39efd6f488772700d5fdb80922729be5ffeea7b906216e3312dd3dc55ae7972d

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
92KB

MD5
d71c65b849a173e72c4de93cacfce876

SHA1
1086822e3f59e5ddd038eb12fe8d5015a0eff8b7

SHA256
dff15d43e8feb8062b66ef275ae3115d127156c5fad0241635053d7c0c219dbc

SHA512
be6b2cc7ba4439788e8458204e25473420fd82f250fa001f180dfcbb0f3b8d0bf05a449b2b618e44d822427a27313664021ecf41f306e5cb2f1dc63884a45302

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
92KB

MD5
d4276d0f3c4a0b6ad3a06f93102c8cbe

SHA1
268c438fe5923424c14d5afb5dc00c295ef36330

SHA256
b7000b8a1652811b16ee0c3814de8bc08c982a1c4c8494c9b2a14f59d537c3a5

SHA512
4a6aebdad71c0629946eadfd0766da45992ab010008660acc5342c4106d792f55761ae27cde1dbd2576d9b475dda2415bc884b5ce353abc111b7227677874e08

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
92KB

MD5
522ff6260085e012d702e60b53ba67c7

SHA1
b3ee4d92657adc4251038aa0ea7901a2984d3116

SHA256
6610f0ecf6fbe2ad25a2211f59a75e32b019e5dc6207c890e48749b8970d4636

SHA512
9488ac3abc994a896c70ad99da46f7282df6def8b7f80656b655421e023f3b360041fedb76d02191174995dbedd3d1075bdae9c7c4cfbfcabc1bb24f0652c5a2

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
92KB

MD5
f10895db1b4fda8d8d181d53a40a6ee1

SHA1
4f1b8023fb9041ae2d86d5dbb2af865f981cd74e

SHA256
b2c87b309dbdfd655a199999652d37f458782910a87a230d1e8b9f5ecac50789

SHA512
5de57e63da5d2e1553b87fa7d08ec956be00362a79e994c5e15062ff9fa32b1ed13182f0bd72c577fc6dd7927175f94c70d7d5dca93e7a7523d0c5ab48f9e9e1

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
92KB

MD5
eeca16a0c8fa234aa74e79d5f7d302bf

SHA1
eb7640a70adae81562f6e8fba19880a69866ccb4

SHA256
b21c2c9b7da03a619954dcd93cba7d48dd1a653e3524cd535184d5edb0db7414

SHA512
f37eb4a5dd93d066c7cc1e9af9edabb4dbd42baccaafe19bc457eadcd45c5283ba2aa0eca5c56cc888ee43a2f2c6bb6432f4ce21f9c44a3129d8a6e0b3e9d40d

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
92KB

MD5
fec9abf1a2eb03ea2b36f399e69e3faf

SHA1
efa4dc6bf08cf1781d63e5c4021abc8135a0c7a9

SHA256
cbeef492f7ca114fe3eb56cedf8dec5bc107f62380fe3fb116db591658c5fab7

SHA512
cdec5760f65be7d0e2640663398ffba3aa9c896150c55f5e1e27498b025c70bc4bd09c3029eb80f3cba02e97e5129dd53f15d021464932af3957dcc1ef9a8054

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
92KB

MD5
d655ba9be12786762256fa737500c0f8

SHA1
efdba8d49fa7e9b44babfeb46d6a2608972b9134

SHA256
ad4a7b3a22afeb2f6542975077b989438d6e9a9fcab86d2c6996f1bb66c99c03

SHA512
81e1613be260b04e2d6433274ec49bc6982cbd6d8f74ba4021b00f809ac177a8aed847b64fcb45f09e5b2dba5206f0df41498aab157bbd26fd29a25e9215a350

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
92KB

MD5
17fd1899b51ad0ffd19691a00be1ad0a

SHA1
a4c30aa857f983508b4de1a46027202999a36e3f

SHA256
e4996fa10a04473968294c90894cb79d8a4f3b6bb63466c85a77cbeab5c63008

SHA512
2805cd4a08bd254aa49697f4c24120eadfeac9d97b772636f8f02b2e840a9f0a9b2bc6d2d807f5567184e6378ee640ed6da5dc0f087325d711fc74aeaa3e34ce

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
92KB

MD5
947488d07fbee78cd9a21a43d7dad969

SHA1
a15f01e898a5a35ffe3298ae2d91340fbdab22f3

SHA256
f65dc17a41d08d0f68967bfc863c4023d5daad9aad32183a60914073fa34c4b0

SHA512
d47911b8c212a0759108b04fab4f409145181cada2fdf94dac2a50250dd781c84af93a4e820df2a1f43673bb35323e72840994a12033c30db6a988a9b4307642

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
92KB

MD5
c7107ccc4d1fc6b13615bd093b71f1b2

SHA1
f6b526f976dbfae0a39819ba714be4ff1967c6b7

SHA256
5fa417d48e4d464c17edfa6da074f12a6e60345ab0b469f1d25185bfdc3f4002

SHA512
1be24da1ad38a7a7c70f627f1f7527cad2d634123dfa3ce545a66dbbaf85d5df9f6768a6249a48304793a4796492d78bf67e7449df4d21a0383c8596a9df9bee

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
92KB

MD5
4ecf0f5ed8519f1ea4292f7a1ec307df

SHA1
36773e45dab52aa89eaab6c927da37560fdf074c

SHA256
c9fa974a0ecbffe27cd1794baa939a873480bb8acd5d5db461ccc3620333290b

SHA512
0111a080a7d78d67395af51ddcb47a08c8c77b17256164fc63d32ad44e190a28be4e908dd30bc09642d46452f427bac5d6825670d6a9c70ab09d335ffc94ed1e

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
92KB

MD5
7637daab0724f5f599ff17835b5be988

SHA1
b9ec0529707cb0ac87b8e8bf36a2084ea20eeff9

SHA256
461c7bc51312fdd9f6eaec3ba06137d48de27d2e67a980d98a2724e4679b1f2d

SHA512
adfb8405e357d676b5079874f35c0785b8b24dd3a40395c2f095a0c411aaf2f2529d62f106621f84b2aadee5c9224cc7da3172b5ad68eba8f4947bccb25f0fa8

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
92KB

MD5
69a93cd4147c84834b537e0c0b7d2850

SHA1
9666717b8029131a745d50f5a96fe9aef5d28acb

SHA256
895aa7a68df2b56c3e7582db2c8afcf315b89aa8e65db9adbc012783e7428b04

SHA512
e09aa821ffe84210c50de73d9f91a7cdc659a45d77808812e2a71297468d54ae458b18f0abd7193870f38c355ba6270f8d7cd24398ec317603e2a8ca5da8b546

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
92KB

MD5
4893c934f9e0ad4b8febc45b6c8ea5ee

SHA1
f8a95f8259e98bdeca310e133893d2ee118df402

SHA256
5a6294867b68cb2f7e194aaa7e944929405cc248f54940777b67c3a4ad93c60e

SHA512
a088b2addc356500ef53dd2a3bbb2bea8dd8c77ee71d3354bd4056c0c215ee9e5cb9b122722a93152b8d531d91995c2c6571710062d4b83ead1987d37064d81b

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
92KB

MD5
866f3f12851af48f184147311494ba60

SHA1
bd3cf9aca4f13cbfc708f6dfc5ea0405c083bd2f

SHA256
7c51cb3237e2c6301bb08ed618e120d157b7cc6819fcb3d5ceec07f344241b4e

SHA512
ec22e32738217fe85bbe87aa75feae93b68d360c3946e4e1d6dcb5084a8a1880a7af496509ef1bcb33fdaa1a7cc6348bd2989d484e86f480a6ead48de1e6adac

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
92KB

MD5
369de2cd752433f492286cfaabbc0898

SHA1
74489d275902d046ec18e6446df5f07b75c61501

SHA256
0e2c2e01e148853efca2060d97c0f646912aaf4998c516099805c12ef0d05101

SHA512
babda82491f929b1ae3404eada0056fca777072b55d4108b198d5cd8be6cde5ba47bc736a83c1106c05de912b86cd474468b48d6049df22240037bd068a5c63f

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
92KB

MD5
6770a2dc1fc288129bd930835d875678

SHA1
a598bcd2a67aa7944be733c4ab2b2aa1d91988ef

SHA256
aef92a1658d55e12aec44ab79a239d783ff63ef812854d2f086e53706324fe89

SHA512
f6988bffdac882303dfbfaa0b787671dab19f041f6c2cc08290bc388dd994586770b1750981b8f1e458100f64a7caeb9168452d33111feee6096589ba77c7ab6

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
92KB

MD5
6dd3aaf4d8b8b187739df7075d7aca8f

SHA1
61cad195cfd91f05b4c57a8ae8b678a448e84a61

SHA256
9f8b7f100a92af09f33c4b414c92e05e4b56308faffc670fd3ead7c32caa0d92

SHA512
daa4d4139235a8c03ae897dc2bdb794b80c6e4dc8048df3d777acfc201a1355f017c02c053f0e9efc9798651a747dad323bb1b54d68e6f1d4dc59c58062978f2

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
92KB

MD5
c2d773e9dcc47a921261f8c527223d06

SHA1
cff27eba170810a408848861ca082ee088f67fb7

SHA256
c54c36511e01c627702df9556140e24e74f5178bab28461018bf7bcf09142bd3

SHA512
3081de2cbb8456d2fa6d05b1f3523461e78b78b00dd21054e8193705f7e519acd2174d98992f039182707b393be23d7932d155c725b96a5ce1c8737cd401d94e

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
92KB

MD5
22fe60a173fd366d73006deb9fb6a482

SHA1
99b9fe8575dac98072dba2b6dfb5ebd621706f79

SHA256
f333384096c0625b2d078224d8b9ef5d930d0ee56dc77a64cdb6cbd2d2a59ad1

SHA512
80f4ff52399ab3aa7fca4e11c8135e4f10dc60bc39477ac7694e65a6a90b12411e8c40b044c4644cd198b8a8563caede6d886a376bee4a5ac9f9d2ec9435fdfc

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
92KB

MD5
d5d2c9a3acff31fd6b7ccfef1bc503f8

SHA1
6dfb8955c04e6c7cda07053655ec160cceb0aae0

SHA256
3a2b7312748bc3de7372f435142dbb6a71cca510fd2db541edec5c686fea5746

SHA512
4291307def68897876f166190fb6884f5021675931602223f78850975f194fe0160d54e201d7ae40209cb21b1b8dfe092c16bd42caf0cae23774800972805ed6

Download Submit
memory/184-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/512-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads