berbew | d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84

Analysis

max time kernel
136s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Size

163KB
MD5

cdabc207d692ac58aa85465b709fab41
SHA1

f39f069b885af3dd03211c9d3965a1196454ba22
SHA256

d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84
SHA512

74911f3a992a46265a1b4092f766e97ad69971ab94d1eb995ad23b7d9bb596658ebeb6744ed5c3285de951bbdc9f2c78902c246b6b63b68b5a02589d6e7e96d4
SSDEEP

1536:PCsWUXM0fGg/SZOGOVZKSoeK7MbklProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:VTGfOGWK+dbkltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 19 IoCs

pid	Process
4620	Anfmjhmd.exe
2468	Agoabn32.exe
1292	Bnhjohkb.exe
3892	Bebblb32.exe
4612	Bjokdipf.exe
4048	Baicac32.exe
812	Bffkij32.exe
4292	Bcjlcn32.exe
5048	Banllbdn.exe
2888	Bjfaeh32.exe
1416	Chjaol32.exe
808	Cjinkg32.exe
3940	Cabfga32.exe
5052	Cfpnph32.exe
5044	Ceqnmpfo.exe
3984	Cfbkeh32.exe
2792	Dhmgki32.exe
3012	Dmjocp32.exe
4100	Dmllipeg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3176	4100	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4620	2280	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe	84
PID 2280 wrote to memory of 4620	2280	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe	84
PID 2280 wrote to memory of 4620	2280	d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe	84
PID 4620 wrote to memory of 2468	4620	Anfmjhmd.exe	85
PID 4620 wrote to memory of 2468	4620	Anfmjhmd.exe	85
PID 4620 wrote to memory of 2468	4620	Anfmjhmd.exe	85
PID 2468 wrote to memory of 1292	2468	Agoabn32.exe	86
PID 2468 wrote to memory of 1292	2468	Agoabn32.exe	86
PID 2468 wrote to memory of 1292	2468	Agoabn32.exe	86
PID 1292 wrote to memory of 3892	1292	Bnhjohkb.exe	87
PID 1292 wrote to memory of 3892	1292	Bnhjohkb.exe	87
PID 1292 wrote to memory of 3892	1292	Bnhjohkb.exe	87
PID 3892 wrote to memory of 4612	3892	Bebblb32.exe	88
PID 3892 wrote to memory of 4612	3892	Bebblb32.exe	88
PID 3892 wrote to memory of 4612	3892	Bebblb32.exe	88
PID 4612 wrote to memory of 4048	4612	Bjokdipf.exe	89
PID 4612 wrote to memory of 4048	4612	Bjokdipf.exe	89
PID 4612 wrote to memory of 4048	4612	Bjokdipf.exe	89
PID 4048 wrote to memory of 812	4048	Baicac32.exe	90
PID 4048 wrote to memory of 812	4048	Baicac32.exe	90
PID 4048 wrote to memory of 812	4048	Baicac32.exe	90
PID 812 wrote to memory of 4292	812	Bffkij32.exe	91
PID 812 wrote to memory of 4292	812	Bffkij32.exe	91
PID 812 wrote to memory of 4292	812	Bffkij32.exe	91
PID 4292 wrote to memory of 5048	4292	Bcjlcn32.exe	92
PID 4292 wrote to memory of 5048	4292	Bcjlcn32.exe	92
PID 4292 wrote to memory of 5048	4292	Bcjlcn32.exe	92
PID 5048 wrote to memory of 2888	5048	Banllbdn.exe	93
PID 5048 wrote to memory of 2888	5048	Banllbdn.exe	93
PID 5048 wrote to memory of 2888	5048	Banllbdn.exe	93
PID 2888 wrote to memory of 1416	2888	Bjfaeh32.exe	94
PID 2888 wrote to memory of 1416	2888	Bjfaeh32.exe	94
PID 2888 wrote to memory of 1416	2888	Bjfaeh32.exe	94
PID 1416 wrote to memory of 808	1416	Chjaol32.exe	95
PID 1416 wrote to memory of 808	1416	Chjaol32.exe	95
PID 1416 wrote to memory of 808	1416	Chjaol32.exe	95
PID 808 wrote to memory of 3940	808	Cjinkg32.exe	96
PID 808 wrote to memory of 3940	808	Cjinkg32.exe	96
PID 808 wrote to memory of 3940	808	Cjinkg32.exe	96
PID 3940 wrote to memory of 5052	3940	Cabfga32.exe	97
PID 3940 wrote to memory of 5052	3940	Cabfga32.exe	97
PID 3940 wrote to memory of 5052	3940	Cabfga32.exe	97
PID 5052 wrote to memory of 5044	5052	Cfpnph32.exe	98
PID 5052 wrote to memory of 5044	5052	Cfpnph32.exe	98
PID 5052 wrote to memory of 5044	5052	Cfpnph32.exe	98
PID 5044 wrote to memory of 3984	5044	Ceqnmpfo.exe	99
PID 5044 wrote to memory of 3984	5044	Ceqnmpfo.exe	99
PID 5044 wrote to memory of 3984	5044	Ceqnmpfo.exe	99
PID 3984 wrote to memory of 2792	3984	Cfbkeh32.exe	100
PID 3984 wrote to memory of 2792	3984	Cfbkeh32.exe	100
PID 3984 wrote to memory of 2792	3984	Cfbkeh32.exe	100
PID 2792 wrote to memory of 3012	2792	Dhmgki32.exe	101
PID 2792 wrote to memory of 3012	2792	Dhmgki32.exe	101
PID 2792 wrote to memory of 3012	2792	Dhmgki32.exe	101
PID 3012 wrote to memory of 4100	3012	Dmjocp32.exe	103
PID 3012 wrote to memory of 4100	3012	Dmjocp32.exe	103
PID 3012 wrote to memory of 4100	3012	Dmjocp32.exe	103

C:\Users\Admin\AppData\Local\Temp\d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe
"C:\Users\Admin\AppData\Local\Temp\d3c8de1e28b10f2b2875e37e2b523a3c1ec93d8bf45ddb84f730bd2859b26a84.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Anfmjhmd.exe
  C:\Windows\system32\Anfmjhmd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\Agoabn32.exe
    C:\Windows\system32\Agoabn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\Bnhjohkb.exe
      C:\Windows\system32\Bnhjohkb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
      - C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 396
        21⤵
        Program crash
        
        PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4100 -ip 4100
1⤵
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
163KB

MD5
77cf8886519baea6d5236093d35e0026

SHA1
98c36e7be5f60e05698511e8607540b7a591909d

SHA256
8762c6e49d3e3bada82634c2e050134118ced540557de9ca9369ed8d6931a217

SHA512
a23a02cc47524538636abc076c5936f30bd0f01d10bd225e7cdddfca881d95184bc5064c05efd79c9e17c4abc96671fcf840c4bc435ef295f6000e9827f98c56

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
163KB

MD5
b328641bd0deee07a826ff90834c6413

SHA1
c6a52ce46c151246d5ff78583777e3c9fc4a2080

SHA256
d84127918d0fdae3c0c386fb6867574fe2014842e941aed87419a74f8c8b57bc

SHA512
dfa0ea9ce6c19117af95bd320eecd21214b4686f6f1ddc01f51f660af45b7624353316cfcf372acbcd415f5fecb336bfb7bbf51a8c3da26671d6391b122a9abc

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
163KB

MD5
973242c5a923a1f7b610228530bb851e

SHA1
f0ed1927cf8d6c72c19e965e1bc1cfe4ab050f7d

SHA256
a07ff408a2fe0b967a9349a4620067f2e8432498e07b8f81e8e8c00b1b5cdfef

SHA512
64777f1ec65d5932f92f1250b53b02b5cc1f80eea0b0b27bdd8e805c749df8a6e277f5758f24538fb68527ad765355776656521d67818cb9a9b7fbc11e1ef215

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
163KB

MD5
77290c770e6694601e63890480a61b15

SHA1
773eb86c69ac92d1b89e6e96045820cce9838e25

SHA256
85bc1a0e9bba32b8a656bc5de4ed9717f0f96d51331fbe002ccce3f1700830ca

SHA512
78807b151d18565881c4293bd874b641ca4e1e7c488969937eac27aceb6611b2a081a618826311dd63c4ee42902025ea9171f6590f4555d97890ada6c5d3eef1

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
163KB

MD5
f60e4b4ff338ebdba26a5fc05dc3c1e6

SHA1
7ca64f724a6970bf881c4e79bd5dbce5396c3727

SHA256
b34501cc3473c548d1ef9f6a8fa4158c313b11a1b5f04dba6bab55d44d90027c

SHA512
85482024a44c451a32f8248e8f8cad734de8db9f9376c9bd527e656b704ef49f4748e45713c35b1e755bd7cb7ddd2da36ec61529095dfd80a780d284beae22d5

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
163KB

MD5
5c4b4125f20107674c55ebd08c201613

SHA1
b1b9ce4b4cf1ebc9b7ed2fcc43e67f8025ef98cc

SHA256
3d8758dda0f544d89d9258a4231f78121787354c881ddff9fbb4d28d5f4023b6

SHA512
87ca3933d562305b22ea432628d725b8958f69ace2ed710791ecd53e74c3059f82f39f422bfb5e847345dee3392e75242cfa783be9958bd63ca1b72fd95adc87

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
163KB

MD5
3053cd837bb4891c16a30cec67f1d092

SHA1
8fa32d738eed2329da6b16cc4e6e3691b3939681

SHA256
0da6689ab19c0830e895e2824608beeb63f21d4c382c2249831cc620e0260aac

SHA512
d9a221470602a0aef4e9ef4a32c96626cb94e552c91afd3af72e7857533a3efc1b3b7f05a4b776ebf036e7a776843fff944b6114a24de0f7469fe50a59253cc1

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
163KB

MD5
18453d91c3b7ad4134849b40edf61c6b

SHA1
bef8a281c72f45a081c6a3a8f29199f5a87d81b8

SHA256
0435422b136306a9f6c60deb04144e2f099e6106ab829a5f4e93f0361e4ddd9c

SHA512
0cb2c001f21204ae5c189b4707dcf0627b31dc0d370f8416ea01e5d46edb76ae5133024a1c07d7fe8859fa8300b706040b7fdda4efbf13a4c2091a180914cc1f

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
163KB

MD5
6d779bf8d1548d3af672920787b696ec

SHA1
52135bf7e8e0413a4e5ee859a5fc028aaf29ce8c

SHA256
645c288e348476cc8b6eb8792642430266f81085169b7e20ceaa7538de7f9266

SHA512
2ba020070d345054cc3a72453b1e6141b333f55a3db15a7df5878aa11f3deee7856e8dd191cbf0686465b7012da857efe2eeb5283b51f3578219ce531b2e456a

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
163KB

MD5
ed9a908c9229866f2765b1d25cc09f6c

SHA1
f73642e5aaf6bea30404ac13bbf2c06802115ab1

SHA256
0fa89c7835bb0f9eaaab5b898e03c6bc6f1d8065870a06fba5c9465278863cf1

SHA512
cc8b05b32e9d08a4b1d7bd5d9d4348458433f6b3a9120df5de6a92dd4094bfd352ce3abe3d8b79963c4e6e0638a08fb073b2f5fb302b05aa6d7a325cd8e6f0f8

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
163KB

MD5
cf213715b8db2df1d7ace305a562de90

SHA1
159c333e0a7d3c95a557c4652c154904d67768bf

SHA256
49094541ee57cbcbab8ebec1219b55f5da1e99530b8011b34287584b786c7df6

SHA512
bcb2485df58d068f722011869498cfd2a7079f8dc68ea49231628bd7dff88f34fd3eb18c42899945a24feb6c50e420ef3875ffbc6eaac3ed5758e0705b14c497

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
163KB

MD5
b8f043587134620116012819a0b1fb7a

SHA1
f8a988885e80b36114b79c56ec26331a251b191a

SHA256
ebb3faf6d0021a16cd552ce91f67517cf68d4c2a810db1ef78e3540d9ce67837

SHA512
191cb548c03c7d8de0f9da79f81fbf5ec0255c45fc70744378353715fcfdc5e304bf248f8d9dc0039da740af1a7c7b07e2d115a5572f11415e418ab35dc0ca2a

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
163KB

MD5
4fa434c6cd38f406616f5c113049a332

SHA1
1ae9369c05c737e7077c8d3898707b3b4856d498

SHA256
c32d65d49a7e63fc4847c068d809e539741389f594e6f2ff39d8ceb8cb10a9b2

SHA512
3a8d7afd672247c282b51f6f459ce7f6650a87b8b0a25461378fe95aea418d4ba194111c0a1cc59474e80f99382aec992bd725e8037b476c1b5a16d1ba21db83

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
163KB

MD5
9ac177ce7ff2544151df633e56b8e520

SHA1
58a157aec8b4370dc90288b1aabc5ee8df6f00a9

SHA256
5cba2c3bae7ef5f796bfde18284d0f49e03eb0e02d70573671353dcefa690f87

SHA512
d40e1f90ea58c4e33e8b16009ed1d30078195f13c06944c2f6c2050b2a491ee0a83cb8064133f6340ec65a4571558d18e98bdc7798295c999340312062472294

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
163KB

MD5
8e200c7a4106f3c857d9ecf17f2bad3f

SHA1
0f6dc4d4511a2b5338503c10ddd3f9acdae7c192

SHA256
33dc71c498e5c9ae56badeddc5daca0f3e4727523f01914a5cc33dc5d3d8992b

SHA512
bb30e2e17c4526ca9264f904514dabbaab35237095077acc0315b855033bc97aeaee0904ff3eeef640ba2492d129da17fd5108289cb0bce1db60a552b48c5819

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
163KB

MD5
ee80dc394c568134179472f9cbb53ea7

SHA1
a7018561d028a35840ab5cd6a7e6fe228eec2ba8

SHA256
bf558328aa2f994a9573a9cf32c1fa98e28764856191504ce4e9d374832b15db

SHA512
2f799b8e0a4dadcd1e003bac90049acae5a519319788837453f90186a38ee9b34c5061b0677e2eaa962da407dcc274216bfea6fb2384787b23eb2062b9ef6fb9

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
163KB

MD5
93eff08036fcd765f4adfc4fe3c53015

SHA1
9aa1a74f33cf38f8585c79cb7c3eea52d5b00ac1

SHA256
b5656e2aa8deb30e3ccae10af4ddda7863bd5611278bb9556afa6bf56143c830

SHA512
d838276f8c4bdbbd5032122e73855ba80cee1a7d34d96bd64b068129c55ba73f9a7cc59b3b103793dd15efacec08f4624cd69cde8d543d296fce3cc772064e33

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
163KB

MD5
32d015a8af75a73b07d8db3a626ffc86

SHA1
0d9260d226625a2b9ee93f002e83fc824aab25a0

SHA256
fdcce321119c577175fbe9a6c613f27d7e0e7c9306be5e0941a05425581d4409

SHA512
bf3900612178f759ae1670370e5ef7a01f2997e8814a02d4df1fba1e521987912b4fd8da962630c7b1e812e656a5c69d03c36d1098d19f1c29bbed84ff7a763c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
163KB

MD5
04c328efe0c2d1c0a8bff2c82bcb957f

SHA1
cd6ac540e1146f8b489f78c6dbf8286dd39cf1d2

SHA256
e676fc36e45f023c6977b9865e60fb1b93043a2be7a5b813551e1e65b0eddfbf

SHA512
7c2a89e58afc594ee19838f4125770990542dc5715bd5cf98fe3a1880144473591e604706d72deab4709cf77ac3b7505c867eeedb0db30ce88c3224d66fc52b0

Download Submit
memory/808-170-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/808-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-179-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1292-186-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1292-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1416-171-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1416-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2280-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2280-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2280-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2468-188-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2468-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2792-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2792-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2888-175-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2888-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-157-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3892-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3892-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3940-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3940-167-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3984-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3984-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4048-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4048-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4100-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4100-156-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4292-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4292-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4612-183-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4612-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4620-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4620-190-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-163-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-174-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5052-165-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5052-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads