berbew | b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe
Size

288KB
MD5

d088599907297eb5e034d6d4967308b6
SHA1

aee102fdf22cba0449d1747911cf3f65932b073a
SHA256

b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660
SHA512

3d474f4a784a547fb62d6d3eb38a08a0437ce26721e54f8bf2ee13372d14d23235bf171cc1b2cddf7742471f756666e10eae70e8d7e889d637006f0055f8e76f
SSDEEP

6144:RlYwmWhm8EEngNGZcLl+wGXAF2PbgKLV9:nmWI8RngNNLMwGXAF5KLV9

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c10-245.dat	family_bruteratel

Executes dropped EXE 38 IoCs

pid	Process
1124	Qffbbldm.exe
1880	Acjclpcf.exe
1248	Ambgef32.exe
1940	Aclpap32.exe
3816	Anadoi32.exe
3020	Aeklkchg.exe
4792	Ajhddjfn.exe
2184	Aeniabfd.exe
3236	Ajkaii32.exe
4640	Aepefb32.exe
2080	Agoabn32.exe
1752	Bjmnoi32.exe
2228	Bmkjkd32.exe
3520	Bjokdipf.exe
2232	Bchomn32.exe
1388	Bgcknmop.exe
2364	Beglgani.exe
2484	Bgehcmmm.exe
4192	Bnpppgdj.exe
2040	Bclhhnca.exe
4040	Bfkedibe.exe
4176	Ceqnmpfo.exe
4188	Cfbkeh32.exe
2012	Cagobalc.exe
3728	Cmnpgb32.exe
4344	Cjbpaf32.exe
4976	Ddjejl32.exe
1228	Dopigd32.exe
768	Ddmaok32.exe
2216	Dmefhako.exe
2576	Ddonekbl.exe
5000	Dodbbdbb.exe
1312	Daconoae.exe
772	Dkkcge32.exe
4012	Daekdooc.exe
3012	Deagdn32.exe
2140	Dhocqigp.exe
2968	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Bfkedibe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
216	2968	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 1124	3696	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe	84
PID 3696 wrote to memory of 1124	3696	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe	84
PID 3696 wrote to memory of 1124	3696	b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe	84
PID 1124 wrote to memory of 1880	1124	Qffbbldm.exe	85
PID 1124 wrote to memory of 1880	1124	Qffbbldm.exe	85
PID 1124 wrote to memory of 1880	1124	Qffbbldm.exe	85
PID 1880 wrote to memory of 1248	1880	Acjclpcf.exe	86
PID 1880 wrote to memory of 1248	1880	Acjclpcf.exe	86
PID 1880 wrote to memory of 1248	1880	Acjclpcf.exe	86
PID 1248 wrote to memory of 1940	1248	Ambgef32.exe	87
PID 1248 wrote to memory of 1940	1248	Ambgef32.exe	87
PID 1248 wrote to memory of 1940	1248	Ambgef32.exe	87
PID 1940 wrote to memory of 3816	1940	Aclpap32.exe	88
PID 1940 wrote to memory of 3816	1940	Aclpap32.exe	88
PID 1940 wrote to memory of 3816	1940	Aclpap32.exe	88
PID 3816 wrote to memory of 3020	3816	Anadoi32.exe	89
PID 3816 wrote to memory of 3020	3816	Anadoi32.exe	89
PID 3816 wrote to memory of 3020	3816	Anadoi32.exe	89
PID 3020 wrote to memory of 4792	3020	Aeklkchg.exe	90
PID 3020 wrote to memory of 4792	3020	Aeklkchg.exe	90
PID 3020 wrote to memory of 4792	3020	Aeklkchg.exe	90
PID 4792 wrote to memory of 2184	4792	Ajhddjfn.exe	91
PID 4792 wrote to memory of 2184	4792	Ajhddjfn.exe	91
PID 4792 wrote to memory of 2184	4792	Ajhddjfn.exe	91
PID 2184 wrote to memory of 3236	2184	Aeniabfd.exe	92
PID 2184 wrote to memory of 3236	2184	Aeniabfd.exe	92
PID 2184 wrote to memory of 3236	2184	Aeniabfd.exe	92
PID 3236 wrote to memory of 4640	3236	Ajkaii32.exe	93
PID 3236 wrote to memory of 4640	3236	Ajkaii32.exe	93
PID 3236 wrote to memory of 4640	3236	Ajkaii32.exe	93
PID 4640 wrote to memory of 2080	4640	Aepefb32.exe	94
PID 4640 wrote to memory of 2080	4640	Aepefb32.exe	94
PID 4640 wrote to memory of 2080	4640	Aepefb32.exe	94
PID 2080 wrote to memory of 1752	2080	Agoabn32.exe	95
PID 2080 wrote to memory of 1752	2080	Agoabn32.exe	95
PID 2080 wrote to memory of 1752	2080	Agoabn32.exe	95
PID 1752 wrote to memory of 2228	1752	Bjmnoi32.exe	96
PID 1752 wrote to memory of 2228	1752	Bjmnoi32.exe	96
PID 1752 wrote to memory of 2228	1752	Bjmnoi32.exe	96
PID 2228 wrote to memory of 3520	2228	Bmkjkd32.exe	97
PID 2228 wrote to memory of 3520	2228	Bmkjkd32.exe	97
PID 2228 wrote to memory of 3520	2228	Bmkjkd32.exe	97
PID 3520 wrote to memory of 2232	3520	Bjokdipf.exe	98
PID 3520 wrote to memory of 2232	3520	Bjokdipf.exe	98
PID 3520 wrote to memory of 2232	3520	Bjokdipf.exe	98
PID 2232 wrote to memory of 1388	2232	Bchomn32.exe	99
PID 2232 wrote to memory of 1388	2232	Bchomn32.exe	99
PID 2232 wrote to memory of 1388	2232	Bchomn32.exe	99
PID 1388 wrote to memory of 2364	1388	Bgcknmop.exe	100
PID 1388 wrote to memory of 2364	1388	Bgcknmop.exe	100
PID 1388 wrote to memory of 2364	1388	Bgcknmop.exe	100
PID 2364 wrote to memory of 2484	2364	Beglgani.exe	101
PID 2364 wrote to memory of 2484	2364	Beglgani.exe	101
PID 2364 wrote to memory of 2484	2364	Beglgani.exe	101
PID 2484 wrote to memory of 4192	2484	Bgehcmmm.exe	102
PID 2484 wrote to memory of 4192	2484	Bgehcmmm.exe	102
PID 2484 wrote to memory of 4192	2484	Bgehcmmm.exe	102
PID 4192 wrote to memory of 2040	4192	Bnpppgdj.exe	103
PID 4192 wrote to memory of 2040	4192	Bnpppgdj.exe	103
PID 4192 wrote to memory of 2040	4192	Bnpppgdj.exe	103
PID 2040 wrote to memory of 4040	2040	Bclhhnca.exe	104
PID 2040 wrote to memory of 4040	2040	Bclhhnca.exe	104
PID 2040 wrote to memory of 4040	2040	Bclhhnca.exe	104
PID 4040 wrote to memory of 4176	4040	Bfkedibe.exe	105

C:\Users\Admin\AppData\Local\Temp\b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe
"C:\Users\Admin\AppData\Local\Temp\b6b1d8178d1973f654bd4c80e4cee79300f21bfe7ab9583f25f506c211560660.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\SysWOW64\Qffbbldm.exe
  C:\Windows\system32\Qffbbldm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\Acjclpcf.exe
    C:\Windows\system32\Acjclpcf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\SysWOW64\Ambgef32.exe
      C:\Windows\system32\Ambgef32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 212
        40⤵
        Program crash
        
        PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2968 -ip 2968
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
288KB

MD5
9abea7a3cbdb23167eee4936ea34bc5d

SHA1
73016edf66dbe384218f2848b147748f9d79e3a3

SHA256
5e6fedfc6822dcad5b70b1c44b4a7b6c9d6eab79e16dee772da279d2cf0764d7

SHA512
f1b5378599d53f85ddf25b36b4c0b9bab38f57fd90b231dfbf23b780082c19a22ace704d192dda6801ee7086442fc92e430d4343de13bf7b1535eb1782f39618

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
288KB

MD5
320938d3fa2d593f99bf5c7563c0ab1e

SHA1
81569e7a694375c5f3dab261d8f8c0c11b5d9151

SHA256
4d28f2d7a0dbaf2cf1a024b318ddb57154d891232f6a001bbcd89a4ad69de2b3

SHA512
9a5865ba10e0f2acbcfe524c6c79457dbcd9e832ce84e6d444cb7709b9507eac847682f18c3385223a302f29bfb5c5e3301e135d96b5762220004de199bedeb5

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
288KB

MD5
3998901aa5ba2d0e9f7d57415292b10c

SHA1
885ad4bee31e77bb9f6c00f40a6b1af65ca2e7a8

SHA256
4e6614cdb1e76aa44c7d8b9579a31cfa553b2842b26c3a44345c017b322fbb89

SHA512
5904b5dfae8e60df9944bc03698906e0b2e3b78f9dd10afc4800a37131158566381b9ddbbef9be2952541a1e1626e74d3c627e180662ffec92b5f927f8d286b8

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
288KB

MD5
dcd8964076197a91f59efbcd2461ced3

SHA1
bab2212c5815d448f35f8beb5863bdc28e4ae82f

SHA256
0f4f0ca55a117f5b56b67de17fb991690dc8bdfb805b4589555247c1ab32eb68

SHA512
f2eb4e6a5402cebd09056dbcc438236f4c8095e3da2a5d7ef79104d665fab7daf702d79a9b0ade2bc6d8abdf4458adcf016c4fd32693ffc72fbf815c9ae54962

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
288KB

MD5
25363e65f6723facc93343ff83166d09

SHA1
7c96d34621794bf72e30b1aeb0b6a375d950afe7

SHA256
4cca4d2dec0c68345d690906c42552dbbefc57a6f962f4c924f4a31b89be4063

SHA512
6dd005643ec1445ffe6702176bddd7ae466b0467a817937d5dd48a8ccd0023b9c444ef4df2930aa58065abd2dfdd9c89573a03547edd143d1b59a3bbb971536b

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
288KB

MD5
ddc762cd2bafd1f9dcf7836738b6f37e

SHA1
78599274d5a2c4c32a58a0beac55753e1f84ee70

SHA256
8c1e0e42f46bbafa7d07ec580704f3bc0f401ac8e06769ba6e6a303142241b39

SHA512
c031f1e2119f103910fb1bec60b5a91a9c516861151d2f8ea6a1d5d64bf2bccf866545d63e54d4e70e4e1ffd97ce18e64d507e7917a56c13bfd73fd6626e3a62

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
288KB

MD5
10c0ddc1ce7452073a634ea7286fd3b6

SHA1
a919430725f780acde48f2b371fc3887d3d7d32d

SHA256
3b287a429be0418a87afd20f6b5ec0e3a7ee53f615b491052e26e152ff6e346c

SHA512
678b8c684c4d1fd4380e189a57399f1da8276fa3e73b6b036e96e718458067fe2700041221f47b19447c4edd05e60a0f788eb68c761880bc27198ca4513c4e43

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
288KB

MD5
2cf65c89a89436e2fba559b0e6bf689d

SHA1
fe1c80dfee952141b8fea70a6f7d017d3b13eaf6

SHA256
c9c6340693c72a8bac1fa44d43477c5eb6d6d869f4d8da49d71c1266c87f0db7

SHA512
be8f05250432187aad643f93d422e29b8d982bbeff2452894baca887a4f1cea9f672a87fdbe3b9fb8aad4fef6d68e5bfd01d46eca7845daa7e14fc59784183a5

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
288KB

MD5
f0ac9e790dbe1b6d5405090de7263f60

SHA1
e7badec85bfef5000d01bf062e03203f1ef1cb9c

SHA256
d85d9cb0b6849c6b8c6527f9f0973129ea16fed5645934ce8a99d23b754f2d73

SHA512
130dc334ac6ad239b5fb73907e450a2b5fa31a33a13e0855a32c44430e9c450772e0fea4381ea82f2b5f8b428e33bb0dbf792683503bcbda97876638b283130e

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
288KB

MD5
e9922f3d10a0281432f4151d5377ba96

SHA1
fa639903215a8f0c870743b9d0070d1babb15e47

SHA256
b8bc286ce3e1a25c0521c82d941903ebf9607f16e486c8493178bd35ed3e281b

SHA512
e719efeaff4070f2a096211f9e5594be428f8a4b2f7b5e19670b9e6cef70d187a04802d18f09535cd385b8667ebb6afe707bdf91369576cb4bc60a1eeb14037d

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
288KB

MD5
5067cb802890991740089c88bb860b95

SHA1
f866e116f9d05c6b65566d843ed9eaf6fff83cb7

SHA256
62f6ed8a30588fa2386829cacdd8d3a253629d844e66d70c92e8958803ab4080

SHA512
7cc596259b8333a011ba9af94317e296d904d57c9af3b0a44b3d99205ac32ecd7c82e3d6f94e90fb286b8672e71497258da92089265665aab35f60628f2c345a

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
288KB

MD5
59c3ef24c8b72cf88c00864ac60d5e7e

SHA1
9aa5058f27f7c1684e671e369327d282c15ae05b

SHA256
a60af1761c946f15173c25b4128d80c4cfdd61e5c90eda059492b9227e138f93

SHA512
6a9d3bbe97654723f765a42845a7d0c00f5d6e0e09aa3e0afde39ad74fe99c4bd81f3df1b4dc71f08e332df6f82a6fa4e8d027fbc5f6b399681bd25cdc08cf72

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
288KB

MD5
8412181e3bb7c14bd7efacfb07e0293e

SHA1
3f74488bc9c98923ea3e2e6c3e77cc6c849d32b4

SHA256
98dbc15f5b928cb0ee793d102c9849fcd4e7ab79eb63acc3179b83d08b0f1f3a

SHA512
617599449c3b567f1a96e2118c6828c1462ae6b5dd45d80746b3f76dffe6c31b2003e4f09c19b1130988efa9bda636baea0ef26dafba7be242d05d82f8d76b9c

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
288KB

MD5
95303f54d31049c59064de24f8c8cdee

SHA1
2d3f172962188a8f9bedac4e6801c13c7c8a977f

SHA256
dd761821dc895972c184a72538397c659d91dfa29ea89728c444722aeaf8f3b7

SHA512
b49492960114806b628a8d236fc91206903e00b7edd12ce04e27c1fbb58b6060145d9b01c6ffe61cc5dfa319e11d099eaa5d3ae88bfcc141f0ea526b3f8b8feb

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
288KB

MD5
6a26871ddaf9b5b2ef1b56de03c96d27

SHA1
a1225350f632d967ae8b083a5d0f0b2ed79ea89a

SHA256
9e8878f8b8bc97305b1e6c507290692d4b63d3651dc91ffbc2ab1f30bd1903b4

SHA512
d1a3a4474a129dc91bafe341415d780d5cbd9650d151de5a8a3b44896b06f3c18583359eb094bfd7512364ab04235d9f7ff5b863e3699e85269cbf36ad67cf7b

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
288KB

MD5
346127072ce1049f24cfe0924e52ffdc

SHA1
60ef2c18ce6eda8a5245113455bd370b38264c25

SHA256
a00deda2ca7384d51d7d17d0bc7456779b272999ed82a3dd072aba57144c7ddf

SHA512
4e3fd41ab461906f449942b16b5d48f5070b9fe313179eec031a0c23e1383b1a0f9b5da10b9bd6c84102c660d3c80a49f51a872d45754b984396580642393cff

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
288KB

MD5
9868c8a99a9ed3316bb7d1553c149fc2

SHA1
6d761ca5f1a94b947c6838e4093427f7ca991077

SHA256
ce20a2eabd611c562f046ffab90e58cbb69d1ee52eb00f633b9b218324623f10

SHA512
005680febbf4f223068fb0912b477969d88fdcb9a3f1485a91e22211dbb2a85bfb0d5b23fcc078c095d82b84c6ac85946c4b83f60b315b03bc6d07f84980ca29

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
288KB

MD5
0cd1b6e0fbc608277fc84537a579ebfb

SHA1
c3023c264ef6c784a7b2e5b56d9d7b6ba6c28178

SHA256
1b9ec31e584ecbd52b26d0c362c5f380a67430349aae5bdc00b3c4dd2a79dfeb

SHA512
7cbce94883a3c9b37b71762e14ef152612fc04534e68fb36f3fc10593c36f2292b433e7c6a7828c1005e0d21394cf9baffa8b84bab7f086fcfb9ca42b7e0332b

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
288KB

MD5
a1dcaf41030df96f37f8b4b0c94aecc7

SHA1
2cafb944bf164278b0cc001a06cd9f4034257ebc

SHA256
f06a974a090602ac710f2dc4e25c334d56b7ccc6bb54cf73b4aa468b9b6c2311

SHA512
25978e89e93313d481f97412148022a29bb2c46f78104f07af994f46e33087a1e5d3d78659be22a0319d8fb80c556d4f053f254dd40dffcb33a87f0ab1893339

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
288KB

MD5
e45e74d1fed926b42a4d04a7f1d8650e

SHA1
6b884cbd633b22abd4488abe9276f158f2e6731e

SHA256
4525e89754ee7b9f5ead61048f481ab86ac88af8f89f2901b6020d09b5823415

SHA512
fa11eb374567a003c0816bf73ad4f940f475f643de0506821b073f7bf15aa32260fdb2d90b1a0e3422301ed19e7240ab662503f187b74009b6ade902199ae479

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
288KB

MD5
33609a27cca9afb3298c7a82ac8ea3eb

SHA1
804579081bc2866a8497b343abfc7d11588f1a75

SHA256
30c8cb074692c8d69be00dcad50cc8dba18cadd0ee13e9592837ccdf3c43226c

SHA512
0e259c8bc34e58177cce492bc8cd21734aad4c5b76f41c2f7d94e2dfb689f9f6f064e36482eff1235f442b91ad645daa22fb1aaaaf1a525953c2f086dd7cf7ce

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
288KB

MD5
1c61b25173bf3100f26d60210d645988

SHA1
1fcb7a3752636859812056aafa196a501b7e8d33

SHA256
1f2e690a48f11ea301da6d587cee532cd48970c09fa17e2520e6a7e1a3990279

SHA512
4550ec337a8ae69c8ba6f433e1c86d28bad3c57c5c35b35b286c369d9b7807a306b111487f9dbe59ad37aa21e12fd978b469302ccf1c5adfa9af88c4666b8a67

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
288KB

MD5
51007e726d47ebcb6ff0e43456062328

SHA1
3dc598b7d5c19e55840533b0be505de4b877d5d0

SHA256
ad1798711bf9fb4d4e6acb5a9583b6f4b52489027a5545008eda3c252716e1f9

SHA512
123ddddad82a8fcbe070a66932fcae7ad504f38a81db56aec1e33910b4102bafaee5898a16bbbd34786584e5fb3da8f10c403fd74d52776d055d1a3e8a075d68

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
288KB

MD5
29695ec82b9f5ac31141f9fb249fb4c5

SHA1
904f03b5227599ab78b1685072ef28e499db1328

SHA256
408ce73aa5a5697edb684e8b39d31c69e5ce8684f072a22ef13e07dd29156a49

SHA512
b657238b5a25189341f0b67eaf7dd8aff05db889df4696a955170e9e08ac53f9ec3c201b5fdbd7ffdb3b2ed041db23d54d06b924d44dc6720197a7e3dc679a33

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
288KB

MD5
7e54d84a05cc871067371d693b24783e

SHA1
70da96d63868a6776e2fc3df67c7b7cae44c38d6

SHA256
6d11fd5cc534bcac2ff719473d77ec2f702a28b22c66d6d751d2bcbcd0c003ed

SHA512
0f87287733fe671832adddac2a41d00b4e6187a5f02f21ec344653b54942883f362a62d43c03d7cad9ba56003754eba92e8883933ee2bdfaec5cb87883a739ab

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
288KB

MD5
6ed4853646b30d10c3829e1f205ec88c

SHA1
2460bbada7a16f124869a320d6028ba1467a4a19

SHA256
7bbffe3fe4990752a70196d9b78ea347ac21f8cb39532459599b07b7f3461cae

SHA512
2b627bad7aadb6d38061bf5bb4411e0a7f9b196208ed174ff5bc271fd49c5b9cd0ced4bb625dff6cabb5f2d33adafb0530c7b1a3b8d62f91152395879b46db0c

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
288KB

MD5
83e677c154defe8e71806ec7507cc641

SHA1
59cc64cd06c7c43f5917fba07568f4adbe11408d

SHA256
d5fb69374c72adaccd43c6768ce90c32d252888d582c2e08eb8e94787e242aab

SHA512
652a3bb21fe70dc6293d134f100bbfb4955e8eedf55036170645811964914a82c4636f60ca6e4b5fe0fd2af9e51e085de4358f89649b3ffd19e6d732c4e9fd8d

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
288KB

MD5
3a28f877eabdbc6b37e5936c7450f3a0

SHA1
a65d628942493015f68a3f9f20f5b4a6d6e5a313

SHA256
8ba0a7c1be261cc907a28bad09286e17023c8d851790564a5554e0d0b0813e86

SHA512
3e91376cb71f9144135d101f47b3295be6fbc1ff604aab2ea68734a47afbbead22f5eb367bb4f1f6b09632ddc1f02ade97f5b8426f617785ce581e81ce72ba66

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
288KB

MD5
68b87e3c2870858aa9f9a91e843944ae

SHA1
9f5b3d711f62ab5667f0933f17a073aa953ee4ca

SHA256
53e16dc7c5588ea81e21c9b1b4e61eeb88a90ea4525bfbd54af78922c75cc48d

SHA512
b4529cee88fb935f8c10e034cd169ec590c688bf9c85fb55ba002e509ceeb60ab05b0fe8b008397b5112bca0f4ce2f98e0643676a9b7dcef912a71a77cb6b0c7

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
288KB

MD5
fb8f4eaa2cb4e68d13ceb97e29c6c7f4

SHA1
180ea9467056d4846e74cd59dc22a87ab9cb2209

SHA256
824ebbbb3ab1ecce5ce815ec5268b7acaf8ee83dc7e218db5fa00604ea68b93d

SHA512
2fe91828a9d57f0e62e0c61f72cbb1e0e098188c263faa42121a948efff9fc83b14e44c24c7d362b909975dac2f963e7ea62f34cb6322e7ad5558fc31dce9733

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
288KB

MD5
69c3cc5969b78d1b5f67a7516de04d69

SHA1
5dbe03de9b4310ac2c8702c9a63de5369f0e19d9

SHA256
e7fcd80663c169b22a8bafdacc57b67dd1d04efdb8448435189461192c93610c

SHA512
1a1cc2eb54a716907d444e99a6bf126dded7641629fec5b291fd16a03ef3dfe8237855f59741a4e36c6de5032dca350f350d5610c397a936de1d9cb0379fe4f8

Download Submit
C:\Windows\SysWOW64\Gfnphnen.dll

Filesize
7KB

MD5
201ff5728ae7efb06ceb44d5e653a9fe

SHA1
52e52dbd77976ae50e291e20d3244a9a53d742d5

SHA256
a4d5b4c7d7e71d8730d0227224a1bcd4714d09a8ce2d02633a3dd9bfcd827209

SHA512
100746c75b930a98b67d0d8c9d94c5e2e020fd84521a34b41e7e37d0cffdc7d1c31e8c34ad03d0dde187914cc35cbf5381784119cd0e822616e0eee1bb1aa8ac

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
288KB

MD5
55682e67e11ca379a1d90fcc0007905e

SHA1
118c126edd28d9eb08987af9316e4c3cef72e699

SHA256
00ae4d40c9a57b02e7bae6ff38b6fbc5a17a1d57a3ecc440783d4ce1c5e78dba

SHA512
c85bd105c0897123f7ab2f23630fb2b5b32b1f6f4cb10a9133666b5bb21348a8eea5cb4d455d1b693176906519d2fd63de6df1653ec090d1b56c824966dae53a

Download Submit
memory/768-310-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/768-230-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/768-309-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/772-301-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/772-267-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1124-367-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1124-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1228-222-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1228-313-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1248-363-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1248-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1312-304-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1312-261-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1388-337-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1388-127-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1752-345-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1752-99-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1880-365-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1880-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1940-361-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1940-32-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2012-190-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2012-321-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2040-159-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2040-329-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2080-347-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2080-88-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2140-294-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2140-285-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2184-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2184-353-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2216-238-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2216-308-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2228-103-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2228-343-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2232-339-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2232-124-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2364-335-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2484-333-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2484-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2576-311-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2576-246-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2968-291-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2968-295-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3012-299-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3012-279-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3020-357-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3020-47-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3236-72-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3236-351-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3520-111-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3520-341-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3696-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3696-369-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3728-199-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3728-319-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3816-359-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3816-39-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4012-273-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4012-298-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4040-327-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4040-166-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4176-325-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4176-175-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4188-183-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4188-323-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4192-331-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4192-150-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4344-206-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4344-317-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4640-79-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4640-349-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4792-55-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4792-355-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4976-315-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4976-214-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5000-305-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5000-259-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads