berbew | 7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe
Size

93KB
MD5

422c16cf529768e26a3551d06c6e2171
SHA1

bb34a0b15c2d19fd23b50d234aabf7e62effa0ba
SHA256

7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a
SHA512

f7b9cba8c271d5177202d4db4743fe3323af5f6a206409d03a089b957d418ff0d2769ca799704d3781c00e82cbf574e2378f5efafcc79c0fda81868365103f60
SSDEEP

1536:hqCBkb/xvlDCfMEoEDNGbsRYcJ2cueAcTd2wTggjiwg58w:JB+/xvFCfoEDNGmYe2c+62wbY58w

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhndldcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpfojmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifgdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfenbpec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egafleqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cohigamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhndldcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkommo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boqbfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cohigamf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chpmpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bifgdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkdeggl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cahail32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caknol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bioqclil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkommo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpfojmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boqbfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bemgilhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dojald32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egoife32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bioqclil.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkmdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkmdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caknol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egafleqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmmiij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemgilhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cadhnmnm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 50 IoCs

pid	Process
2708	Bhndldcn.exe
2812	Bioqclil.exe
2668	Bmkmdk32.exe
2628	Bkommo32.exe
1220	Bmmiij32.exe
1012	Bpleef32.exe
2520	Bfenbpec.exe
2376	Bmpfojmp.exe
1900	Boqbfb32.exe
2932	Bifgdk32.exe
2928	Bldcpf32.exe
1004	Baakhm32.exe
1744	Bemgilhh.exe
2976	Bhkdeggl.exe
2320	Cadhnmnm.exe
2400	Clilkfnb.exe
1688	Cohigamf.exe
856	Chpmpg32.exe
2292	Cgcmlcja.exe
1228	Cahail32.exe
1032	Cdgneh32.exe
2836	Cnobnmpl.exe
700	Caknol32.exe
2500	Cghggc32.exe
2716	Ccngld32.exe
2692	Dgjclbdi.exe
2732	Dpbheh32.exe
2676	Dcadac32.exe
3052	Dhnmij32.exe
596	Dpeekh32.exe
300	Dlkepi32.exe
2076	Dojald32.exe
2644	Dbhnhp32.exe
2924	Dhbfdjdp.exe
2184	Ddigjkid.exe
1784	Dggcffhg.exe
1856	Dkcofe32.exe
2212	Eqpgol32.exe
2264	Ehgppi32.exe
2232	Ebodiofk.exe
1196	Edpmjj32.exe
2996	Egoife32.exe
352	Egafleqm.exe
1056	Efcfga32.exe
960	Emnndlod.exe
972	Eqijej32.exe
2792	Ebjglbml.exe
2384	Effcma32.exe
2896	Fidoim32.exe
2256	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2764	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe
2764	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe
2708	Bhndldcn.exe
2708	Bhndldcn.exe
2812	Bioqclil.exe
2812	Bioqclil.exe
2668	Bmkmdk32.exe
2668	Bmkmdk32.exe
2628	Bkommo32.exe
2628	Bkommo32.exe
1220	Bmmiij32.exe
1220	Bmmiij32.exe
1012	Bpleef32.exe
1012	Bpleef32.exe
2520	Bfenbpec.exe
2520	Bfenbpec.exe
2376	Bmpfojmp.exe
2376	Bmpfojmp.exe
1900	Boqbfb32.exe
1900	Boqbfb32.exe
2932	Bifgdk32.exe
2932	Bifgdk32.exe
2928	Bldcpf32.exe
2928	Bldcpf32.exe
1004	Baakhm32.exe
1004	Baakhm32.exe
1744	Bemgilhh.exe
1744	Bemgilhh.exe
2976	Bhkdeggl.exe
2976	Bhkdeggl.exe
2320	Cadhnmnm.exe
2320	Cadhnmnm.exe
2400	Clilkfnb.exe
2400	Clilkfnb.exe
1688	Cohigamf.exe
1688	Cohigamf.exe
856	Chpmpg32.exe
856	Chpmpg32.exe
2292	Cgcmlcja.exe
2292	Cgcmlcja.exe
1228	Cahail32.exe
1228	Cahail32.exe
1032	Cdgneh32.exe
1032	Cdgneh32.exe
2836	Cnobnmpl.exe
2836	Cnobnmpl.exe
700	Caknol32.exe
700	Caknol32.exe
1536	Cnaocmmi.exe
1536	Cnaocmmi.exe
2716	Ccngld32.exe
2716	Ccngld32.exe
2692	Dgjclbdi.exe
2692	Dgjclbdi.exe
2732	Dpbheh32.exe
2732	Dpbheh32.exe
2676	Dcadac32.exe
2676	Dcadac32.exe
3052	Dhnmij32.exe
3052	Dhnmij32.exe
596	Dpeekh32.exe
596	Dpeekh32.exe
300	Dlkepi32.exe
300	Dlkepi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cghggc32.exe	Caknol32.exe
File opened for modification	C:\Windows\SysWOW64\Dhnmij32.exe	Dcadac32.exe
File created	C:\Windows\SysWOW64\Dojald32.exe	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Cbcodmih.dll	Dggcffhg.exe
File created	C:\Windows\SysWOW64\Geemiobo.dll	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Pgicjg32.dll	Egoife32.exe
File created	C:\Windows\SysWOW64\Bfenbpec.exe	Bpleef32.exe
File created	C:\Windows\SysWOW64\Mclgfa32.dll	Bpleef32.exe
File created	C:\Windows\SysWOW64\Fgpimg32.dll	Boqbfb32.exe
File created	C:\Windows\SysWOW64\Bhkdeggl.exe	Bemgilhh.exe
File opened for modification	C:\Windows\SysWOW64\Dlkepi32.exe	Dpeekh32.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Egafleqm.exe
File created	C:\Windows\SysWOW64\Fidoim32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Fnnkng32.dll	Bkommo32.exe
File opened for modification	C:\Windows\SysWOW64\Dpbheh32.exe	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Dggcffhg.exe	Ddigjkid.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Egoife32.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Klmkof32.dll	Emnndlod.exe
File opened for modification	C:\Windows\SysWOW64\Bmkmdk32.exe	Bioqclil.exe
File created	C:\Windows\SysWOW64\Obilnl32.dll	Clilkfnb.exe
File created	C:\Windows\SysWOW64\Edpmjj32.exe	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Iimfgo32.dll	Bhndldcn.exe
File opened for modification	C:\Windows\SysWOW64\Boqbfb32.exe	Bmpfojmp.exe
File created	C:\Windows\SysWOW64\Bldcpf32.exe	Bifgdk32.exe
File created	C:\Windows\SysWOW64\Bemgilhh.exe	Baakhm32.exe
File opened for modification	C:\Windows\SysWOW64\Dpeekh32.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Edekcace.dll	Dojald32.exe
File created	C:\Windows\SysWOW64\Efcfga32.exe	Egafleqm.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File opened for modification	C:\Windows\SysWOW64\Bemgilhh.exe	Baakhm32.exe
File opened for modification	C:\Windows\SysWOW64\Ccngld32.exe	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Dpeekh32.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Bhndldcn.exe	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe
File created	C:\Windows\SysWOW64\Gojbjm32.dll	Bhkdeggl.exe
File created	C:\Windows\SysWOW64\Bmkmdk32.exe	Bioqclil.exe
File created	C:\Windows\SysWOW64\Cdgneh32.exe	Cahail32.exe
File created	C:\Windows\SysWOW64\Joliff32.dll	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Bfenbpec.exe	Bpleef32.exe
File created	C:\Windows\SysWOW64\Cnobnmpl.exe	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Dcadac32.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Bioqclil.exe	Bhndldcn.exe
File opened for modification	C:\Windows\SysWOW64\Bifgdk32.exe	Boqbfb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnobnmpl.exe	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Eofjhkoj.dll	Dpbheh32.exe
File opened for modification	C:\Windows\SysWOW64\Ddigjkid.exe	Dhbfdjdp.exe
File opened for modification	C:\Windows\SysWOW64\Bhkdeggl.exe	Bemgilhh.exe
File opened for modification	C:\Windows\SysWOW64\Cadhnmnm.exe	Bhkdeggl.exe
File opened for modification	C:\Windows\SysWOW64\Chpmpg32.exe	Cohigamf.exe
File created	C:\Windows\SysWOW64\Cghggc32.exe	Caknol32.exe
File opened for modification	C:\Windows\SysWOW64\Fidoim32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Ffdiejho.dll	Bemgilhh.exe
File created	C:\Windows\SysWOW64\Mecbia32.dll	Cadhnmnm.exe
File created	C:\Windows\SysWOW64\Dgjclbdi.exe	Ccngld32.exe
File created	C:\Windows\SysWOW64\Qbgpffch.dll	Ccngld32.exe
File created	C:\Windows\SysWOW64\Dbhnhp32.exe	Dojald32.exe
File created	C:\Windows\SysWOW64\Ddigjkid.exe	Dhbfdjdp.exe
File opened for modification	C:\Windows\SysWOW64\Efcfga32.exe	Egafleqm.exe
File opened for modification	C:\Windows\SysWOW64\Caknol32.exe	Cnobnmpl.exe
File created	C:\Windows\SysWOW64\Dlkepi32.exe	Dpeekh32.exe
File created	C:\Windows\SysWOW64\Qfjnod32.dll	Chpmpg32.exe
File created	C:\Windows\SysWOW64\Nmnlfg32.dll	Cahail32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
288	2256	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cadhnmnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilkfnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cahail32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhnmij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baakhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemgilhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cohigamf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgneh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpbheh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbfdjdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bioqclil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehgppi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifgdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkdeggl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcmlcja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcadac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhnhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggcffhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqpgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfenbpec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Effcma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnobnmpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caknol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpeekh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddigjkid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edpmjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chpmpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpfojmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojald32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egoife32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkmdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egafleqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkommo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldcpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaocmmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkcofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebodiofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqijej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhndldcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpleef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boqbfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccngld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmmiij32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgkoe32.dll"	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnhccm32.dll"	Baakhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmmiij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhkdeggl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll"	Caknol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bifgdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bemgilhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cadhnmnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baakhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmmiihp.dll"	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclgfa32.dll"	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfjnod32.dll"	Chpmpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cahail32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnobnmpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkommo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cohigamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimfgo32.dll"	Bhndldcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chboohof.dll"	Bmkmdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhbfdjdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhccl32.dll"	Bfenbpec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boqbfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiejho.dll"	Bemgilhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll"	Cohigamf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chpmpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpfojmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecbia32.dll"	Cadhnmnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhndldcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cadhnmnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkmdk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2708	2764	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe	30
PID 2764 wrote to memory of 2708	2764	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe	30
PID 2764 wrote to memory of 2708	2764	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe	30
PID 2764 wrote to memory of 2708	2764	7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe	30
PID 2708 wrote to memory of 2812	2708	Bhndldcn.exe	31
PID 2708 wrote to memory of 2812	2708	Bhndldcn.exe	31
PID 2708 wrote to memory of 2812	2708	Bhndldcn.exe	31
PID 2708 wrote to memory of 2812	2708	Bhndldcn.exe	31
PID 2812 wrote to memory of 2668	2812	Bioqclil.exe	32
PID 2812 wrote to memory of 2668	2812	Bioqclil.exe	32
PID 2812 wrote to memory of 2668	2812	Bioqclil.exe	32
PID 2812 wrote to memory of 2668	2812	Bioqclil.exe	32
PID 2668 wrote to memory of 2628	2668	Bmkmdk32.exe	33
PID 2668 wrote to memory of 2628	2668	Bmkmdk32.exe	33
PID 2668 wrote to memory of 2628	2668	Bmkmdk32.exe	33
PID 2668 wrote to memory of 2628	2668	Bmkmdk32.exe	33
PID 2628 wrote to memory of 1220	2628	Bkommo32.exe	34
PID 2628 wrote to memory of 1220	2628	Bkommo32.exe	34
PID 2628 wrote to memory of 1220	2628	Bkommo32.exe	34
PID 2628 wrote to memory of 1220	2628	Bkommo32.exe	34
PID 1220 wrote to memory of 1012	1220	Bmmiij32.exe	35
PID 1220 wrote to memory of 1012	1220	Bmmiij32.exe	35
PID 1220 wrote to memory of 1012	1220	Bmmiij32.exe	35
PID 1220 wrote to memory of 1012	1220	Bmmiij32.exe	35
PID 1012 wrote to memory of 2520	1012	Bpleef32.exe	36
PID 1012 wrote to memory of 2520	1012	Bpleef32.exe	36
PID 1012 wrote to memory of 2520	1012	Bpleef32.exe	36
PID 1012 wrote to memory of 2520	1012	Bpleef32.exe	36
PID 2520 wrote to memory of 2376	2520	Bfenbpec.exe	37
PID 2520 wrote to memory of 2376	2520	Bfenbpec.exe	37
PID 2520 wrote to memory of 2376	2520	Bfenbpec.exe	37
PID 2520 wrote to memory of 2376	2520	Bfenbpec.exe	37
PID 2376 wrote to memory of 1900	2376	Bmpfojmp.exe	38
PID 2376 wrote to memory of 1900	2376	Bmpfojmp.exe	38
PID 2376 wrote to memory of 1900	2376	Bmpfojmp.exe	38
PID 2376 wrote to memory of 1900	2376	Bmpfojmp.exe	38
PID 1900 wrote to memory of 2932	1900	Boqbfb32.exe	39
PID 1900 wrote to memory of 2932	1900	Boqbfb32.exe	39
PID 1900 wrote to memory of 2932	1900	Boqbfb32.exe	39
PID 1900 wrote to memory of 2932	1900	Boqbfb32.exe	39
PID 2932 wrote to memory of 2928	2932	Bifgdk32.exe	40
PID 2932 wrote to memory of 2928	2932	Bifgdk32.exe	40
PID 2932 wrote to memory of 2928	2932	Bifgdk32.exe	40
PID 2932 wrote to memory of 2928	2932	Bifgdk32.exe	40
PID 2928 wrote to memory of 1004	2928	Bldcpf32.exe	41
PID 2928 wrote to memory of 1004	2928	Bldcpf32.exe	41
PID 2928 wrote to memory of 1004	2928	Bldcpf32.exe	41
PID 2928 wrote to memory of 1004	2928	Bldcpf32.exe	41
PID 1004 wrote to memory of 1744	1004	Baakhm32.exe	42
PID 1004 wrote to memory of 1744	1004	Baakhm32.exe	42
PID 1004 wrote to memory of 1744	1004	Baakhm32.exe	42
PID 1004 wrote to memory of 1744	1004	Baakhm32.exe	42
PID 1744 wrote to memory of 2976	1744	Bemgilhh.exe	43
PID 1744 wrote to memory of 2976	1744	Bemgilhh.exe	43
PID 1744 wrote to memory of 2976	1744	Bemgilhh.exe	43
PID 1744 wrote to memory of 2976	1744	Bemgilhh.exe	43
PID 2976 wrote to memory of 2320	2976	Bhkdeggl.exe	44
PID 2976 wrote to memory of 2320	2976	Bhkdeggl.exe	44
PID 2976 wrote to memory of 2320	2976	Bhkdeggl.exe	44
PID 2976 wrote to memory of 2320	2976	Bhkdeggl.exe	44
PID 2320 wrote to memory of 2400	2320	Cadhnmnm.exe	45
PID 2320 wrote to memory of 2400	2320	Cadhnmnm.exe	45
PID 2320 wrote to memory of 2400	2320	Cadhnmnm.exe	45
PID 2320 wrote to memory of 2400	2320	Cadhnmnm.exe	45

C:\Users\Admin\AppData\Local\Temp\7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe
"C:\Users\Admin\AppData\Local\Temp\7cb61d4ec55ea2f2adfa9c4ff40d49793254f175a72eb6250ea0d4cb2bf3090a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\Bhndldcn.exe
  C:\Windows\system32\Bhndldcn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\Bioqclil.exe
    C:\Windows\system32\Bioqclil.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Bmkmdk32.exe
      C:\Windows\system32\Bmkmdk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Bkommo32.exe
        
        C:\Windows\system32\Bkommo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\Bmmiij32.exe
        
        C:\Windows\system32\Bmmiij32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Bpleef32.exe
        
        C:\Windows\system32\Bpleef32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Bfenbpec.exe
        
        C:\Windows\system32\Bfenbpec.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Bmpfojmp.exe
        
        C:\Windows\system32\Bmpfojmp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Boqbfb32.exe
        
        C:\Windows\system32\Boqbfb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Bifgdk32.exe
        
        C:\Windows\system32\Bifgdk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Bldcpf32.exe
        
        C:\Windows\system32\Bldcpf32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Baakhm32.exe
        
        C:\Windows\system32\Baakhm32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Bemgilhh.exe
        
        C:\Windows\system32\Bemgilhh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Bhkdeggl.exe
        
        C:\Windows\system32\Bhkdeggl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Cadhnmnm.exe
        
        C:\Windows\system32\Cadhnmnm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Clilkfnb.exe
        
        C:\Windows\system32\Clilkfnb.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Cohigamf.exe
        
        C:\Windows\system32\Cohigamf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Chpmpg32.exe
        
        C:\Windows\system32\Chpmpg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Cgcmlcja.exe
        
        C:\Windows\system32\Cgcmlcja.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Cahail32.exe
        
        C:\Windows\system32\Cahail32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Cdgneh32.exe
        
        C:\Windows\system32\Cdgneh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Cnobnmpl.exe
        
        C:\Windows\system32\Cnobnmpl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Caknol32.exe
        
        C:\Windows\system32\Caknol32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Cghggc32.exe
        
        C:\Windows\system32\Cghggc32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Cnaocmmi.exe
        
        C:\Windows\system32\Cnaocmmi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ccngld32.exe
        
        C:\Windows\system32\Ccngld32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Dpbheh32.exe
        
        C:\Windows\system32\Dpbheh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Dcadac32.exe
        
        C:\Windows\system32\Dcadac32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dhnmij32.exe
        
        C:\Windows\system32\Dhnmij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Dpeekh32.exe
        
        C:\Windows\system32\Dpeekh32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Windows\SysWOW64\Dojald32.exe
        
        C:\Windows\system32\Dojald32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Dbhnhp32.exe
        
        C:\Windows\system32\Dbhnhp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Dhbfdjdp.exe
        
        C:\Windows\system32\Dhbfdjdp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Ddigjkid.exe
        
        C:\Windows\system32\Ddigjkid.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Dggcffhg.exe
        
        C:\Windows\system32\Dggcffhg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Dkcofe32.exe
        
        C:\Windows\system32\Dkcofe32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Ehgppi32.exe
        
        C:\Windows\system32\Ehgppi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Egoife32.exe
        
        C:\Windows\system32\Egoife32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Egafleqm.exe
        
        C:\Windows\system32\Egafleqm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 140
        53⤵
        Program crash
        
        PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bemgilhh.exe

Filesize
93KB

MD5
c5cc2dedeeadc792245f93665c82985b

SHA1
e7aa2b04b0b86945e9768b8fcdc2d907f9ea1ba3

SHA256
bb03c0187ad73065e3ebedd0f9c623e0f57b1485b98f97a28d490b65423e3000

SHA512
c7ecff338f49089cc6e425a571f130d863227d535147d2f82e2ef10de6a14cf76c4925596d5d5bb7f8c31ea9d0c19b13d230eafd8bacb1d1c5d1be9d8dbf1c90

Download Submit
C:\Windows\SysWOW64\Bhkdeggl.exe

Filesize
93KB

MD5
733eb09ed6f11cd0a355d8965866101e

SHA1
a77478369d68b60e62c3217537e906aef1de39e3

SHA256
2031e523c5e34746377f1ad5c9552a0334568368935b04280f0068ac488df4de

SHA512
586a2c7c3e4bf9fcc278841574aa2e5d8aa295aa44aea8aa47a52b98d6dece11aff4b3080661893a56c145a671512d60c5dbd97a5ab7da3c09e321c06905b8c6

Download Submit
C:\Windows\SysWOW64\Bioqclil.exe

Filesize
93KB

MD5
ed3d8652f31e488a337d6b3ea4b786bc

SHA1
b4d79b3fe260b17c75c44e41a1bb68bd315f8bb2

SHA256
981ffb05fc0b975d67e92b93a716b0b7950383baa24a6929ed44ad671b479094

SHA512
8c28f5f270fd68c34a2332ab5b22391195b9e0a59a72f361cc61b272c9f5104bba51748914d988e510f889710d106ca90e3dbf43e07902bde57a419c6e781e42

Download Submit
C:\Windows\SysWOW64\Cahail32.exe

Filesize
93KB

MD5
606c5e0b6d2a431500ab3eeb4c5227b4

SHA1
20b888cadab12ab416666442c0689e93fa5bde2d

SHA256
8f5c37b28220c74b2ab3f711018d60a4b88a21f637a56fe86716576871061fad

SHA512
3257fe06cb57d28d17aee6e17b53073aaaada656b7b82f7a03bbb5e74f0e3a3b07f3221e07e3e038e34dc7d62dbb88ee734e258d3b19f63a26812cb01a156e00

Download Submit
C:\Windows\SysWOW64\Caknol32.exe

Filesize
93KB

MD5
798bcf17296b01439727b4cd83baa9d8

SHA1
6cf028d7aa81abacf982e91b62573886fb6cb8e8

SHA256
6d3e9dd7139b0bca40537790e297b575cd4d478370e4e429df4e7c8c6acc32b5

SHA512
39a6abcb45d8d8aab8f29611d5f07f5f84af7293aa5a5c20d07d6d5fd8f42ca4b6c6bd201754975ae7231388a48abe29fe512e39b52fdf76824f767ade9e6563

Download Submit
C:\Windows\SysWOW64\Ccngld32.exe

Filesize
93KB

MD5
c5a0d0377553fdecfcaee2ed1fc76966

SHA1
358ec08eaa2a181bc39a6ccb424af18d0f25099d

SHA256
9362eb7150ba4e42df477aeac2965fd40fb10d459a9a5359d7cebf6709b90e10

SHA512
45013324dbe5a6124af14acc45542345a866aaa94e08e8cbf924d85bdf0311c1f3b663fd141d16a59b97e25c4a72256acc477156293ed3bf2ba3ec6e64f0b234

Download Submit
C:\Windows\SysWOW64\Cdgneh32.exe

Filesize
93KB

MD5
86c5c331c036bc22ec7590a9b452a27e

SHA1
e989919c7dda0e61e4562611ef1a1e97f1f09fa2

SHA256
e148dd2776fd3c9bb94fe43c527a14407531900d761785acdfde3cf5cd1c3a49

SHA512
414040dadf57e1989d3bae2e1febd804b437e61eb9eb651ab22f9ab4c74e73970ac1c6d96128116dc6def668964865503d2d768e4d715225a6ba23b879ebf31b

Download Submit
C:\Windows\SysWOW64\Cgcmlcja.exe

Filesize
93KB

MD5
10e8fe841980fa02bf6abd85a5ebf616

SHA1
8d9266da7e66eb9600404866f78a0d9dccac6f3e

SHA256
8bd97d034ebb57273b7b38fb2dc0ddd525900bc4a1f93f0e748bbf8c5b86344f

SHA512
1d45c98a7c5cc83ad5e1a3a9a65a330acbad3e114e7f5db11729563296323e8a63bc823256b67f3b88a708b0d877f4444aad76d5ebf2c573e6ed9489632778ac

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
93KB

MD5
851c56f7c6a7132eb0a636470614f69b

SHA1
3560d537fb5a09beb9a5840a49a1c36e44e7a27b

SHA256
9426e21a524ad6c62f1b264d1905e8d9b2af5f39fb12b2094a1656cfcedb04b1

SHA512
8d8913ef345000c79522e210f18160ab287bee1958abd2dffa321560aa2a1ca3b8fbc98cd24dafe331616df5686df752025b24be1588672a9096c5209340fe7e

Download Submit
C:\Windows\SysWOW64\Chpmpg32.exe

Filesize
93KB

MD5
48764602cd507594d259bd56b8b88c5a

SHA1
7df7d93e5d142cb46b7fc0950c69c8bdd659ee98

SHA256
5d1be1a1050097cbc2bc219bdfde358c81cd71b52add8f76d83c5d6895ea4ef7

SHA512
add3e3b871bc1dd3ced09be01a17e769fb77f08dc94b5446ee2aa321b99b4c774c0ea0172fb687f5cc405a3897b1c964d1bab02f55b19ce528daea1625b81a62

Download Submit
C:\Windows\SysWOW64\Cnobnmpl.exe

Filesize
93KB

MD5
ac39dbd2b801037c4aef8ab2ca24729d

SHA1
416d5b494484d967a8ec0c37318792060776d9e5

SHA256
37ce1c37fc8ef1e670ef702fca3a7797857c2a9989a81c444c40ece64a793fbc

SHA512
f906ef7b2cc328d1c0549da40f931f9320a89690c17c38dabf2592d1bcc5d0cb15afc56617578ce1107659c2b5f3e415d6a15bc0988ae57be2c9d1358b1498a6

Download Submit
C:\Windows\SysWOW64\Cohigamf.exe

Filesize
93KB

MD5
f3e01c39059b1b36b1f9c485b86c2b0b

SHA1
97e80368b38007221a3b572285876011082647c4

SHA256
3a19aefea87dd0131ead9130247c422ed2ed67ca6dbb53f7f225bbc6273d364e

SHA512
2e2d4940b1f050d207768d8095168666266769b4d8877bf1737acc1b68acfba10df0231b25bfdf115f30dcff430bb257a3eacaebb6795d80a3af850ec457c6ad

Download Submit
C:\Windows\SysWOW64\Dbhnhp32.exe

Filesize
93KB

MD5
b4e6ef7b2d5e61ba5feea614a4efd489

SHA1
d614425cb4f741fe99c6a12c019ac794312e9662

SHA256
9170c3687df9e7c372fc9449d1e7767b4c453bf8528b71a603bab15c06aaf245

SHA512
2f1249bf799678cb4601b1b0a7a5bf563ced03d42c9644201d6282da79f81940569cbb0b9303fa2811eb5a423defb93432f3b1e0fcd3fbdf6ddc2006703a0223

Download Submit
C:\Windows\SysWOW64\Dcadac32.exe

Filesize
93KB

MD5
b22a1eb2a80d39574d42de45d45537c4

SHA1
f56c73aabee672ba0705ec794a156fa10e27d7df

SHA256
faf196b8ba81a7b0ec1456ea4905a1354cf443fc06c605b47cd1c91c1deb487f

SHA512
402783b512d7775021842db928e002cb6580b5886fcf9cb5be9a21ee860321babc767f482017ecbd29051d2ca0021df7b2194d2de4d0761145c2940ad0c4e507

Download Submit
C:\Windows\SysWOW64\Ddigjkid.exe

Filesize
93KB

MD5
cb00de4801453a88be036adc49b303c4

SHA1
ddba64969638cd06a554b414bd878ecc6f9a90f0

SHA256
a34b5cdb3d7c0cdeda6089da34fa22ec76d00b576322ee49545dd2126fe54b8e

SHA512
dc7f7617f560fc46f74b5521fcc727e4904f9312b45f6e38c4a7d987fe0940712e07bdcf61fd6998597dbc27004490c2fc06c4af9e2c210c674c59cd1084878b

Download Submit
C:\Windows\SysWOW64\Dggcffhg.exe

Filesize
93KB

MD5
73a8a9fb7146ee1d72e5b0ee5272f157

SHA1
4dc4ba4277ee76408358413b052d5d92a99b436e

SHA256
40f76d95a7ce82c298c1082f063736721fde1fe07f3e2ed86891d4c8e63de884

SHA512
e4a3ad321bb3b3817322a4ae2fd433f1f928ca1d557de7d9a2f32529760f24acd8d5ab60ede6c2a0adee309e1261c4e5b6e2c878548ae668272788ea7a0e6d6e

Download Submit
C:\Windows\SysWOW64\Dgjclbdi.exe

Filesize
93KB

MD5
2a6acec5cce55a40a2ca6c2ea20a9d94

SHA1
3234fa97529d5b6a04dab223b413d09c7841de0e

SHA256
af9b6535310f67be2c56633282900557ed5083593cb0f4ff1c5ee0638c43f784

SHA512
fa70f7b1c12c849af866bd2c45bb1e8c016e00bf1e19f4bbc31d23d95f6d2d10d57e4ee0f0b688ffea577fbd03654cb22f32e1936a7bf0ecab8cf7501e116961

Download Submit
C:\Windows\SysWOW64\Dhbfdjdp.exe

Filesize
93KB

MD5
fc7ec203af4331bab14c962c2abeca88

SHA1
1cfb72bb914f25e38b19c06f9912c520e66d245b

SHA256
3e6988b13c0af860eeb442527c359121d2b4927f284a40a5b3331ad716692ef2

SHA512
9d79527b8192657e2233c3c0559ae1f7b87f3a3e30047e110fcb78ffacd794e1d8eb93c5f3e60c7d1b6988d385bfe8ba14f83a47b973618539bd863e1a65ce58

Download Submit
C:\Windows\SysWOW64\Dhnmij32.exe

Filesize
93KB

MD5
5c3e63efee7578aa223e24603964af6f

SHA1
2e2a343bb98dabe49387ced4d03c01eefba928f7

SHA256
62d33c28bb7222369deb315c1ed4bb96b1a99a4655169c0816f1e79575043526

SHA512
0b511550a823679f1307ab5530b9fc61286af3202d306e6cb208ada1168d0bd4c06142d1db2d0302d6a1116d6930b9f3d889a0377a327d3a2adb22b55b4e504d

Download Submit
C:\Windows\SysWOW64\Dkcofe32.exe

Filesize
93KB

MD5
9242a8af90fc4fa6c59f39b94fe8ae64

SHA1
29b79241357e528301b0f9d61fab7a0f25fcb7c7

SHA256
87e32db52ae80c8a643b03921d0b26b918b02705e8f1424e02c5eb6d98aa135e

SHA512
a04bb4df4ba00b5a461551e574b871380b3ebd08593d7286b01b6cdb91ecd8688f4b38ee87a58f85510b98f5022acd949e9f0e3d7171ac952b8e5f601db86125

Download Submit
C:\Windows\SysWOW64\Dlkepi32.exe

Filesize
93KB

MD5
b23638f901a6c2fe861e7a03a954e4d0

SHA1
d30d84ed576adfffe3dcae2762effc41d1c9f7f1

SHA256
50a0058baba0ce5706c92787ce373955e542f5080f88d5e8e5a7ace687269390

SHA512
42a70327b4dc87b7295bb3bb03b2942ee0511da604ee005feb9ab2c899be2095c935bcae7cb1c68cb8c52b866c88bcd0580d61d77fe056ad20ea0ae0694e847a

Download Submit
C:\Windows\SysWOW64\Dojald32.exe

Filesize
93KB

MD5
518ce5a3a36d5d80919786761583bb0e

SHA1
6dc130597d458bec38d0454a1c6ae853131ea75a

SHA256
55025320e3d6d53b82fbcc795387e9ba35908cf9565ca0d05d25ef035176e6a9

SHA512
00c7c442dc072460405847f665a6b4a83334cddc8366dc28a9b7bb54c4b3ce52da834901c998c99b39aaa7b8bf5e83f778bdfcedd73aa1c71699e29149ff1062

Download Submit
C:\Windows\SysWOW64\Dpbheh32.exe

Filesize
93KB

MD5
c702dd6d60ee5dbb6a03eacf3b7c8f55

SHA1
63da2338f4cdd918d9fddf95c4c4b413863e006b

SHA256
c26d33b925ed308ad62d347ba58bb643e09b199e62d6700581a829e7640eac23

SHA512
ce9be2b77a8c9cbf4c76d9a10dfc0bd3d6bf52f81a21f05a6c9e10d51da817c022a59461e2b6829a13dc6d2d2586b0a94d95b149caf98e300b00a19c0a9bb31f

Download Submit
C:\Windows\SysWOW64\Dpeekh32.exe

Filesize
93KB

MD5
fe8a0cea8363fb8107144435038a16d6

SHA1
73f1668e210c153a7897968d3f51576e58befeb4

SHA256
beca2db244f768ade9005234cf5c2dc07a31bd60f5f9fee894d939af0d8a280b

SHA512
9a6c0a9451832d2bfb04a48441497633b609604fc4f14c3a152ae73abaeb762f31d3f55666716e9b4be7fc36b4a648ac9fe975fa7bd66c6ded65273d8df67397

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
93KB

MD5
05e7a23bb72325dbf734601cf66b1489

SHA1
310fc892ce9f5e16a8e9d72de593a3afa6a04dcd

SHA256
d58e6286c957912e693d4122fdbfe33161074134220c14b3132a1b4701076af4

SHA512
3029a1d172e2cb3767fdb82a01f6560253bf5c0f97f531bb43c430019017b8d936c7de9993f5829678c08245292438bba6bdc4e5b1531ac0f44a94d18c214aa8

Download Submit
C:\Windows\SysWOW64\Ebodiofk.exe

Filesize
93KB

MD5
fefd0697144c4ff3e63c5a83f0f3e1a6

SHA1
74db4d3ebd1e98b131b88366baa8bb5aed607010

SHA256
d1b3394eae0be82f152c324d14b1d723b476dfb5eec513cc053dc14a8c01ecbb

SHA512
cfda7647eb01f0c05af89c3025a6f406505f60f29562e47d37c85dfa6cb0aa184c46616d9170b2f5bf9bc93bf0fdbb2c5a87ca98a3691f746fbf949441499a15

Download Submit
C:\Windows\SysWOW64\Edpmjj32.exe

Filesize
93KB

MD5
728d72db79a379a3ef548e782e829816

SHA1
bc38d1f43017b20c7acb84a70e6016f2d3cd5ca3

SHA256
491892370428b63c9538fba6affa2b252b1b5a1b7f7426d324ae895e7b2a75a6

SHA512
47840bda624793a7955144e8c972217ac1103250156828f762cd9fb2afd2174170913f2dcf1682b1ae9a51b4cbb99a76007ef9438874e7858b5241b175367786

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
93KB

MD5
b2b5b695787c16d6f4d22bb9e55fd857

SHA1
5fa243d7760a5a0098e4331002f9d8065e907efa

SHA256
2daaed3f576a548df72e3dc6d0d4055957ed52b219e86d227178d77ceb7487d1

SHA512
dda42a4c2ab8f7f5fdfbc3ac98bb68d0ef16caa2700792a5e9fd2c3baaa803bc9a7a86518b3a68780df0bbae7ccad67f1aff7eeec7fb9ce29a542b11d1d5e26f

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
93KB

MD5
91804513d6000d2aef4df75b67a3b723

SHA1
6b47f488e62831f35a26e35a23958f54740da76a

SHA256
86f4e65f741a6757f1d0dfc317296bc91129c74f9b2f359a11215bc626df4017

SHA512
21cb02d21760e30b5d88e35df12e1954a60f023a93dc06f619ca0771df13989dfd93c436ec007988e6d63fc3045f0500e631399da183ed0993d0632be83a0474

Download Submit
C:\Windows\SysWOW64\Egafleqm.exe

Filesize
93KB

MD5
d77c6563322ca6ee9fc5f796efe6b79b

SHA1
9c9e3e336e569ff6946b508c5e682622afa1f5fd

SHA256
8b6a48bf54e47c455676e3e7f2125ddd4409c5572855655e02f06be2ec6874a1

SHA512
5c539a68d78223d52a888ef902ca4a99de85da25aa0f6ed14161c55f7062a8949b53a181c6cdb6fa489474972e4526671c207d36dd9c80da619b3f00a4066f9f

Download Submit
C:\Windows\SysWOW64\Egoife32.exe

Filesize
93KB

MD5
388ed1e6d9c49f4ed239947875c7cda4

SHA1
9cdf6ae103313bc18bc8a37795de28e50d5f4949

SHA256
fb292d189801c4d669f5a44c6473689bbee42ad4e2e15e518ae8d76b54dcbc96

SHA512
59476021762f14c9c8a75319df3a067cd1a2cc63c3e43b024dc589a7f63c215a0414c5729cd553d9b1c2d084321ffe57667d943c6abfef73362efb4cca9d764f

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
93KB

MD5
be0b02ae0c37375ed0517564c7a06097

SHA1
bf15275f84f6ac7124f5f9dd0cbd4a6a6836399f

SHA256
3f64355416f6d88b790ce068087a248b4825138368586554ae05fb1e489ae3e2

SHA512
89f25d5357c4226277d63a62fb2368810f0e55572c6481aea38fa8667cb6f72d0a42b7984dcf5832e066d10e707451595f4effd391b6c5562deebe3a0f93dc3a

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
93KB

MD5
cbd63708ed752fe71959c4979ab09bfe

SHA1
d36787d2e4461389a90bd28ca8b23c7f0c852628

SHA256
a6e44c1f6d6b0b302ebaf81e78d436becfc19e51539cab2cc99b26ad6e4df767

SHA512
98dc79331763d0ca0f01a745a6f3fd30e11beedf90712405bf0ada8a4b020a10ab74d92fb84ef682a75fe77689efe1e966e629e408a06cca91225966f6286b59

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
93KB

MD5
92e94d8c30975224b1ffab9167aa57a4

SHA1
d869e831a37c62735ce74edc83f77389452f0731

SHA256
204448276e8dfe2b1bd5b2f57bb0165bf5d68d4bc559bf96f172bf358324ff04

SHA512
13c6b73bea2e998c87b5258af3a2d6f328de404d8ccada7fe290edeeea9aefaf04285b5d6832b2a3d8ec58a9613ce3e95fe58772511e00672e471175ccf76e9a

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
93KB

MD5
7c7b3abb7c920f890ca503170a1f7cbf

SHA1
c582e9438bbd7c26c473b32c10c154f46560959f

SHA256
e394f7ee4a42dbedd85d3508973fa0675846c935ed44137265c962a3f8fc6658

SHA512
87fb67b1ffde3ce149a614747872156172659f629e02575ddaa01c34113957b0a07035f3b4d8d398e25ecd258242e590f6ba7df032b6f0583ea2674fc6dc736b

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
93KB

MD5
9776f73c97d7175d5d74c2221f80faad

SHA1
3dc884191939c699fdf75dc9da184e07b66ee2c7

SHA256
1b2f44d61d2dddb2e99e7472e6cbeaeb3fec6024543e0909e874e4b77b566cae

SHA512
df88879905e86d8620ce344ca5659e2dc0e82401dfa95134b3acb747928e85307c92e91fc9cae5777254a5784d5284a4c4260bca876ec75d33b009beb34677ed

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
93KB

MD5
35985e79a7dc666a869e0f60d5845370

SHA1
e86c4a53031d07c5ba430ea96f23b21d4d6bf821

SHA256
00a616fd71156002014bcbd1b0aeaf7a51a5b56f2550875cd81078a5e979c61e

SHA512
1f7be93b304e7425b2bff323d0dddcaf679fc135a2ded007403475751f81198577e29d1a4905cfaf1183016b673991c876898e1a52d324ef85ddbec714fe86f9

Download Submit
C:\Windows\SysWOW64\Fnnkng32.dll

Filesize
7KB

MD5
db757ec09926a53962e1c47cebde899b

SHA1
db9d7e713ccc1d4c5e140794b78321a08865af20

SHA256
c6f4f09c846d228ffbb11d4f883f48499d58d052c394b1bbfbf8fe434cd65439

SHA512
475b0c26a682d1b4101a80e2c2fd1e366e92302bef551ea4d298ad408e0d7ad8ae5735f430bfac0f4cadd9a1d717af2ad0fa8b1b8b4d70de60b06742d12e28ee

Download Submit
\Windows\SysWOW64\Baakhm32.exe

Filesize
93KB

MD5
310e781a40c5c9646dc2077eb62dfa6b

SHA1
8da18ec7bf22e0819dfdca0a5542efcff47d40c5

SHA256
dd8da69145ec6664039f8220e591fc61f99e9b065022f267343f3e79194bedbf

SHA512
9be52d2ac9f96e33f0d3f20763a048d1c82f178f533d47197914f1d65f6f20cf22abd5af508b507c9a253038b476128ebe8a09c72e6ccbc40e30accc08b658f6

Download Submit
\Windows\SysWOW64\Bfenbpec.exe

Filesize
93KB

MD5
cc426d695e3f90dd8c753ea6e359135b

SHA1
59cb4f6a55203a38fb95c1ba1bfe80def43254be

SHA256
b21327d62afdb37615e28a0304f9852b1ab09648052387f5a5df8eeebc48166f

SHA512
12acb4f7e4c402e09478cc6169e31b064ac52262d2c37c2d3ff592b42ffeeffb65bbf6051f97bf37a1fa3773574bd79923e5db6f5769b046f6b37b31a69867ea

Download Submit
\Windows\SysWOW64\Bhndldcn.exe

Filesize
93KB

MD5
891d1e25ea19483b876d60f79892be9a

SHA1
6fe0c7b4b2289c9ca320688c840383109f4a9cf4

SHA256
8eb5da67be0eebd0a5c3b3b343d0e2e771e546a981a8d330736f169e02deec29

SHA512
e2c9a48f4c0dbb470bf0e7cbfb86d3485cc562f626acaec2f5b6479475a18e37edcbccffeffe05a0a6e943a7ba25b4e4bc90e9fde5291d74f58d654e6046305a

Download Submit
\Windows\SysWOW64\Bifgdk32.exe

Filesize
93KB

MD5
1569f29e3fc07b9b565fcb70d8e4b60a

SHA1
613864db544ef1e29bc4121970615f19fc1033f2

SHA256
89819d5c72e63346f2940fea235aadf7bc8052fa1f8fe0f4ae08d6e1f1c59dcc

SHA512
411ebe08152848246a7bb04951968beac461a9255e3b6fc25855163fe6b9e2c0b391bbdcf07e47b1d3c4cd0e720cced282db5caa1593c140ad923449e40397f0

Download Submit
\Windows\SysWOW64\Bkommo32.exe

Filesize
93KB

MD5
ed4099308b8373e15ba1f11576ebb078

SHA1
0b44f12089317c57244833eb3523e06ae18f3bea

SHA256
f77ae5122f34d0e56192d8929b9f054fb35dc12db248d0771883d9cdcd8626d6

SHA512
d74068020d451ceb68a617f606a2b417632c7e1d8aa5b5c4fc04942cd1807650818e5dab0a399ff915e22d451475dec19aa6f4343d2c0441c205d0db7bd0abe4

Download Submit
\Windows\SysWOW64\Bldcpf32.exe

Filesize
93KB

MD5
5af415220f1f6787704ae3626bf46ce0

SHA1
0e48dd426abdd0dbb55aed7178e77a3a896e5664

SHA256
c9a495d32d3b8c8d36ca4ffca0eb00f76a003cf20213acc20563f46dcbca9843

SHA512
109528e56df92a7684d66201ed5147539f54a576001cfb593a317920344b9c9dacfaf4903583ae97e2771a4dddfd76e2b11d8464fd48ad68520fb8ec728d568e

Download Submit
\Windows\SysWOW64\Bmkmdk32.exe

Filesize
93KB

MD5
3d4ce76f448c4f7616a358d0ccbcd09f

SHA1
7d475ab198e890bccc6354c9705c1dff7afb1b74

SHA256
265dd87e2290471096f75da6c8a8ae58a195e049493e652757b756cf00d1c88f

SHA512
17f28aacfd41aa2046f1010c04ade7231b44f49dc1ace713f0c0902551a1f9f55158bcaa5458df9ca0fd7d90bd6c63c513ddb5d8918dcd428ad6e45528175ef7

Download Submit
\Windows\SysWOW64\Bmmiij32.exe

Filesize
93KB

MD5
9c40fe424080e4e07061274aa1e9a6ee

SHA1
661827870092aadd2582766c5096028eccf1cd01

SHA256
7e3de5c85f226f3dcb2b579096a0208a31e37734e85c880ee1b2afe679f57d25

SHA512
18eb3a4b7b5260e4de8ed9f1fe57f9747f329fd380082c5cd25ce00a3d8064a6821526ebd67303557170731c32c96b12bd67f8bcede7644b013d5bde4cd333ab

Download Submit
\Windows\SysWOW64\Bmpfojmp.exe

Filesize
93KB

MD5
776ad08c7e719821938eed5d22c1759e

SHA1
18fae2b5711317f849b316b34847652c7a840a9d

SHA256
0282bf0d76b7fd8349c664afcd853f527295c7070a5f93ed208d1db6dc7baff3

SHA512
c3f09334adf22fd8f54aac9e412d7a36096b98ac6aeb15b9ec00dcb7a9d59fe1a0ff35240a6bd86c9ef38e2379c1ea699ff8d48e9378bae6f32c14cd4292e9a3

Download Submit
\Windows\SysWOW64\Boqbfb32.exe

Filesize
93KB

MD5
d9070f0214bd949f0c049f80c013a04a

SHA1
1da3b88f4af85ee5a2a04fe4c9a0f4c207981268

SHA256
63b4be9fb3fd4622dc25a7b966a0bbe6b564ad13356b2c5b890f117993fd863f

SHA512
ca3d3d177d6b539d2bb3f192fc7b08e73bf2506a6aafacf7113739cd6649e91639d30e145a459c77257abcc498e5116b0285f039bd12adf76a77c0f59dd140d6

Download Submit
\Windows\SysWOW64\Bpleef32.exe

Filesize
93KB

MD5
c4ac06ae3e513439828228d0506bb6f8

SHA1
9295e47078fc55708de9acd5519edffb54afd570

SHA256
f5aaa3efd80d182190a87a45d9ecfdc8a7c5a67e6ba4544f21649ac1e8220604

SHA512
a3c09efc4feff29ab4f5c21dc038509e9e132598c906f1b879ec65617fa18296ef9eeab4b4d1e83c0c064b7346d065af635f5427407396f1b52813916bed1c16

Download Submit
\Windows\SysWOW64\Cadhnmnm.exe

Filesize
93KB

MD5
addbf69c2a4cbe33c271470a969a0ec2

SHA1
f4f6ad8d6c28c2b09d2762c7c9e317dfeae0877a

SHA256
fd59472af100368d580343989b10d29b920cb2c1deb8b35f894cfe36870e528f

SHA512
cad5698d69e35221ec1bb05ca15024fd40b9f2e2e67a3298389eb7e725ef70c2a3dafd27d01cb8823142adbe829a6ee16d45ba4fb733568ba5a5fbcc94e4b993

Download Submit
\Windows\SysWOW64\Clilkfnb.exe

Filesize
93KB

MD5
3bda6d4cee65b99dde5689d568ac6f9b

SHA1
ee2ec7aa04536b36415710250c2a128c30132d88

SHA256
3e987876d3b4e5da5a3c5f9bbca06d9c2765f5ea12140d595eba8a53eb885d42

SHA512
39a703e80c4633fd0c584a72e5295e13f13953c5c2cdea14493a47492ecf44fd82a88c3e34e206f577bcf4938b2908728c2d6d798de09ba629ae7535199f03c7

Download Submit
memory/300-380-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/300-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/300-379-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/596-373-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/596-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/700-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/700-293-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/700-292-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/856-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/856-238-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/856-239-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1004-158-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-271-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1032-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-270-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1196-492-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-493-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/1196-494-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/1220-451-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1220-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1220-457-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1228-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1228-256-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1228-260-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1536-302-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1536-306-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1536-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-183-0x00000000004A0000-0x00000000004DF000-memory.dmp

Filesize
252KB

Download
memory/1744-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-441-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1784-434-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1784-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1856-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2076-395-0x0000000000360000-0x000000000039F000-memory.dmp

Filesize
252KB

Download
memory/2076-387-0x0000000000360000-0x000000000039F000-memory.dmp

Filesize
252KB

Download
memory/2076-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2184-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2184-423-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2212-467-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2212-453-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2212-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2232-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2232-482-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2232-481-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2264-470-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2264-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2264-469-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2292-249-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2292-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-113-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2376-483-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2500-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2500-595-0x00000000772F0000-0x00000000773EA000-memory.dmp

Filesize
1000KB

Download
memory/2500-594-0x00000000773F0000-0x000000007750F000-memory.dmp

Filesize
1.1MB

Download
memory/2500-295-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download
memory/2520-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2520-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2628-58-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2628-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-353-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2676-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-358-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2692-330-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2692-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2692-336-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2708-26-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2708-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2716-313-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2716-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2716-317-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2732-339-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2732-338-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2732-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-402-0x00000000004B0000-0x00000000004EF000-memory.dmp

Filesize
252KB

Download
memory/2764-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-12-0x00000000004B0000-0x00000000004EF000-memory.dmp

Filesize
252KB

Download
memory/2764-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2812-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-282-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2836-281-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2924-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-411-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/2932-139-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2932-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads