berbew | a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe
Size

93KB
MD5

a03b2c15ea5ef798dc14cdef4594aa50
SHA1

11b3767cbbe0b117d228c0d1ac65696c933e0734
SHA256

a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552
SHA512

9c188583dc2f619d2703b2564bb9eb761b230a4f19223e38e2602600c931e9365ad931981fd4981a29658c24a3ea6028b214f709789fa4e990cf569f3f7d7652
SSDEEP

1536:DULivZPyZoYRJ7gZa8QPZvPaHX1YSEIFtlh1DaYfMZRWuLsV+1D:DULgP2oYRJ75XBvsMITbgYfc0DV+1D

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 38 IoCs

pid	Process
3248	Afoeiklb.exe
2592	Aminee32.exe
4436	Aepefb32.exe
4508	Agoabn32.exe
4232	Bmkjkd32.exe
3608	Bebblb32.exe
1708	Bganhm32.exe
2892	Bnkgeg32.exe
1384	Beeoaapl.exe
1540	Bgcknmop.exe
1132	Bjagjhnc.exe
1852	Balpgb32.exe
3260	Bcjlcn32.exe
592	Bnpppgdj.exe
4340	Beihma32.exe
4136	Bhhdil32.exe
3148	Bjfaeh32.exe
2524	Bmemac32.exe
3940	Belebq32.exe
1012	Cfmajipb.exe
832	Cndikf32.exe
1112	Cdabcm32.exe
4760	Cmiflbel.exe
548	Cdcoim32.exe
4256	Cfbkeh32.exe
1224	Cdfkolkf.exe
3372	Cnkplejl.exe
4620	Cffdpghg.exe
540	Cegdnopg.exe
2344	Djdmffnn.exe
4712	Ddmaok32.exe
2376	Delnin32.exe
4276	Dkifae32.exe
4996	Daconoae.exe
60	Dfpgffpm.exe
2328	Dmjocp32.exe
4064	Dgbdlf32.exe
2384	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	2384	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cnkplejl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 3248	3304	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe	82
PID 3304 wrote to memory of 3248	3304	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe	82
PID 3304 wrote to memory of 3248	3304	a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe	82
PID 3248 wrote to memory of 2592	3248	Afoeiklb.exe	83
PID 3248 wrote to memory of 2592	3248	Afoeiklb.exe	83
PID 3248 wrote to memory of 2592	3248	Afoeiklb.exe	83
PID 2592 wrote to memory of 4436	2592	Aminee32.exe	84
PID 2592 wrote to memory of 4436	2592	Aminee32.exe	84
PID 2592 wrote to memory of 4436	2592	Aminee32.exe	84
PID 4436 wrote to memory of 4508	4436	Aepefb32.exe	85
PID 4436 wrote to memory of 4508	4436	Aepefb32.exe	85
PID 4436 wrote to memory of 4508	4436	Aepefb32.exe	85
PID 4508 wrote to memory of 4232	4508	Agoabn32.exe	86
PID 4508 wrote to memory of 4232	4508	Agoabn32.exe	86
PID 4508 wrote to memory of 4232	4508	Agoabn32.exe	86
PID 4232 wrote to memory of 3608	4232	Bmkjkd32.exe	87
PID 4232 wrote to memory of 3608	4232	Bmkjkd32.exe	87
PID 4232 wrote to memory of 3608	4232	Bmkjkd32.exe	87
PID 3608 wrote to memory of 1708	3608	Bebblb32.exe	88
PID 3608 wrote to memory of 1708	3608	Bebblb32.exe	88
PID 3608 wrote to memory of 1708	3608	Bebblb32.exe	88
PID 1708 wrote to memory of 2892	1708	Bganhm32.exe	89
PID 1708 wrote to memory of 2892	1708	Bganhm32.exe	89
PID 1708 wrote to memory of 2892	1708	Bganhm32.exe	89
PID 2892 wrote to memory of 1384	2892	Bnkgeg32.exe	90
PID 2892 wrote to memory of 1384	2892	Bnkgeg32.exe	90
PID 2892 wrote to memory of 1384	2892	Bnkgeg32.exe	90
PID 1384 wrote to memory of 1540	1384	Beeoaapl.exe	91
PID 1384 wrote to memory of 1540	1384	Beeoaapl.exe	91
PID 1384 wrote to memory of 1540	1384	Beeoaapl.exe	91
PID 1540 wrote to memory of 1132	1540	Bgcknmop.exe	92
PID 1540 wrote to memory of 1132	1540	Bgcknmop.exe	92
PID 1540 wrote to memory of 1132	1540	Bgcknmop.exe	92
PID 1132 wrote to memory of 1852	1132	Bjagjhnc.exe	93
PID 1132 wrote to memory of 1852	1132	Bjagjhnc.exe	93
PID 1132 wrote to memory of 1852	1132	Bjagjhnc.exe	93
PID 1852 wrote to memory of 3260	1852	Balpgb32.exe	94
PID 1852 wrote to memory of 3260	1852	Balpgb32.exe	94
PID 1852 wrote to memory of 3260	1852	Balpgb32.exe	94
PID 3260 wrote to memory of 592	3260	Bcjlcn32.exe	95
PID 3260 wrote to memory of 592	3260	Bcjlcn32.exe	95
PID 3260 wrote to memory of 592	3260	Bcjlcn32.exe	95
PID 592 wrote to memory of 4340	592	Bnpppgdj.exe	96
PID 592 wrote to memory of 4340	592	Bnpppgdj.exe	96
PID 592 wrote to memory of 4340	592	Bnpppgdj.exe	96
PID 4340 wrote to memory of 4136	4340	Beihma32.exe	97
PID 4340 wrote to memory of 4136	4340	Beihma32.exe	97
PID 4340 wrote to memory of 4136	4340	Beihma32.exe	97
PID 4136 wrote to memory of 3148	4136	Bhhdil32.exe	98
PID 4136 wrote to memory of 3148	4136	Bhhdil32.exe	98
PID 4136 wrote to memory of 3148	4136	Bhhdil32.exe	98
PID 3148 wrote to memory of 2524	3148	Bjfaeh32.exe	99
PID 3148 wrote to memory of 2524	3148	Bjfaeh32.exe	99
PID 3148 wrote to memory of 2524	3148	Bjfaeh32.exe	99
PID 2524 wrote to memory of 3940	2524	Bmemac32.exe	100
PID 2524 wrote to memory of 3940	2524	Bmemac32.exe	100
PID 2524 wrote to memory of 3940	2524	Bmemac32.exe	100
PID 3940 wrote to memory of 1012	3940	Belebq32.exe	101
PID 3940 wrote to memory of 1012	3940	Belebq32.exe	101
PID 3940 wrote to memory of 1012	3940	Belebq32.exe	101
PID 1012 wrote to memory of 832	1012	Cfmajipb.exe	102
PID 1012 wrote to memory of 832	1012	Cfmajipb.exe	102
PID 1012 wrote to memory of 832	1012	Cfmajipb.exe	102
PID 832 wrote to memory of 1112	832	Cndikf32.exe	103

C:\Users\Admin\AppData\Local\Temp\a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe
"C:\Users\Admin\AppData\Local\Temp\a1d088495ab370b2ade0e531e77455c0185799e3295f1c8c3ec50d872fff4552N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\Afoeiklb.exe
  C:\Windows\system32\Afoeiklb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\SysWOW64\Aminee32.exe
    C:\Windows\system32\Aminee32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\Aepefb32.exe
      C:\Windows\system32\Aepefb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 212
        40⤵
        Program crash
        
        PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2384 -ip 2384
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
93KB

MD5
0e64d38dd0a0fc14235b8277bc392a2a

SHA1
b8ddf55821cfba886a706ed14380517478468590

SHA256
5a04d986a664b90e350cd49d1fffccf0be193612e9121b586ed708bb785e8f82

SHA512
2f7fb07f74268a22c3c6a5dc469b5c0883d4c1381233ebf7d736f076195931413c8b1bf55d28d48a742c8a6bdb6a20aa7395aeee73669665ff57a81b2e1a8fae

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
93KB

MD5
190e001fce7333849935f51480c42cf9

SHA1
3f5795b686142e687ae01d20023bc0685ce41636

SHA256
e73a8b927f94b0e5b0bd4025cf8a4bb202e1d95166508855f167165e0f19c6e5

SHA512
078e241ef5674678e6dc5f9d208cf6afe513c65bdbaf223fd666f42f89d89a7d51d027beae3791f5b1860afb1261365ac817e178281e7921ce5ec49fd2f39ceb

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
93KB

MD5
de067848c204ed3719fc90819df07720

SHA1
227b43222a29b2f5c75dfd1f5a019c1f6b9f37d5

SHA256
2eef3ea5ad815591b32f495d4c4f16c5636600964cb8d41d9d043893ce867244

SHA512
4641d1fbfc1fbf08c5ed0d59683336ec3ebaa8352f76ea8f750f0d2d182b39c4998b1335cb3dbbc9f73061d900b4f2fec2cb03a4acc68da7152f13b8fc1054e9

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
93KB

MD5
8428e6e7dc7377a7bf0be0998aba5471

SHA1
5a375d31d204350b4b21e55265dec4266ff28c0f

SHA256
35e1aa2b5750ee19b5c84a0db9030af77c5fe799f2501912e66401a2a9215c61

SHA512
a567e61732569a4b51d6ef796cef891b8ed0a10b57c29d5e8c0c3646274d6f03036d5e2750ef1040ed0859ce5a9be0b34fef78ebbbcc72177130cdbc645dde5c

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
93KB

MD5
0156a86af1d1c832cc6528a250f2e2f8

SHA1
3abcfaebc3656b8811b708dc564096b895b4fe76

SHA256
0c2d7bf6493e6031ffc6c2d34744c9d085188703a1a3e7797906271ef5212019

SHA512
28d020e09501d2226a027375762b74a36a5e8f15cac398d8204aba0a640f8266875fb42a13cbf30b784887f2da411660d7fbc4b570e34901bbd68ccf794fbd90

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
93KB

MD5
7c71aa568f9a2e780218aa36dd38f5db

SHA1
f609bcbbd3f32ad5319d16bf61e46c9ed7a58f23

SHA256
299ef901d2883c61b128f2a34fe7b857835c41ab5cae887beed102956910f322

SHA512
e3d6ccdacd49b1e43b7b8da4acd9db8a19126b26f72df4cdae0c93d74640d8a30822e3db786814f46a83efcb347d59ffa11972d27ebaa276189727ec49be5a6b

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
93KB

MD5
c475954c1e19171d29b512f080c2d38e

SHA1
0e3032caa8e01ded3f1a85df11f50e85d102248d

SHA256
f60c1d0f2efa539145cb8b4d20b9adb7d15ac403a811bbcf91d2bb3afad44d81

SHA512
d82adae614091e3223b6e1785bd2e43d2c52ecf1f67c45c3f69c91b7553b475165be7189aa3985ee97bebc35dec617a4caa637fa4d26ec0cee20cb8a99f7101b

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
93KB

MD5
5cc2650b5b58df70044883b2e2f56a86

SHA1
0968a2cbf7be312b02295652f2a7282e236183d4

SHA256
e27b3bcb30a17e79c3a11f84c63e9bbcce0fb1e644dc08a21326e4adf624a52c

SHA512
477244498e7da06881ba6d815b9964360cbd2d1ad0b141e407611f94ff019c439d2d048ee62f6d6370f0e9f227887474bb0ae301ad19e07df37b9ec2968a5b75

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
93KB

MD5
6b9bfaa319d68961703f4aa75d89ca10

SHA1
8a30430070e3f865a0929e7bd1689c3da1103f17

SHA256
538af3f69889d15ff8cd68f3793cc9dec06d108db8f8144d7e2b307eb3feb59e

SHA512
9e442e3959cf6040418654d3d5340eb6ef78d74c2b56d15087080071e4e80109926005e6fb3ec3efce695605532815b41f01911dd45953acf774edbb6c81280a

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
93KB

MD5
37d70537b70723d5d953dab4e793399b

SHA1
cdce17e4a90b956b3130b39c3931051a8b938680

SHA256
75035dcb89e600ca07197d17eec311d0c278060a263dcfebd716752917a43f11

SHA512
75870a838c64c02e1ffca2f1794d60ff9501e045993d2f4105d44bdbea74a983f3cfe522f86b966e17c1089cf054597d5573dfa152854074db42be741fb48f23

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
93KB

MD5
d6105d638b4dec730168057f35ab965b

SHA1
871bf0e4b40f4a0d583884677ee1b34ab4683bb5

SHA256
1ed33a17cbb8669ed64069ca520e7c316c6ab36d0a7740a3565fc066afa60c8a

SHA512
2e166b704e81d12411258dcaa0f6b5abbae5c05fc5804e77180835a279ad6e99eab27682aee23542f3ec8e310436e2428c121da551c8ad9eed6ab864cb258215

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
93KB

MD5
24f8f1985ed73592a597db54ea067d2f

SHA1
a63d383b31d8f0ce728a5b66b6a5fd4150184cb2

SHA256
d6ba034791afc2116df479ea100ea798bb0354e1cd1bb6250406006820fe3958

SHA512
71ca647dbe37cdd150e37ed35e4302f3a3034fb3ab97a04cee498ee599553499509080246440ca24cf4a159dcd796fec75df9e208e5d029fe40b70657b18ce21

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
93KB

MD5
83f4f0b337aaff86384a3954e74a4798

SHA1
cac2fba5ca495894d9408ac5dac0349f54084bfe

SHA256
5c575d01c12848a201c09dcf9c8c477eb7c7035497d295984e5b496831496554

SHA512
ceee949db50eab38cc920ed64a9077f709cdc1cf272522742d51d084ee19d1774a5d065934eaa66be8afab9ec2cbf87ed8e6504732de55797dd466683263f15f

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
93KB

MD5
ae4abe9d475eeafb01bab3c66c2d9f21

SHA1
cf7078735bbf2dde5a458e760c9985c9fa5822fe

SHA256
fb518052d279f1984faa1309ee465cfa122161570028223879d0a8e1a695fee7

SHA512
8823f699c0e024a1e8896784cdee4a6edde26656cb8a6d6ec87f3daea9969fcf9c227fc33add84e604d0d367586cd5367fddab48dd2f5fcf6b3f18351b567987

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
93KB

MD5
38674243a807154898b651e849d666a4

SHA1
d640bd698d8337d4e2bb2b9753b3edfdbe97d07a

SHA256
e8d7938a440646a6a89465129b3019fd090d8abac758ea83f0eb497225a3480a

SHA512
dae79978eff409e2e9f26158fb0a063eaa5361fe95878d348aa95c213978d3d6d646700a78fd8a61c7dbab2cf089ec2863e1fe8e5decd553c503899f7d26cc2b

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
93KB

MD5
04e0fd64fe3669bdbbb407b3fd426457

SHA1
aa2b6c58031d5dc4929dc404b045a4f7f54872d9

SHA256
f1af122c9198b233273248eb761d800680443fc39b18de1e758bc1d50aa4ccf1

SHA512
e13ceaf850f06d7560e7c8517847834242e27993d50085a8ced57b54313d54919480acb1f940e5ea8ced6fc1c594a370245d2f32c760e3f701d3a50fca33f02b

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
93KB

MD5
7673f3dfa75d8331a08abee1712b428f

SHA1
eae7ded0fa29f8b27e82508abc953fa8ea2c2dac

SHA256
7e94486167fde16ad4b52545a67e90eff3d044a9cd62f50308b015b88376693e

SHA512
0089ad598205820724184f965c4ac889183d6822d7d4fd644b5f81c071e25c841099d1f6ea2383f8009e71770783c0b906ef09689279f760346f5c5a1f80e856

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
93KB

MD5
646645cd3534320283fe5548fdd5cdf2

SHA1
7c962419418d9b32e0587a04aa21070bfcc43567

SHA256
cb90dfd47ce76d768e7e965912179fe9bec3e3fd3a6e772c262880490020a989

SHA512
17c611395cf523c6e513cfc751236ca5e02b160a27ee018cee18f83b0dcfe7f385345656ef99219340fca5b04b99661501b82af55c9dca673548172e795bc22e

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
93KB

MD5
8e87711555c48c034190f3dca108988a

SHA1
1ab00cdf6ca24937dffbbb95815e789330b13fb1

SHA256
efd5347d2ae650cf8060e74e9a3297f9564f9e7e529a0f4e52d18be524a73c4e

SHA512
944a1df3b2ac94e5ec49f043261945c7e414e1bcc24bf2b434b78c16a26b9907a9b6a546fec3a8f39b76225d0f89d1ac2bfbed49053b08b02fd75032d67366b3

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
93KB

MD5
9272f393faf06c911e41f60a03054bc2

SHA1
a17b592389b0e027a99d8910770defb683f11946

SHA256
e516b3c9153768091790543d0867a01fd818cb0e1bc9fe5a19987cac5c1e1ef1

SHA512
f0e4d84786a2fd9ffaf42311faa6a53a36e4af754c25e4e47faa24fcf5a86b692ede8347e78a396587c78ff8951b89df9acd461c33b1aa81b368244d8304fba9

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
93KB

MD5
447ce0fe515a0c4325b8f709906dbd3c

SHA1
5bb5dbe3a7fdfab8973f700860e896aad35bc04b

SHA256
456deadabb0491d4a0ad4d4664f9ae099bb2775584e1028f6843e09985d0ee8f

SHA512
a874cbb4a6d9a4cd283e6d7e76f74e7c15c2d0ee1f5deca09e694eee0ed1d2f07138a3c174a050fb999a6ec4e5f1e336247918325a8a15936456bb3651bbbee0

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
93KB

MD5
39e77a88e5a05390a042b20d40611f04

SHA1
451d1c2120808adfaff32b45df4f96ce94e6ff63

SHA256
22cb39626a6c350249b266b8c75d67329ec62b27576daeab6e9680b2eac50837

SHA512
65076f62858431edd63c2db796d76df76286b74541ceec29eb5cfbd968e756e6a5d3ba5d5c16f3fb70d1251d89cc7892c8687d7a28b6fadefcc65d17252623be

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
93KB

MD5
dab94acc1fc0320a4d125a1e510814fd

SHA1
15c3f2a9a2b6d48917c98bd0c5cdbde7033a113e

SHA256
5c5b3c170ac3f39739bbb0f9cf16ed17f801bf32ec939fec04bdc1a08bb0647c

SHA512
9f8420186b74e6ecbc6080beec7b1b76a45969f1e03631b920dce9b817f590b3d75d7b92a02b277f7691c789698defa10cb4df6b85d7f13b6f52cc940f4525f2

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
93KB

MD5
989bb9b6822371dd3159c0feed473958

SHA1
6999a82c3d6df8a4bd283578a79884807c9aec97

SHA256
65144a04f26c4db6b673aef1ca8407535f3987e1246b4e9afe8d1e2f95fce5ef

SHA512
e31e27dbe10b0749fea435708c3dee416edcdc7498e05a6ae3c14e8e5dc0abe470e26a5727510cb7896d169a394f3caadd56eae315d5e41e5cae5e06d2c066b1

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
5b9756d4dbc939d086915086a8ad25a2

SHA1
dbee5c4fb9522ce399163e69969293edcddf234d

SHA256
b40f1602a4325d763b7c5f3225cffead40aee6ad2f29b19916c0ca448f6343e3

SHA512
88f893c5c242f918148ba9b5385f826857089e53600e029eaf26bde272ad4f2e656fe54d85c2af36c3e7a2f4a7cfc1315b6e361c0f43f37e52766451d9c36b56

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
93KB

MD5
43dd289acc734447396430bc88ada7b3

SHA1
829a81186bd34d693f789696fe049bf44306ceee

SHA256
cc32d82dc24ebde36683a9c93a63786e39b865fcee96f8198f9f8130efa9537e

SHA512
de3d36a09a0c17d2f241f13e7e70cad4c529a584d4a2f0922da3176dfab1fe9cdb254171047a7dfd67cf25709a684ff1e890b724cd5dd0c1f850b093d1b74991

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
93KB

MD5
302b10234668f57532234cf1a290fb9d

SHA1
e9cc656221c615ea89d4991ece986a5929585f36

SHA256
1ad86b5abffa9300145f5eff7270a029419e63be3ef2760be74b470dbfd01ca9

SHA512
56d0939fd4acfd60c7eeab8b2a8e957f11c028317dfb0018592a7298d286917d97788570dd05d2f8296969ef8bd99baeacb55490ca34c79ea18974e04b830027

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
93KB

MD5
61e19e76d4628b5b6d3b89bcada4e74c

SHA1
9832081945458640293cd32656bc6deba99c35d7

SHA256
8161726ab44c5eddee8e61963038d6c92356ecb48114ff2ad1d0a36982edec68

SHA512
484ece33bab3fac4cfdf709eca0cead304ef10b391962f8b036d91d3f8063a9741b46fdafdc05c155b8d749952481f5887d8644df87698627aa24d123795971d

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
93KB

MD5
9a7547c3027e0e77a29c0d0aa3df8381

SHA1
57ea830d0b385bc188355767052e588e8bf0b850

SHA256
aa4084f795a02ff8ad8727a7c84fcbe24b0578df04483bbcc695313074f415d1

SHA512
12d4c40f8e5b84b7edea1690fe8432bd78eea70e57dc23c8c0cd17d3e09f6864eaf83a8a3d5d23e3fba854d50cfc57ee9f2a79f195c71fea486ecf4f9064c653

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
93KB

MD5
caea7ad83daea582895036835fcff149

SHA1
c8cd4fc57eb7cebd86a2234a3afcfa305b6be8f3

SHA256
91f0b9fba66705266242f0814dfb5379676f3873db1492b03d6a825876f01de4

SHA512
798de3759faef9e7e0fe1af7b635c0d7a8d684d5913929cd466d73a8805ebe871669b8d8f601011d72121a3218d7977e9186ad9bcc2661571d5cc94b90b4a0b4

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
93KB

MD5
c8d0effe836d5bc98cb309a0cdcdcfa0

SHA1
3bfbb02b6ee73c5256b644c8d9b1459d239b41e5

SHA256
4117e9848417808cc54b087573293590d58d02d645ada36d7de07ebbaca7885c

SHA512
ed9cb4513d23707b0344e93371ca791ef6b5f8e370257a2d0f45c5bdcf718f235a0de1b71d1e7c46f1a4d73ace1305ace85cdd883319bf15880a3c1efc1e1b4a

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
93KB

MD5
f36e7d63b8131802c533912a43a3bf29

SHA1
7b4641f722081625ab9c3b267470ab520148bfea

SHA256
83c48ea476b10aef5c8fa9946104e6a923ff3ca3d7829908ce945595171d3814

SHA512
e9b02f448774d2866d8399db83ff64f0b8a8bac0ab2f0904305420fa5899cb79c4cd5f5b699269a39512f384c230034494a169a99aa20a1c155aa6723f049392

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
93KB

MD5
52c5675f8de4e699b99fe7e5f07d52ca

SHA1
f71bb10a1dc10b9c5de4a3d46099b7eceb1bf9f7

SHA256
f1f90b85db500483eb937385b3a227977dbd4ded3b89976582a87aef43f0694d

SHA512
b8293b38d8252b329adf1c068e7428d34c86179887aefbd5db8a4c0a324034916d3323ee9b6f2dff5773d98157964aa1e9f5358715fa45ac67f4c0a8d9f22945

Download Submit
memory/60-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3304-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads