berbew | a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960N.exe
Size

320KB
MD5

2b2b946c562341881a9362204bdf76a0
SHA1

b859c1baf4a645009cfa5cd40d222164d1b6cb50
SHA256

a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960
SHA512

a41aee01b229ee7bebba3d59dab485f81bfa512478b74add5e81e220f5edff50dc5c8baff8d0c8b2050ffb10771e2fe66a6f32fb3694e4a7fe87137c00175afa
SSDEEP

6144:TtXu35TxKhSF3QdQQO+zrWnAdqjeOpKfduBX2QO+zrWnAdqjsqwp:RXaT5QK/+zrWAI5KFum/+zrWAIAqe

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2536	Anadoi32.exe
2644	Andqdh32.exe
4484	Aabmqd32.exe
4808	Acqimo32.exe
3232	Afoeiklb.exe
2248	Anfmjhmd.exe
4324	Aminee32.exe
3476	Aepefb32.exe
1612	Accfbokl.exe
4696	Bfabnjjp.exe
4848	Bjmnoi32.exe
3376	Bmkjkd32.exe
4424	Bagflcje.exe
1112	Bebblb32.exe
2708	Bganhm32.exe
3252	Bfdodjhm.exe
2860	Bjokdipf.exe
2124	Bnkgeg32.exe
4496	Bmngqdpj.exe
3668	Beeoaapl.exe
3016	Bchomn32.exe
3656	Bgcknmop.exe
1460	Bffkij32.exe
4944	Bjagjhnc.exe
3972	Bmpcfdmg.exe
4452	Balpgb32.exe
4700	Beglgani.exe
2696	Bcjlcn32.exe
1852	Bfhhoi32.exe
868	Bjddphlq.exe
1240	Bmbplc32.exe
4388	Banllbdn.exe
3184	Beihma32.exe
756	Bhhdil32.exe
2108	Bfkedibe.exe
2820	Bjfaeh32.exe
4436	Bnbmefbg.exe
820	Bmemac32.exe
4740	Bapiabak.exe
3512	Belebq32.exe
3120	Chjaol32.exe
228	Cfmajipb.exe
4548	Cndikf32.exe
4704	Cmgjgcgo.exe
744	Cabfga32.exe
2544	Cenahpha.exe
2668	Chmndlge.exe
4264	Cfpnph32.exe
4980	Cjkjpgfi.exe
1672	Cnffqf32.exe
1012	Caebma32.exe
3628	Ceqnmpfo.exe
4852	Cdcoim32.exe
4004	Cfbkeh32.exe
3416	Cjmgfgdf.exe
1380	Cmlcbbcj.exe
544	Cagobalc.exe
5052	Cdfkolkf.exe
548	Chagok32.exe
3596	Cjpckf32.exe
2140	Cnkplejl.exe
3608	Cmnpgb32.exe
2384	Ceehho32.exe
216	Cdhhdlid.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960N.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5500	5264	WerFault.exe	174

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 2536	4812	a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960N.exe	83
PID 4812 wrote to memory of 2536	4812	a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960N.exe	83
PID 4812 wrote to memory of 2536	4812	a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960N.exe	83
PID 2536 wrote to memory of 2644	2536	Anadoi32.exe	84
PID 2536 wrote to memory of 2644	2536	Anadoi32.exe	84
PID 2536 wrote to memory of 2644	2536	Anadoi32.exe	84
PID 2644 wrote to memory of 4484	2644	Andqdh32.exe	85
PID 2644 wrote to memory of 4484	2644	Andqdh32.exe	85
PID 2644 wrote to memory of 4484	2644	Andqdh32.exe	85
PID 4484 wrote to memory of 4808	4484	Aabmqd32.exe	86
PID 4484 wrote to memory of 4808	4484	Aabmqd32.exe	86
PID 4484 wrote to memory of 4808	4484	Aabmqd32.exe	86
PID 4808 wrote to memory of 3232	4808	Acqimo32.exe	87
PID 4808 wrote to memory of 3232	4808	Acqimo32.exe	87
PID 4808 wrote to memory of 3232	4808	Acqimo32.exe	87
PID 3232 wrote to memory of 2248	3232	Afoeiklb.exe	88
PID 3232 wrote to memory of 2248	3232	Afoeiklb.exe	88
PID 3232 wrote to memory of 2248	3232	Afoeiklb.exe	88
PID 2248 wrote to memory of 4324	2248	Anfmjhmd.exe	89
PID 2248 wrote to memory of 4324	2248	Anfmjhmd.exe	89
PID 2248 wrote to memory of 4324	2248	Anfmjhmd.exe	89
PID 4324 wrote to memory of 3476	4324	Aminee32.exe	90
PID 4324 wrote to memory of 3476	4324	Aminee32.exe	90
PID 4324 wrote to memory of 3476	4324	Aminee32.exe	90
PID 3476 wrote to memory of 1612	3476	Aepefb32.exe	91
PID 3476 wrote to memory of 1612	3476	Aepefb32.exe	91
PID 3476 wrote to memory of 1612	3476	Aepefb32.exe	91
PID 1612 wrote to memory of 4696	1612	Accfbokl.exe	92
PID 1612 wrote to memory of 4696	1612	Accfbokl.exe	92
PID 1612 wrote to memory of 4696	1612	Accfbokl.exe	92
PID 4696 wrote to memory of 4848	4696	Bfabnjjp.exe	93
PID 4696 wrote to memory of 4848	4696	Bfabnjjp.exe	93
PID 4696 wrote to memory of 4848	4696	Bfabnjjp.exe	93
PID 4848 wrote to memory of 3376	4848	Bjmnoi32.exe	94
PID 4848 wrote to memory of 3376	4848	Bjmnoi32.exe	94
PID 4848 wrote to memory of 3376	4848	Bjmnoi32.exe	94
PID 3376 wrote to memory of 4424	3376	Bmkjkd32.exe	95
PID 3376 wrote to memory of 4424	3376	Bmkjkd32.exe	95
PID 3376 wrote to memory of 4424	3376	Bmkjkd32.exe	95
PID 4424 wrote to memory of 1112	4424	Bagflcje.exe	96
PID 4424 wrote to memory of 1112	4424	Bagflcje.exe	96
PID 4424 wrote to memory of 1112	4424	Bagflcje.exe	96
PID 1112 wrote to memory of 2708	1112	Bebblb32.exe	97
PID 1112 wrote to memory of 2708	1112	Bebblb32.exe	97
PID 1112 wrote to memory of 2708	1112	Bebblb32.exe	97
PID 2708 wrote to memory of 3252	2708	Bganhm32.exe	98
PID 2708 wrote to memory of 3252	2708	Bganhm32.exe	98
PID 2708 wrote to memory of 3252	2708	Bganhm32.exe	98
PID 3252 wrote to memory of 2860	3252	Bfdodjhm.exe	99
PID 3252 wrote to memory of 2860	3252	Bfdodjhm.exe	99
PID 3252 wrote to memory of 2860	3252	Bfdodjhm.exe	99
PID 2860 wrote to memory of 2124	2860	Bjokdipf.exe	100
PID 2860 wrote to memory of 2124	2860	Bjokdipf.exe	100
PID 2860 wrote to memory of 2124	2860	Bjokdipf.exe	100
PID 2124 wrote to memory of 4496	2124	Bnkgeg32.exe	101
PID 2124 wrote to memory of 4496	2124	Bnkgeg32.exe	101
PID 2124 wrote to memory of 4496	2124	Bnkgeg32.exe	101
PID 4496 wrote to memory of 3668	4496	Bmngqdpj.exe	102
PID 4496 wrote to memory of 3668	4496	Bmngqdpj.exe	102
PID 4496 wrote to memory of 3668	4496	Bmngqdpj.exe	102
PID 3668 wrote to memory of 3016	3668	Beeoaapl.exe	103
PID 3668 wrote to memory of 3016	3668	Beeoaapl.exe	103
PID 3668 wrote to memory of 3016	3668	Beeoaapl.exe	103
PID 3016 wrote to memory of 3656	3016	Bchomn32.exe	104

C:\Users\Admin\AppData\Local\Temp\a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960N.exe
"C:\Users\Admin\AppData\Local\Temp\a31935bde55d583aecd183b7b6a5ba443faeb93d9f6895eff48b214b03a27960N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\Anadoi32.exe
  C:\Windows\system32\Anadoi32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\Andqdh32.exe
    C:\Windows\system32\Andqdh32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\Aabmqd32.exe
      C:\Windows\system32\Aabmqd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        69⤵
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        78⤵
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 408
        94⤵
        Program crash
        
        PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5264 -ip 5264
1⤵
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
320KB

MD5
3e2325852242cf5152733cc964a9de24

SHA1
755133985716569ee912f37dce70cb73de1154cc

SHA256
b5b9c28affe0e8e04d57d0a0efcb3cc8b70da23957451e716eccb8f300bf87cb

SHA512
8d82923b3cfffc67ff13ccd8f5d607b73666dbcff1e47817f61cf3f7ef391a0400cb9e5f55f4dc4f661823c132224944ea5855c44162fb06ef73863ee5422587

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
320KB

MD5
70a2468401fc55c673c6d63d1eea0909

SHA1
aaf81e81f3fa0551b2f649c0376e52f93d1f5675

SHA256
dc6246d945ce634323cd3e98741af3bd7e1d12537238d48ef29aede97db6b6a6

SHA512
5e981d4467aa83ba06db7f54ef4e43abf76e4f6d0e07270d5ab5913effc72673b3842bea54d34de6fee2ff891f2e90cc726fa2f78cd55dfb359c05dc6fecb6af

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
320KB

MD5
6d1e4c8d23b88cc4a0872a3f07954db4

SHA1
1e79b5abe366efbe47a7b52a7d20cd79f75f24eb

SHA256
d7c30485ed39dda4a88e2cfcd05c9cc3be9e5dee7aef76e03b3f47fd39a26301

SHA512
d1b596bee5592dbd5a525a2a374b6935915e13a7684855e891e3d245cc8a81cb9f30edabf2658f721fa879121b6472641b77ef2aa18f86a498c13128958e5147

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
320KB

MD5
26cc92189b28086edbfbae263ab886a7

SHA1
c3bbb38e0bc194ef95751a2c6f67d177562ea4d1

SHA256
939b9ac3066e810329abf5867c44e9c6554c73dbc22709671cbc0da479019f96

SHA512
202eebaa12a68929a573a7408476bfe1fd0134d068f3fc763da8d07dd78be8c8f03f5aae0709751edd8cbdd2875e217bedd0d9cd3fe813dd2e75472c9d4d63ea

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
320KB

MD5
8b755f7cc0c5843afc53403e3e6c8202

SHA1
53e4511b720b2cf484e0f4f3b1dba262e0b6a476

SHA256
2f4f3ca19cb71e24f214a97842791e954f565a7e289d2dfdb1dfab4885cc8ae3

SHA512
cf2997d30a34e82cd695275ecdf36f3891bf2c4936cc702565cb508325894df2099155eb0b6ea8fcb61153ab4b3a3099f2d73888a7926a8a9a0ee2d9a5b2d11c

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
320KB

MD5
fd885531273bffa9515abf7b4b2dc1b5

SHA1
02ed18a8473ac2741484b5de615a8a4e2d8185e8

SHA256
4116518dc075d6a5ed4843c1866f225398b03ab00008f0466af6004d09998239

SHA512
18c3499c98444e141e64bcb66deaa81e29c11f51e7aa34cd5d3b212604c4eaa6227c1094980dd636fcdb189e5ce5f84fd98d2b48991d908b05c210ce596e5e60

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
320KB

MD5
6ad64d01607ed031e771b0c36b55063e

SHA1
f5fc1dd7296e9b02c7031fac1c19e8887cc145ba

SHA256
0d599a0e327b155f57895ef8846aa5a48962c24079e6c9d3dc0954c9dadd721f

SHA512
7441d68c78a8caa796e8573d957e6b0b52b986dfbee27f05761c1b1621f4b35d59098caa0af6c4359fd6120b97d4c8c26485604261753b6e5781b5591c4dcffd

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
320KB

MD5
1c9ac7a4e15480325574814f3a08945f

SHA1
906609787f139dbf4331d486dec1873827ef6734

SHA256
324fa7bd4eba833d6d11e3f95a243e35dab21ac092e29e01c7609f5806165b2e

SHA512
e0b82dbe3f33361395004b40458e16d072b346caf4c350f7291d226dfc3b667ce18a976e168a8ca030902ab1e308b93867716eb216757edcc013697a89b6b878

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
320KB

MD5
338306c9659ba97636997cb2849604e2

SHA1
b4bd45013eac414d071072cf6f5802f8b2f596a0

SHA256
9a44216d28fdc220af3a6de725d70300844daa5706d0d049964bf648e4ab3ddd

SHA512
99a061e7be49526fe882b042b6121def1f6f09a2e6a0f7a823c5617f71870a652086e74b6eabb1b6f85c7d703b59a289bdf31114f1f916da3ebd0c76ef591d13

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
320KB

MD5
a6195a8718e469b01e64bf07320201e2

SHA1
1c8a282488014eb385d2e40192ce8f6152dddbb0

SHA256
ad45ab370d4d75ad4c3012dbfa854ce963a6fd88628294195835fbf485805a69

SHA512
70f137b51457565b7c0917521c5b1d7956492b7d364e8487605cf40d45a34c66445fa7a04c8715f2b3af6aae8bbca765c1accb9e5eb38362833f1c50efbb5ec5

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
320KB

MD5
750cd106e5c4f9736ccd8c05c1692ef7

SHA1
b91eb92f5a232c19bb4edde806e3e993308085f6

SHA256
75ba12b5731fa3b77165a38215c3ca7a445761341c251b9ed12598e01583ef8d

SHA512
ad91dc4486a2a1ec75a4d8cc0828acf2c376b0d5c5dd0d9765c29c426bfa84ed1073fb183b2f0b892c63b021ba2ee0d33c44b85e38844058a8108ef75ea03926

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
320KB

MD5
ddaaef97edd167ceba4d944b19a6a689

SHA1
9ed999ac2e7c33768bc64cc52dd0e89974925623

SHA256
e5cf29c0bac2164e5b41bcfbc227cce942934932f7484f42b4c5c414636aa45a

SHA512
6bffc9a58d3e6e1caebcb827da6587f7b6fc91d151f307445b21f820e2ab88be6b0d5b9bb4fcc111696f0c51d272983bc00b8ecdb3165d3d5ca0d5824d8037ce

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
320KB

MD5
abcfcd76eb6a6075e45fb32e2c7c8de2

SHA1
066bc39f6caf16e8e95dac90451aaaa5710f9f42

SHA256
41a42b2d27d528ad9d5590a7a1914510c6b414fabd1c04841222deef8b46ab57

SHA512
df689e3109795a6100201a74a145dd0f4bf9132adabbc4c2bd298630906a811a07ffd988a4cf37a553fe122fee7e6bf2b78fb5f2371567a242824bffdf72199d

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
320KB

MD5
95e38919b19b3f3c81f1759e13327c78

SHA1
0a6310df1a2e707cdfec99d1df4585a07a74bbcb

SHA256
c924cd51e10add512db30c5a85d7ae7e33b64b7ddf087b478492aaa78ae82462

SHA512
4279d6de1b6f696278c88e68b81a0fc9c7e34834a19c0e270e9caedb29486a911a5eb3315c6e952a9226899bf324e55ea044455e4b7e1951704df54581c535f0

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
320KB

MD5
e79888ebb72aea174fc63a3acf3ddcf0

SHA1
9b8b0eb09ad0d0e1077dcd047dea1cda9ccf947c

SHA256
7125925485317a5a6f0ef2f117fbec19b2b29f1d5dbf5f901f6b8e4b5d84cabf

SHA512
d02c676c60c108a3cad15d26092aee3d102b42d40de2628c9c4f5ff2b9e001af2a91bac8303e96b1aadb6aed0e3ed0acfc6c2ff8b8b32ec8dc92573acf110199

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
320KB

MD5
26748910eb32420afeaf3189d4d2f890

SHA1
88ed299cc52c7cf386663fce8701aae04e1c9cc8

SHA256
e7c86be0ec01f8d321d7229e895231f9041909b2a8e291b739a46f49a3ab84ad

SHA512
5a2992a06147721ce305a016fbec54018be801f5485ea39ebbb1f943d20be2c74a9f1d0e4408d2fcbaf7575c68268c0368850f09dc76ac5886202a6bf1cfae94

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
320KB

MD5
1e431d688a906ea11800416ed9b00363

SHA1
1a8f6d955d2b1b92b4eb4519dcedaeaaa3277aa4

SHA256
5fde678a8bcb5c670f1eb821e6d292d9b12e40870cd18704be27fa58b29b8492

SHA512
d310fc95d5b6e897de02f5efae3bac5a63878788d597dec7f634d990ba251c46b4f047d39682cbae41da58b299fca550914aa9acd7e2fc745c10ca67c904f056

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
320KB

MD5
42aef80c3c60170c83bc6de6be35b41f

SHA1
235d38a05062cf3a3d668c3b23463472f74b5f84

SHA256
33633056043917001af44bd4b666d457322dad557bd2952fd963b61f67d295a7

SHA512
1a4b58945b962b2aa92fdb182917e5b35fb70725f15a0c96d3120dff1021ad922e0782ea178fe5ed8eb6211fb846cc02b534069be24da011fd757d67b09424ac

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
320KB

MD5
0f7dfd36a1c3a4e48f6577656b81eb34

SHA1
b45f341a89a2faca619f58fd7ed2f7f28c434b96

SHA256
047b5ca1e757eaee60616c3605bec1e2985fd6bc261e91ec7c6a6c18d724e474

SHA512
49e194746f95987eedc6fa3549ef8e75d3021a83f8d1f731cbafda788c0f22e46198e9402ad63adf0a692e03ea17d9e3f78601892314e8f929f67bc877692afd

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
320KB

MD5
3d13ddf651391ab25109c75d88d35886

SHA1
3ebe9d15d58ec272b31912325eada5860be68d60

SHA256
3c7572c667402a7f80c8bd97382deccf9f3bdd442d532a794e497eefef94374b

SHA512
0126939264125ad8193625c300e4a664451952a4f5b7989db085797202f826a0b7a81f1f863de5bab3f244d9db06426ac50d474aa8765b9adccc5891722cc055

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
320KB

MD5
73a12497c14190ee5b83ec10b2da791a

SHA1
f68e913b45943aa8584eecbd0c8a72960bacb06a

SHA256
2b0760a1182b6b33f4d8ef29eddc4dbf598006a0293d93c3910644d7c22aaff4

SHA512
68108b44dbc22a24b5a686ba8fcf78f9b5e19335bf8ab1c7ebb10d4fd2cd723e8f5ef8fea9c45ba68b5e7b318a1f3ea48140559e1857974f92ccd64c506e2469

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
320KB

MD5
876cf7e076c83e7dc17b17e95eb8029d

SHA1
1e6da0e4b13484c1b09008356d68511910d90b7a

SHA256
aca1b267a49cc5496b48b5b318fea1d8e04d77f14fcb1bd8e2b3a225f09f9c8c

SHA512
d919436f96932a09f898135f5c8a941ec30b95d726f6fc65490ae819f6d7c066e88750729ba70fa3f364eff813d61ae3167432111232a207373349e7ee0da1d0

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
320KB

MD5
e2b12691377521603e1f705b3f84747e

SHA1
0f7d9f57aa33f6a93445fc8b294cff4405fdb8ee

SHA256
02b48cb557742a0567f88484dd28072d7e04069bdb693715dff3c23e5be8912a

SHA512
43007ba3ec8999adcea6ceaea7f2a9993c6259884ea2269eb89b86d11e8bf8c2be6e9467c7b3e0160c6d747c2f1c5774ef4f61c29787448103f8311c5435c901

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
320KB

MD5
a08f160e774abb1bc19b0ad5b1dfaa87

SHA1
7c052913525cac76a6afdee1a46035eef53071f9

SHA256
74a831e668866d93e56004f818da09a25785da86b7df16bf9adda8efc8dfa462

SHA512
c18ebaa128a4b4087fda7e7dbf8009a94de1d11ba87f430ad7f038123aa4eb5031727b12d7d22643fff0c6ead36e2ad12a46f09bd838dd382b6cce7d12fae49c

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
320KB

MD5
77b9988887325e15d0ec1aac4147d55b

SHA1
c19babef0e8c9c4fa5931c4e65c16e3bc9c5e5e2

SHA256
d690b5f435c889aa91cf8ff0b1ee0b4b34c6a7f4b49e7afa1a98a9a174ed09d0

SHA512
9c96f61bd432131d5a36e80892c846161035950345d9d39a4c0df378df4671331b4c0880b97fffb810f68a04bc89d0fc2b55d34debadef5865455bc0f59a80a9

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
320KB

MD5
d2f66cee9c390dc692e7731afdbaa0b1

SHA1
17e9f5a46fb72511bb81c248c97a7eb56f0d9e18

SHA256
19fe7f31f47ba84e37ec9b3196da62b01e34af0de5792d52c07bb839a6cd9a42

SHA512
481db87aa2de6de2d49f87c9248ecaf61491164b439ef385fa104d43c3ba4566e065be17225757579cbe8201036f9154307431cd5fab3123318ee6ef3cf8e6e2

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
320KB

MD5
26497ec3fa38b8d5b11cf827418da3b5

SHA1
34c70ae5a0667eae0eb381293f17b6108a3433b1

SHA256
95b9f249335ad18f1b8cac657efafcc1a6328e208fa16de5535818a042ed0a6b

SHA512
20745a0e8e41d9c06518c2ba5620f569e2ed4a0733d9586987929cd6e42e4ba1a5ed56159e9b9aba3ebcd07c8acf52fc9145416b0ed1aa6dff57c44f184c6db8

Download Submit
C:\Windows\SysWOW64\Bkjpmk32.dll

Filesize
7KB

MD5
b65f02033c1745b0c2bf3f2e291f14db

SHA1
3270f9fd7b343c04c56359173159742a45e8cff0

SHA256
f9a9eaae39b5d701882b1fed63640a571e25987ac39eae308de55755c73b7de3

SHA512
0157d6c862d544a587a84591411a8477a2890d1c856f97f9e8987030d49f439b5d2c9404ef7177622c4081e92c03de2ac2b6927ef0f6f55c90f19f4c37113aaa

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
320KB

MD5
80728711a81335de00e72dbba9b9d0f0

SHA1
cf5f74d3af1351c80ac568a4e3a2c178c08ba8e2

SHA256
20da2e689e5bae530bcb1b80d550f2c5b9af02b0b6d64cd211aced6c671d751b

SHA512
e6db239a137264870ef0a65fe7b85e24b5f2049a941fdd2d6e48bab6e69508aaccc1446e9031ca9b6970dfeca3b97ca90a274a78cdff70da5dea0a96cbeb5234

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
320KB

MD5
81848b27f5c431966e2917b45672c423

SHA1
fd56330545994a1717ac041c40f8f97d8f71e0aa

SHA256
2ab315e643450639ef460fd2e8655141dc46c8fac727b2f174a1f3fa835283a8

SHA512
fac937ab205535e94fad7ee36750ef0bd32e2393deea90529b38742f69d0d30631e26628eca88e1e9ed4a02066be7a8e5837d2826a1aafe55da9ea50d19b7fcc

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
320KB

MD5
e81380887bf8c5f06347990742ad8263

SHA1
ef864ba2ac91bbcf5acc144a7ca7f3b544a07af6

SHA256
2fb71d4b46758b5e7e7ecbad430021b2ae899ce4c630816fa65a94169477bfef

SHA512
51c6724c5ed9794a111b1e3a3d93f6d271152a6e3b0c562f10419dcc612c686beb921c7a06f9d3bddc3901e8952ca3fd04bde792922e107a7e6e3cd1ae3924e5

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
320KB

MD5
13667e4f9a1fb9893be495d0c21d05e1

SHA1
251db24d4e85d9ea40e94129be9b4c847c256a14

SHA256
a19e9bc6178bbbd70cc62cdd3b4cd57c59e406c22d3b1d42b719f66fd585cde8

SHA512
59e25f64c6d68dcccf8594abfbf8c2d76dbf24c257fc6965d751cb9f35c2cdc30b7b92ae6c5984d9f55d0f5647dc67f657caa4efba20cb679bfa9d74e918bf35

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
320KB

MD5
a5bf40613cbd227c59b2fc1be71d3828

SHA1
d3ab928180f75260dbd9942dffffd08df1879763

SHA256
3c2c6acc3cea2c38d406f009203fae8bca2a423354c002eb0a9a154d9d332484

SHA512
b45579cbb52f27a9e5582a285828692bd98e6f777e96e837643d4a781f3f96035307f4708d955b72567f709344424cc1ec772d3959ee01089fae71290e79c132

Download Submit
memory/216-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-601-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-607-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-615-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-595-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-710-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-616-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-709-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-614-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-609-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-712-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-608-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-610-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-611-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5228-612-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5264-613-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads