berbew | dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe
Size

2.7MB
MD5

bf1c57bc3532dbc67d31edfc204fcdbb
SHA1

21606478b461e21fb73193a402907084916ce996
SHA256

dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686
SHA512

f39d26d847c833d2019f40f87865de436f07e307188a0603006e2824a07ed451af9dc7db09fc915a3fee6439401186137a571c110962a25e0dccf38f1529dcfa
SSDEEP

12288:ipqvQqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:AhqEfAL8WJm8MoC7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 42 IoCs

pid	Process
3200	Pcppfaka.exe
2556	Pcbmka32.exe
3684	Aeiofcji.exe
952	Aqppkd32.exe
3512	Afmhck32.exe
2100	Amgapeea.exe
532	Bmngqdpj.exe
2108	Bchomn32.exe
3952	Bffkij32.exe
4372	Bmpcfdmg.exe
1464	Beglgani.exe
4868	Bfhhoi32.exe
4772	Bmbplc32.exe
3464	Bclhhnca.exe
460	Bfkedibe.exe
2320	Belebq32.exe
4632	Cfmajipb.exe
3576	Cndikf32.exe
1140	Cenahpha.exe
1696	Cfpnph32.exe
3532	Cnffqf32.exe
2344	Ceqnmpfo.exe
3180	Cfbkeh32.exe
1984	Cmlcbbcj.exe
3204	Cdfkolkf.exe
2508	Cfdhkhjj.exe
2676	Cmnpgb32.exe
4748	Chcddk32.exe
3976	Cnnlaehj.exe
4852	Cegdnopg.exe
4464	Dfiafg32.exe
4352	Dmcibama.exe
3400	Dhhnpjmh.exe
4440	Dmefhako.exe
2532	Ddonekbl.exe
4880	Dodbbdbb.exe
4904	Deokon32.exe
4716	Dfpgffpm.exe
4408	Dmjocp32.exe
4536	Deagdn32.exe
368	Dgbdlf32.exe
812	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe

Program crash 1 IoCs

pid	pid_target	Process
3816	812	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3200	2468	dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe	83
PID 2468 wrote to memory of 3200	2468	dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe	83
PID 2468 wrote to memory of 3200	2468	dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe	83
PID 3200 wrote to memory of 2556	3200	Pcppfaka.exe	84
PID 3200 wrote to memory of 2556	3200	Pcppfaka.exe	84
PID 3200 wrote to memory of 2556	3200	Pcppfaka.exe	84
PID 2556 wrote to memory of 3684	2556	Pcbmka32.exe	85
PID 2556 wrote to memory of 3684	2556	Pcbmka32.exe	85
PID 2556 wrote to memory of 3684	2556	Pcbmka32.exe	85
PID 3684 wrote to memory of 952	3684	Aeiofcji.exe	86
PID 3684 wrote to memory of 952	3684	Aeiofcji.exe	86
PID 3684 wrote to memory of 952	3684	Aeiofcji.exe	86
PID 952 wrote to memory of 3512	952	Aqppkd32.exe	87
PID 952 wrote to memory of 3512	952	Aqppkd32.exe	87
PID 952 wrote to memory of 3512	952	Aqppkd32.exe	87
PID 3512 wrote to memory of 2100	3512	Afmhck32.exe	88
PID 3512 wrote to memory of 2100	3512	Afmhck32.exe	88
PID 3512 wrote to memory of 2100	3512	Afmhck32.exe	88
PID 2100 wrote to memory of 532	2100	Amgapeea.exe	89
PID 2100 wrote to memory of 532	2100	Amgapeea.exe	89
PID 2100 wrote to memory of 532	2100	Amgapeea.exe	89
PID 532 wrote to memory of 2108	532	Bmngqdpj.exe	90
PID 532 wrote to memory of 2108	532	Bmngqdpj.exe	90
PID 532 wrote to memory of 2108	532	Bmngqdpj.exe	90
PID 2108 wrote to memory of 3952	2108	Bchomn32.exe	91
PID 2108 wrote to memory of 3952	2108	Bchomn32.exe	91
PID 2108 wrote to memory of 3952	2108	Bchomn32.exe	91
PID 3952 wrote to memory of 4372	3952	Bffkij32.exe	92
PID 3952 wrote to memory of 4372	3952	Bffkij32.exe	92
PID 3952 wrote to memory of 4372	3952	Bffkij32.exe	92
PID 4372 wrote to memory of 1464	4372	Bmpcfdmg.exe	93
PID 4372 wrote to memory of 1464	4372	Bmpcfdmg.exe	93
PID 4372 wrote to memory of 1464	4372	Bmpcfdmg.exe	93
PID 1464 wrote to memory of 4868	1464	Beglgani.exe	94
PID 1464 wrote to memory of 4868	1464	Beglgani.exe	94
PID 1464 wrote to memory of 4868	1464	Beglgani.exe	94
PID 4868 wrote to memory of 4772	4868	Bfhhoi32.exe	95
PID 4868 wrote to memory of 4772	4868	Bfhhoi32.exe	95
PID 4868 wrote to memory of 4772	4868	Bfhhoi32.exe	95
PID 4772 wrote to memory of 3464	4772	Bmbplc32.exe	96
PID 4772 wrote to memory of 3464	4772	Bmbplc32.exe	96
PID 4772 wrote to memory of 3464	4772	Bmbplc32.exe	96
PID 3464 wrote to memory of 460	3464	Bclhhnca.exe	97
PID 3464 wrote to memory of 460	3464	Bclhhnca.exe	97
PID 3464 wrote to memory of 460	3464	Bclhhnca.exe	97
PID 460 wrote to memory of 2320	460	Bfkedibe.exe	98
PID 460 wrote to memory of 2320	460	Bfkedibe.exe	98
PID 460 wrote to memory of 2320	460	Bfkedibe.exe	98
PID 2320 wrote to memory of 4632	2320	Belebq32.exe	99
PID 2320 wrote to memory of 4632	2320	Belebq32.exe	99
PID 2320 wrote to memory of 4632	2320	Belebq32.exe	99
PID 4632 wrote to memory of 3576	4632	Cfmajipb.exe	100
PID 4632 wrote to memory of 3576	4632	Cfmajipb.exe	100
PID 4632 wrote to memory of 3576	4632	Cfmajipb.exe	100
PID 3576 wrote to memory of 1140	3576	Cndikf32.exe	101
PID 3576 wrote to memory of 1140	3576	Cndikf32.exe	101
PID 3576 wrote to memory of 1140	3576	Cndikf32.exe	101
PID 1140 wrote to memory of 1696	1140	Cenahpha.exe	102
PID 1140 wrote to memory of 1696	1140	Cenahpha.exe	102
PID 1140 wrote to memory of 1696	1140	Cenahpha.exe	102
PID 1696 wrote to memory of 3532	1696	Cfpnph32.exe	103
PID 1696 wrote to memory of 3532	1696	Cfpnph32.exe	103
PID 1696 wrote to memory of 3532	1696	Cfpnph32.exe	103
PID 3532 wrote to memory of 2344	3532	Cnffqf32.exe	104

C:\Users\Admin\AppData\Local\Temp\dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe
"C:\Users\Admin\AppData\Local\Temp\dccbe14ff7afc6df3956c41d1f217d88a51159a651faf93a5458f7eeadcd7686.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\Pcppfaka.exe
  C:\Windows\system32\Pcppfaka.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\SysWOW64\Pcbmka32.exe
    C:\Windows\system32\Pcbmka32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Aeiofcji.exe
      C:\Windows\system32\Aeiofcji.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:952
      - C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 396
        44⤵
        Program crash
        
        PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 812 -ip 812
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
2.7MB

MD5
e408c2737c5599472153eb013ff15153

SHA1
a9599e69ee6ed65a433ac4339b20379e24510f1b

SHA256
7ca9e6450674cd6d376ce17accf3e1c001879b2070b700fddafccdd0aed51fc0

SHA512
31882f9adcaf74ca01fbf9abaa9b0d616a7026a61c84fa339794db6e739464abaeec11fd7a40320a1e67b77356ad896e8d39b17a3ba1fa462a320947fd5d5b57

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
2.7MB

MD5
fa09b1f224a5b355343f5c185bb07056

SHA1
d8ef7848a615e1606abcf5a3270ea91635397a7a

SHA256
6874d5ab3ef9b5353e06f1f7067102895bcb6d3378ba52c97f431d3b6ec81d93

SHA512
6bac79c0e29e2571812cfd722a715c32c6c3aa8560db50074f91aee59f1ba9737b369c051d4a04a255fd3dd5bc9562ea2244b8232f11f688af34820e3d1a1d16

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
2.7MB

MD5
92998daa11f654eec482722db0210572

SHA1
49f81ce922f4ba051d40cbef17e83b3742562c8d

SHA256
b599223533670ec6e52bf402ce5b51ad02551b4beb98d7b0991fe8ba5fd23ebf

SHA512
9083738f33eaa2bf23beb01c9c8a2b3f27dacc3489e9e90c477efd739984dee232f9f9513707a5a6144201bc7c53cbc05f13e1fb9963742ac80d8c2c3f0c0a72

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
2.7MB

MD5
4ae964e5d8590076df596eef9a015816

SHA1
a9d46ba60c0e897fc9f9111540757feb910a24e0

SHA256
4ebecdbf86b1c6043f15284546a92ec8fa6f5294320170c09317d423b1f2024e

SHA512
1cc64061dee952b4139189f4e456a3d5ec9ac356b2821123f0787abef51ca71dc79469d98c4c69f7dfd3f2980a48974d6f8c927073d3fbe80da9f0169bb00cd4

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
2.7MB

MD5
3193d1e49ca7983b4001cebf94573826

SHA1
3d6cddc167f8c608569c58f5521d87352e278965

SHA256
a342bffbb4afeaced072dbd3ca7e9f82bac84d9f4f13f895282e2afed2586deb

SHA512
cb489bedf81b6e8cee0332222de1bb7072b6519f00c4ea9e2d8be7c5cb2e49d094ce39a1f697fbed3b03248ae63d8d8e096cac1b6f2281ffb04426ab5577d75a

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
2.7MB

MD5
fa579a675dcfa08a7aef526b40527adc

SHA1
34ff9fb16b5d6f9e01b75b25ba5a7f7d7385ddb7

SHA256
5becccb9e1b6da664a79e4c643e710018dd6066ec412fee593eb308e66239ff2

SHA512
f0c3f9a8480487d17ce62f23a51e4a4a714e7cac1420d09e8c79a53b58414261d3a32b23782aa93f7a51f032fef14a9a019a36fed7cc58ec938daa8794122c2d

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
2.7MB

MD5
c5289f2f5fb0520841d84fc51b4b6ee7

SHA1
4adfe807c552c59c0dcde739e1911b897e26a704

SHA256
3ccfa61fc1eda9b0c67360599026d4d58b503753dafdb02ce9eedb5da2c187a3

SHA512
e679f0398591ae9f0bb4d5b822169eac4d411120e809b908c484fcecfd5b57579ff70151837c172f802a09224d398a9934a0e637eb75e748e0bced79dec41e35

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
2.7MB

MD5
fc4cdb8226d9b29b2ebb9fdc9dfe90dd

SHA1
695c99de4ee01209c2c66631736c93db630c0202

SHA256
9a5bf8e4474fe11d7e93a049eb01a90c392af9d82c5a0f4e31a6bfa6b441674d

SHA512
f69f9489c39eae09812a87e471e5cc109704e814925110c1304601a90faa9e4a26e715c72b07d82eab28abffb5b23e8170471f8a63da1e9def668b64c7dae0d6

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
2.7MB

MD5
b9c6e57b8568c69ec6f82fccb655d2b2

SHA1
8e595d2c487374b38bb6e21cbfb3cbc81d7195c1

SHA256
d35ae5b0d18352a9e9b84c504c99362b13fbf9344d68dfba4d1cdd67f676a406

SHA512
6eea2ea1c4185fa99bc5d2da591d2cf05bdb960ba1c97a826d3ff75fab23dd7022fc803ac3b3b6fe1450d50ff76152bb0be0a76c874d92f48fcdb26296b589d1

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
2.7MB

MD5
6ee9f4062f798cb8a60875c22f26b0b0

SHA1
c0a116734c853e5f533f90f9d2bad6727c3da1cf

SHA256
9a7a6ecb6612a3d239a6f10d92d4b63f788cb86afd07cb98e1d65faa2cf4258e

SHA512
e21688800cf0c27c6c4ffbb8406359a39c19179a40f3fac4079ba8e1312fb2253b686f760500bbb04eb5435a9012904f90a25ffc7cfc79d66eda07d81a537bdb

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
2.7MB

MD5
436155cd44efc2208f51b3d5f9bcc0f3

SHA1
5bb713c1a685fca4694ab9fa0bdf4ca0cc43c985

SHA256
accc54f600311ebd1eba88aff09c796853a2b6cc812967702cab7d6549641215

SHA512
a5f99c1b01e3241c0f010336e82506b6d61a99ec2a5f7a44eae8f65c5b40444aa28fe0084c5f38d309f6047ba4e75aeffecef90ed3442ab26885b8c161336c20

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
2.7MB

MD5
7ce5c1a227eee2578b30b245f2b3d1af

SHA1
5396357403b9f9d228967f6d3357e8d51a441bae

SHA256
3e5a672b8a77404ccd854abe03b5a040d78cbdcdb19d420eda051946225b566c

SHA512
1a476b89650d2c5e26629ae47aa96d8d89b98b0c2e72ead784ce35d0a61f8f94394ea5a0f13a3cf14b0bfef7b6bc120089a2f3413b3532454ae653bf65d855dd

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
2.7MB

MD5
a1019143e82cb144073a7ef4e9d80d11

SHA1
204792c6ea8bcb26322549d010b41d24946d3385

SHA256
3565abb98b4f6620092100c68681926f32b35b16a609049cd67654c3a2fce3d7

SHA512
79f2a0625db7df92efcd1a8cd8fd77311df7f28d868a3d0e850336408cae641936cdf4f78625d83bfb7277c88686ba85cc9e13922e2911fc44506297c2c33ee5

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
2.7MB

MD5
d4515b0da171384d04898b910a4fab3d

SHA1
25d7853368252eba0bbdd3893cde72c18ecc1c06

SHA256
5ffebf04efe21d11dae2a39f8fc312b818b79793569beea2016b17d28aeb89b0

SHA512
74bac5dccc7179b2b8e5cbdd623791f6b3a870043169a14af0e2c091cac17915b62cda85450250443ed85a32fcc55f92ed447ebb665f27b58bacddb081153cac

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
2.7MB

MD5
6d45bf072ef470bcaf386ca16a9e508c

SHA1
3a661b1222cb784afbe160c058bedf135a0da7cf

SHA256
bafb0b307bfbed5769cb07664f0873e51e13260fe363e8e7951bbdb481a90a39

SHA512
834e4e2e8f517b22462c7ab5ae84361530c5077d70b168c6ca7775dedb0bd2aeaf1f334e04d21ed80bc0f9c337ad2d8bc631cc481958b1ec9be4b61da96a9ef3

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
2.7MB

MD5
ea24d81c51d29d1c06124fd713b2818c

SHA1
09481f578a38fc1b18ad2a1a09f31a422fe6f3f4

SHA256
92a35186d48e506fed00661a069fe2505e1ab356ab87f7d3af8ae93788532f26

SHA512
4c2b743a50aa390587dea8b707243e671cd8c434022566855715309489f72715a8ea6a88ba41695f4e4d4c3424e5fced7bed0282b1b5d8a0443bf5c4f8ead518

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
2.7MB

MD5
0699e44284c3085509e090163082e474

SHA1
67674baba2be8fbea69e57b96c303cca0931af15

SHA256
3c295c9f14740981313f358bf294009d0f251a525ba6d1758f0228aeffcbe697

SHA512
c1c204a33c9f7fb55f1ed87cdc44c598acd061557f02eff15f97bb3075ee261f5de2513afab4522f1d3bc759f41945671920456e9295b8b43a4009f0179b1b48

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
2.7MB

MD5
566d40bde41e0e7d0661ae050c9ddf1c

SHA1
2462a5f526f0bcb31471a639e10354d2ae5b3ad7

SHA256
b952ba03b9ae5bc13dccc9516a13b6d940250f5995f3e6e73d1cacec5201244f

SHA512
b74f0c5b4ae611c6acdc6a0b7acaf7ba729fc4023a630d0b0cf3c3d3b6071d71a6e3fe374331916862249fc79a36a497dca50bb4bf2f834068e6216227f073bd

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
2.7MB

MD5
7fcf58c4ee6f194d0fcfd3bbe9d5413d

SHA1
63fd3f874743e8edd0bd13043bf37dc2e63608bd

SHA256
989421a1be33d18687082dae3081c971c62cdd48b99788b82cf2ee9f186c60e6

SHA512
a641de7913add1bd1be3543eb2f13593f81f615770d54f346cc626a1dbdb97c36aa6e9a2f17c5abb70f9a75b2ae843be946d529628f46bd1f6a29d5da11d0edd

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
2.7MB

MD5
ce8886ead848a5466829ec734e630973

SHA1
5869833886eac5f4a905bc58b00dd58941b7f037

SHA256
8b76388d9c2aa14eb59bc0a3a5ed2862ff79cefaeda46b63ca2309f2566c8a18

SHA512
57b67db0f5e27ac2a388af30881685bc9840a45c59ddd1e81f1f5c4bc0e19d3e73deab637abbaab9143d5605706fb5e779f18d593214f2efbd7b0fa647604599

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
2.7MB

MD5
205dd674c262d036e1002489d85e1e54

SHA1
2dbfcde41a570c2b7fcc0da77a12aa11e48585ec

SHA256
016eb2759c87d2ac5a40c178589c043d981b9e17f60ac572d6eef591093137c5

SHA512
7e7467cb774bfd35e0984a2d0e98e4f54c417b2b5a2947bf2771d4279df3443743003f10f92cb262ae8332182af61961a77dccc789a942e4890d6673b05543f4

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
2.7MB

MD5
12cea6fd4a61525e73664f5d4cafb757

SHA1
b48cad7f064b0e9f58cbda2c97e1b5e524e3bffc

SHA256
2eb747343cc701ef74c1f7e0836f467000e4132fed583d6451039cec5f44c00e

SHA512
924c4f108c7af41643385652215b4e2f02ce9030bf48c6dde892b192bf2a86a3c19f3077159b73ac3bb6c2e595780d8a4f67b030fbfba917181da7cdd6c28001

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
2.7MB

MD5
8a3d5859308dbccb39b0e5441291ab50

SHA1
726094be49de458ae1d2be2c1ea7ce1526cd0c67

SHA256
3c1005016808a2025aab3b979527a67a4716043b3ac68bbdcd67a7e3959f4ec6

SHA512
4b886cb999d8ae4e7c23d3c5a6e865ddc080b42327cd5f05fb2f3e680c3c376342cbf8c5ee0edc8e38ca106fe3efc5f8970ac1382ec1d6979972a57ee4ac32d7

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
2.7MB

MD5
0b24a0593269f723936b55cb98e714aa

SHA1
5c7bcee73c47da5ddfd83d8689e9255520147234

SHA256
71715fc35f164f81946de62463a4809090261e840c1d41a38f89bd543abf8899

SHA512
4e2ccb7ee66fe5c4258b436fc3d0efcc88202470d9a07c4f7bb4c65c0a90b14e973b5a1f830142976ab9118a721779a23b1b42884c96dd08efd27da8c05a6129

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
2.7MB

MD5
3facf593dcee50d74ca791e2b80d117f

SHA1
bb61c9979ef74dd27f3af09bb5f9d0673794de0c

SHA256
9dabbaa73e663a682659d52c940a74ec091cbb26d5f568f7e1cf96611098f391

SHA512
059221015d51924ff7e5668693feb62bd0b023842e164c33e03cd0ef8b3747294ecc722c4f0cbe7f4c65f46fefb7a797eea4efd7346c92b3a752a2daf40e2534

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
2.7MB

MD5
3c48940ade1ec35979b61d445e9f0c02

SHA1
db8511b2e4505c070c1a557e166bfae1bd3a4530

SHA256
dac4977db325eeccea4738882be17764c6fab010b6fb7ab736f86e3dd551fe0a

SHA512
a4ee121dfafafd89e0003a22d6225b1432b62b06f24b66eed692507a8751cede38a271a07545294b0b7077a140d81fa47f125d187dc09b1ef2bffc5e2a47bf58

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
2.7MB

MD5
7f790522fb3cd000013c06d6425bc49c

SHA1
079138b6ec38cc78cc9718384584297d9dbfb398

SHA256
497dd90cf49600baa6be33fcd6e1d4b06c94627cb9aa18e8a1f3098d6d6f0033

SHA512
4cd15f2fc6ed36dc430c663c36d3696d1141933024323d1214fc69b3427c10af6505ddd639e84093237e7ed87da24230ed3813f89e4fecb6034c07b1f8bf338d

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
2.7MB

MD5
a6e99c0fa371c69f92e18c70ce5bef28

SHA1
e24857a75c8a084e0b4313c613202b8fb20ef831

SHA256
0ed2c418498d0142ec496ca3de28c32c28532907caac536f73983eb600f3e8ca

SHA512
8e9ba6916a4fd66c3a74c73971a66eeec95c3fd676c5b4540be5154006455fad18a48f18e96df49e2a846fca3319b173e0f4ced768a44eebda6ac5cc69c873d4

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
2.7MB

MD5
75bf58413b065ec99e803ce7782a0341

SHA1
8e69c254dc2a61fb136f851544c3a94d2fd0f354

SHA256
e16b7045958986769a37b2a04b36c010a0abd556c523e4cb64172d8f23828a19

SHA512
c475abf6755a5c50b434ce279cc5af4c7d2bb694211a15d59ddefe5b073120aeb92bbd14c41ae02eb122f4e1b00860c73738c3e295600858702704a7a370c8b0

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
2.7MB

MD5
a46383223b292a2c10dda14d8a7615c8

SHA1
f92c1acb997987e502b55a261190d1a1455c43b9

SHA256
f54a31d4b841901c2ca03d97bb0a9557c13428fadeb1cfb920dd8a5563b22145

SHA512
0b928632e57e54627b27f003e36a60a429b9f6b498d544bfd38f2cc2ab29e93fa7a0676f40568dabdd07691bcbb9c40a6dc1b929d3cf1f3928e321a31299e84e

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
2.7MB

MD5
ff7375c985d84f7126acb6c4549b5972

SHA1
3663370359f5ee96471195735e49b61c9bc9870e

SHA256
834d7d8304ee3585aea36f19eac76ad1a0d9f327a3a3c0f0342d77e9b33fac14

SHA512
88d78e8d045108f4804159032ed615c1386519d694dccbc657d7559ff4d1a5e78dbd9ad4012bcac19b1202b453e3fad1c161d91fde8147548ab4c4a7751248d4

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
2.7MB

MD5
ecbc695dfcf30dec4c5f5cd6fdf4a46a

SHA1
890b1b77334647c6e80e52f53337c241c43f146c

SHA256
47cabd02dd167305aed3e45b76099a3eed81688b9b14d8294e04688ea69744cd

SHA512
3392a3d873d494afdff31cdbc10dcdca842eed32adbca4a22efb9630fda9fb55e17a92f36e7c3f1c9ca51c53c6326ec91190844d20090f77a16444b98ec0057c

Download Submit
memory/368-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2468-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads