berbew | 1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124

Analysis

max time kernel
110s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2025 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe
Size

163KB
MD5

b0fd1e224d6574749c7b8b403a794a70
SHA1

8271abdf8c86e0c88cc28ab380f667f4064abd22
SHA256

1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124
SHA512

f23878b2dd6e44c19783e0b8aabf5773c409e96a8126b22ed7fea9055a7709d07a6af88b1fe52c7658fc979cf13f0e5bd17d4d8fe26613ecb8e756806d0ffb30
SSDEEP

1536:Px0wkAyGrGuIEDAPlggpDH2lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUg:OAyIGu1DAdhT2ltOrWKDBr+yJbg

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Downloads MZ/PE file 1 IoCs

flow	pid	Process
29	3480	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
712	Anfmjhmd.exe
4568	Aadifclh.exe
64	Accfbokl.exe
4952	Agoabn32.exe
1476	Bjmnoi32.exe
2704	Bmkjkd32.exe
1180	Bebblb32.exe
1860	Bganhm32.exe
1740	Bfdodjhm.exe
4428	Bjokdipf.exe
4328	Beeoaapl.exe
2576	Bgcknmop.exe
3128	Bjagjhnc.exe
2420	Balpgb32.exe
3604	Bcjlcn32.exe
872	Bfhhoi32.exe
3276	Bjddphlq.exe
4700	Bmbplc32.exe
2316	Banllbdn.exe
5020	Bclhhnca.exe
2192	Bfkedibe.exe
2160	Chjaol32.exe
4624	Cjinkg32.exe
3104	Cndikf32.exe
1600	Cenahpha.exe
3484	Cnffqf32.exe
1124	Ceqnmpfo.exe
1136	Cdcoim32.exe
540	Cjmgfgdf.exe
4936	Cnicfe32.exe
2180	Cagobalc.exe
4140	Chagok32.exe
3688	Cjpckf32.exe
2336	Cmnpgb32.exe
4804	Ceehho32.exe
460	Cdhhdlid.exe
5112	Cffdpghg.exe
1688	Cnnlaehj.exe
2164	Calhnpgn.exe
1908	Ddjejl32.exe
4596	Dhfajjoj.exe
1472	Djdmffnn.exe
2936	Dopigd32.exe
4508	Dmcibama.exe
840	Dejacond.exe
3272	Dhhnpjmh.exe
1812	Dfknkg32.exe
4340	Djgjlelk.exe
3472	Dmefhako.exe
3284	Daqbip32.exe
3516	Ddonekbl.exe
1672	Dfnjafap.exe
2272	Dkifae32.exe
4016	Dmgbnq32.exe
944	Daconoae.exe
1660	Ddakjkqi.exe
4956	Dhmgki32.exe
2124	Dogogcpo.exe
4904	Dmjocp32.exe
3996	Daekdooc.exe
3924	Dddhpjof.exe
424	Dhocqigp.exe
1720	Dgbdlf32.exe
4576	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
740	4576	WerFault.exe	154

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1428	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 712	4188	1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe	87
PID 4188 wrote to memory of 712	4188	1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe	87
PID 4188 wrote to memory of 712	4188	1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe	87
PID 712 wrote to memory of 4568	712	Anfmjhmd.exe	88
PID 712 wrote to memory of 4568	712	Anfmjhmd.exe	88
PID 712 wrote to memory of 4568	712	Anfmjhmd.exe	88
PID 4568 wrote to memory of 64	4568	Aadifclh.exe	89
PID 4568 wrote to memory of 64	4568	Aadifclh.exe	89
PID 4568 wrote to memory of 64	4568	Aadifclh.exe	89
PID 64 wrote to memory of 4952	64	Accfbokl.exe	90
PID 64 wrote to memory of 4952	64	Accfbokl.exe	90
PID 64 wrote to memory of 4952	64	Accfbokl.exe	90
PID 4952 wrote to memory of 1476	4952	Agoabn32.exe	91
PID 4952 wrote to memory of 1476	4952	Agoabn32.exe	91
PID 4952 wrote to memory of 1476	4952	Agoabn32.exe	91
PID 1476 wrote to memory of 2704	1476	Bjmnoi32.exe	93
PID 1476 wrote to memory of 2704	1476	Bjmnoi32.exe	93
PID 1476 wrote to memory of 2704	1476	Bjmnoi32.exe	93
PID 2704 wrote to memory of 1180	2704	Bmkjkd32.exe	94
PID 2704 wrote to memory of 1180	2704	Bmkjkd32.exe	94
PID 2704 wrote to memory of 1180	2704	Bmkjkd32.exe	94
PID 1180 wrote to memory of 1860	1180	Bebblb32.exe	95
PID 1180 wrote to memory of 1860	1180	Bebblb32.exe	95
PID 1180 wrote to memory of 1860	1180	Bebblb32.exe	95
PID 1860 wrote to memory of 1740	1860	Bganhm32.exe	96
PID 1860 wrote to memory of 1740	1860	Bganhm32.exe	96
PID 1860 wrote to memory of 1740	1860	Bganhm32.exe	96
PID 1740 wrote to memory of 4428	1740	Bfdodjhm.exe	97
PID 1740 wrote to memory of 4428	1740	Bfdodjhm.exe	97
PID 1740 wrote to memory of 4428	1740	Bfdodjhm.exe	97
PID 4428 wrote to memory of 4328	4428	Bjokdipf.exe	99
PID 4428 wrote to memory of 4328	4428	Bjokdipf.exe	99
PID 4428 wrote to memory of 4328	4428	Bjokdipf.exe	99
PID 4328 wrote to memory of 2576	4328	Beeoaapl.exe	100
PID 4328 wrote to memory of 2576	4328	Beeoaapl.exe	100
PID 4328 wrote to memory of 2576	4328	Beeoaapl.exe	100
PID 2576 wrote to memory of 3128	2576	Bgcknmop.exe	102
PID 2576 wrote to memory of 3128	2576	Bgcknmop.exe	102
PID 2576 wrote to memory of 3128	2576	Bgcknmop.exe	102
PID 3128 wrote to memory of 2420	3128	Bjagjhnc.exe	103
PID 3128 wrote to memory of 2420	3128	Bjagjhnc.exe	103
PID 3128 wrote to memory of 2420	3128	Bjagjhnc.exe	103
PID 2420 wrote to memory of 3604	2420	Balpgb32.exe	104
PID 2420 wrote to memory of 3604	2420	Balpgb32.exe	104
PID 2420 wrote to memory of 3604	2420	Balpgb32.exe	104
PID 3604 wrote to memory of 872	3604	Bcjlcn32.exe	105
PID 3604 wrote to memory of 872	3604	Bcjlcn32.exe	105
PID 3604 wrote to memory of 872	3604	Bcjlcn32.exe	105
PID 872 wrote to memory of 3276	872	Bfhhoi32.exe	106
PID 872 wrote to memory of 3276	872	Bfhhoi32.exe	106
PID 872 wrote to memory of 3276	872	Bfhhoi32.exe	106
PID 3276 wrote to memory of 4700	3276	Bjddphlq.exe	107
PID 3276 wrote to memory of 4700	3276	Bjddphlq.exe	107
PID 3276 wrote to memory of 4700	3276	Bjddphlq.exe	107
PID 4700 wrote to memory of 2316	4700	Bmbplc32.exe	108
PID 4700 wrote to memory of 2316	4700	Bmbplc32.exe	108
PID 4700 wrote to memory of 2316	4700	Bmbplc32.exe	108
PID 2316 wrote to memory of 5020	2316	Banllbdn.exe	109
PID 2316 wrote to memory of 5020	2316	Banllbdn.exe	109
PID 2316 wrote to memory of 5020	2316	Banllbdn.exe	109
PID 5020 wrote to memory of 2192	5020	Bclhhnca.exe	111
PID 5020 wrote to memory of 2192	5020	Bclhhnca.exe	111
PID 5020 wrote to memory of 2192	5020	Bclhhnca.exe	111
PID 2192 wrote to memory of 2160	2192	Bfkedibe.exe	112

C:\Users\Admin\AppData\Local\Temp\1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe
"C:\Users\Admin\AppData\Local\Temp\1fd29933d86d47213ed2d864fe2a17800405ba58cedd1d6df1286dbc84724124N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\SysWOW64\Anfmjhmd.exe
  C:\Windows\system32\Anfmjhmd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Windows\SysWOW64\Aadifclh.exe
    C:\Windows\system32\Aadifclh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\Accfbokl.exe
      C:\Windows\system32\Accfbokl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:64
    - - C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:424
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 404
        66⤵
        Program crash
        
        PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4576 -ip 4576
1⤵
PID:2240

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTEwRTg1NkYtMzg5OC00OTRDLThCMTAtMkNGQjI3RjE5OUNEfSIgdXNlcmlkPSJ7ODM1RUMyNDUtNDQ0NC00OTkwLTk0NzAtMDQ1QjQ1M0UxMzJEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTNGODcyMUYtNjZCNS00MEE2LTg1NTItQTkyRUNCQUIwNDQyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjE4OTAwNDE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
163KB

MD5
f23e44943576d82482e279318efc1d31

SHA1
c30ed3b8d2c1ff23cf48ab130c71a45763c8f475

SHA256
b2bf0e52c75a9e3c17cc4384abc3c87a520c0f7db480d12c20a028cc5977bc40

SHA512
b7c3d97580aa00059fed6eb7cba0024b5043fd91ec936c65bf1b928a81691639440aef83b8842e08869944dd103e19a9bba3b159f49260d4fe2c3efa9feb5cb5

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
163KB

MD5
b9e90626660c3a4a2d3a97ea931094c3

SHA1
59bbabeb6c74701648078e29c376d0a5cc7d407d

SHA256
0730afddc71ec0550704061377d9c654bd6a3d16bafb2d83a8285a51169a1dff

SHA512
32dc0514d6a4831e5ee9ad51cce8321d870f277a1a895fef85d095eda171c83decd2a6579317fad4e05688c256f11d3ff21d49d81043f8525f1fc68f40fd5c00

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
163KB

MD5
1d3d5437ea6015f6cfbcc9f0d9cb12bd

SHA1
a90354cbbf91d1da7181224b780a9e5753ee8258

SHA256
c6f128d3d23d513f5ce32833eb6aebea6d5ab1e5a4053244ddb15a61b09749e9

SHA512
c12784699a9fc9e8cf2bdcce7bf497f52f38146e51872af00a2f6e2fa417853ad93e9682f9ce4ecd91f4829f57578b0756ee40aff05e3763b9e2e736a2447766

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
163KB

MD5
7af33e1834ed8d649eef39f048c663bb

SHA1
be7a77818d98300a1bea0720b01b482e9e29c626

SHA256
07a72cc5c789275120a2dc79aaaf3ba9689c6c362e000b232da55a618ea8fa72

SHA512
b2217e45c8af9514345ca8c3a4bc11202cbd7783b73da6f0d70fbaa83adbdd5343ea05ea4457e615f8a00864ee67970cf8ee3d3a0beb5884125d60743a5eb671

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
163KB

MD5
124324a120645fdd9f7572a9fdd0347d

SHA1
13db0ba61664de1d4ee8cde1fb0be43f8cb05beb

SHA256
3aea15b7e28328abccf4c1213236614ca2aaf9dde31fa191eed946dcc326b70e

SHA512
2e77a664fe76a9ece8dea4c30b2de2d1ea020d4cc8f3114962924d66ebbe4edf8162218132b77b3cbb8ad6a42b32d2f6048c452b706423c9de5f56842b135fa9

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
163KB

MD5
9b90418406445142999e9ae929e68dda

SHA1
48c3f44e5104b22f3fd94ed8867f250c48ec2245

SHA256
d17b5bff626a8fff7ff03dee8c54ea5f79f1b5b898cd0e6f566284553612fe3b

SHA512
fd8aef5639b67e86b6821183903b57dc2c523775b372b1cc83b29fc06cae9bffe19bd6929a07fab53e1ce80ced9dfe804a2f3f2b5562e6ec6485e4d4c0faab7c

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
163KB

MD5
009e917fa045a0dd7901fc5833e57d91

SHA1
c353d50cea0e6090f48fdfb1cb07f80b812ba776

SHA256
c6c0da2ebc520bceaf9b199e625d63ace3793c72c710bf99f3ba362e4bc7906f

SHA512
9777bb72baeb8f8eda7e1118c67ac4a487b9758e8815590e9e9b65be9d6c6ceab49c4571e5a730a316da2d8ba21905ee0e637a623b10395116184d053f9b02d8

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
163KB

MD5
bd18144f0d444ad421811028d29eed89

SHA1
d8c343c7845152c77ffbc694c8b51e28376a40b7

SHA256
a139a483d19d1b843b2052fedbec5902c7062bc31046812dae097ff11a48e50e

SHA512
77d535199e34086b186ec6ee84960b0c12642329056120b3586011bf96cc9da50aa84ce0e16a2d8e5cb5892d6953f58eba34a1a23d1eacceb1d399d5d907b99b

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
163KB

MD5
f14dcc752ce7502691072cc8f95c4e20

SHA1
2f6ddcdd622c6f0c8b1b6e0eebf70000e6df57c4

SHA256
5069eacafc60cb27694797c7ec933684b085ea9360b55682439d830f0802d2ec

SHA512
11a1aa6f4ec39ad0ffac36c3caeb29cea2732af857a079ba4aa773f7b9f9a657a221575c388faf10431e25d78625f9f78bf07a086da45f67f42c6d2cda6af829

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
163KB

MD5
87f9b1a6435b2f35486687a0d280d903

SHA1
e62121b25b5a0f472e2b8cd2514454c369710b01

SHA256
6babbee3b9292d83efdf8efdcab25dee88fd324b40670d03447d20534478e76b

SHA512
9423ffa123b14b6a7a1f3bbd85cc48f8ef03b807c788d04f344ae8a3538a0bc6470d71a0004df742e518261215b99d3dc515892c971828bf3e407821f4310294

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
163KB

MD5
d007cf7277a5726b6e9d1193aecebf9d

SHA1
410fe4a4a3a32c9c0cb1bd9fa38143b75cfdb918

SHA256
f027a587770590586aac22e34a76e0d995d482a0ec6620413ad5e1a91d644807

SHA512
f5cb79efd96e16ef5a8a4177952caf35c593295e392ef08a9fd8b8e6b2cf1adfeb0121c993e0ae2e219c1cc0ac1a2c0be1015342f4b115d208e79e4e9a178683

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
163KB

MD5
c5bb223009ed2058a5a3642dc9eed6a9

SHA1
e447d52c38e51ce3490cd562613f5ea2f771cfc2

SHA256
887a6cdfcd8d5f69d14e78194eb65876fd243bd7be796a60c48d4f3a7799d27e

SHA512
a024b1266a89b1e749d16fd62de66754d84b102d48d92358157074d7b4e0d4bef8008c3354dfe81258f09cba7ea6c7cbf6a6a4800961b4f66e1f66ac6bcee268

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
163KB

MD5
a8c43cbadbc4fc7c0eec006d8f89203c

SHA1
98ea1d4207b18321534b29b63d3851279266a946

SHA256
9d3335fe6c84b8e3cc3ad47084697ffe359c35fd6c1b1651cd588043a0f4c269

SHA512
f29a18c78492e946d8352e66b0a2014a05ceb76efb461e2de480c7adddfb8b8c7f176668a466792a1aaddc71d8913b21063f533e88a15c9f3ac336a78a053763

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
163KB

MD5
aa8e97c3ef0340a478fe17cd6f3d20f5

SHA1
018357a66b82e77d91e27b79ed1c754779aa42ec

SHA256
35d2ed23a7951491fe152e18d1506d34ccff8490ac148e2cb66983f980faa074

SHA512
acec47f667a4784f8e7d722b03b3f1d257a2c703f677db82a9fd73efb0fac5f8d83381cac48157e31efa1560b58c0ecbd4aa23526651f23077840b91ff43a2e7

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
163KB

MD5
86b855f5c746e6d1aed61d4c44d1fb4e

SHA1
109ebce4be3360798f1aba6ed640857914da941e

SHA256
d01ef2f3d22dd12dc3adec0b6603d108a0d8712b95deb46c7249e2b00bcb58c1

SHA512
31d1fc18ef18882869398fa39f47233d222d9d1b1c2212c5751270c7140139e6f9022bef98de21495e1b14404c9d6adc430dbf3bfcccae546176626ba50f2f55

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
163KB

MD5
5e1c8bc2b5b624e55a31fd7e4ebe2dd9

SHA1
1071d6e0623754e5e8778ea133184b84e157d6dc

SHA256
15ce9c66d70ac24b6f956c5cf690aeeff39d26b38a76c3141bc99bfd78705646

SHA512
f13bda4e7b0243b2949d8dfb3b5e830ca04b7ba362589a2f4e7968bd71374c444346f6414b01088567d1e30eef6a9f294f4ce8b014ee0019184bce0357229eea

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
163KB

MD5
f291102bfd585f208deea4f3f0979c9d

SHA1
41f4c999449dc2e0ca9c48d87468f8159f081fb2

SHA256
020d91e9f8b2cfba53e6bde5afe4b2590002d9e63a2d2796a8557d53265a44d5

SHA512
89754abf273d7254271dc1f82b495da3fa4b70bf952a327840a333c55106a5e3c44509c90ac60df280f355c359d51e29ab9664a3809a79a22b48ea929c33891f

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
163KB

MD5
014d4694ee73d3b1e545644ff4b3e89f

SHA1
6460c7b502fcec3a8497a0ca64e4aef66d924d4d

SHA256
c62623f65047e085b10f1072f102c2c93fdf3b399f9f5161f8a5729223b54378

SHA512
13c470b3a40198d9a513adfae86be908a6f2c51a2e6a0f4809cc22d7853a38a3da7e7aa500fbd0f272139bd274f175ce0594b27b5939ebecf9d41ef9ba6dcbaa

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
163KB

MD5
7abdb7f2b7950fd11f8f8a6e7ee69794

SHA1
78b2064da5d942f5a865eaf7c449ce99a7e0bac8

SHA256
382693ca7ea6dc87ff99953cd8690c043f3d5079a948dab887058807bdc6ad30

SHA512
284674effa2ed8ff972f89c1fcae7ed9e6751d1e3d2b3c7dd674f1e680c3a0838ebc28d39fa86c1f15a8c74734120696250397de1360186d23fbcda10d1e5735

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
163KB

MD5
3b14166613c8ea0d16fff2c5f49e70d8

SHA1
0649a1e09838fa504b0c7f8b6e897721fb5084dc

SHA256
a8e9cacee97784ce057d08137039c9e798d065361c08ad060591c5900cf10e07

SHA512
8dff95e64a8ab4326696e2973a856adb1e2e53c43f281344663d3c801b103537168119413a738b2415635cd6e49f89920204e2d503aaf58e692018d89d83aec6

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
163KB

MD5
cc87956bc19f400bd3be15ac5f3d9185

SHA1
cab43a7663449e41064a7100efa056654ca516cf

SHA256
109d3f43523ca2c130a0d89b4330762d8631ea5c2417c1ebef479c7a2e40edce

SHA512
8b2d2e079f8d75915696a673724f6a6075b5b8effae319ab74f1c1967a62a6efef40e91a376b43a20d1c1b30545aee8296e3b1f13ed2874cf4f1c2f5bace3303

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
163KB

MD5
af63cdc36300a683eb376a922d147e49

SHA1
0a6e94ee3dd7f216b7b33b5c565399fdba54888f

SHA256
c8ee712552bc0f7c715545e25bb27ac1ee4cad80d6d1abf0fda967ef7d5e396f

SHA512
5fb780d81e2641451e77546155f314a31300d9e048d158b682d03e32439e74f81f7304b7d2b38ee4c494ead837c7be8696783ea5426c7862ca6377833a65929a

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
163KB

MD5
5b3198fd1c48afeeddcca9ce4f401040

SHA1
1cab28449d2e618d4cfad4e8b75b7f79afa5772c

SHA256
67f95b1e3367c7d2a8df7a9b9a7db4e9e6a90466d2375c45c50bfe5cee683916

SHA512
9c3365a0cc299449031a483710333bc6bf6af6ab41525eb761bcc46af69456dd4745b8f79062ab1e10f7f0a6f56ceea796a763560b3bbde4f3a9c31a85ed7366

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
163KB

MD5
d8d09524d3f571eeff451250a10c0ac2

SHA1
ba9c8d2b7b6daa903227dcdc273bb149c096c30b

SHA256
8361511f6288773793f0e2cb706ee30117d3f0320762c1f8104427a8e4b2d1c7

SHA512
1950132740018f8ced736a16981cda70cea2dbe32c7a5bd975fd1deeea76b9bc903bf9e454aa8e16dd297017d64cb2b6ae4d5182a6be5d283cdee73250f030b2

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
163KB

MD5
1cb7810463513f44d57fc2afaa2295bf

SHA1
3c76fddc5c0a57352bada3117f9b32ecd76706a8

SHA256
c3110ad0b8609348789d53c38b0f10271883ce1165387974de7f9352586ced5a

SHA512
33224df59ecdb5b55b8bc4021c7ec69f5f947c202962c9044f6a1d166695cfef077f5d7f73fc4f1337654c15e5ebe71ae0734d4af6756b420cde3e1249585f9e

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
163KB

MD5
e105a070b61d2be6a92b8ede0897e828

SHA1
40478880788671c5010bfe742118ecc2c720c7c1

SHA256
4e0b2de258fca753c938f1428f5c65ca6c9660eaff40989a4736d935afbdb9db

SHA512
660fbbbf3516a8a4842aac267a39a6f236cf9350f833daee69e2093d3c5410aee346e30bd52d94413eb4460a7aaab0ab8940a1e1bbc5b680741fc227ba561706

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
163KB

MD5
96fbd12150193647eb367300b188210a

SHA1
3c199e7f36f777f87dd68c90226965a2d747ac40

SHA256
4e8c3e80d155afdcfcbcee0c537bcb8caa55e95c891c6a557cf40f21b1344d46

SHA512
2e76cef0838d302a49bc2d539321a187c8a5609adcea448be3b674dad104e0ca2002cd2be1eb3df19d498c6b4f5831f824d35911c2c33822de07bfdfe41e2d70

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
163KB

MD5
517a9d6d155ffd763ea558ba5f667315

SHA1
c1695dd1c57e02df0cd8cea25c031c400f4d02b6

SHA256
a19779b07ed1e58b2008a6bed468697ed4e8905388879b7652a1431a1cfe8dc0

SHA512
9d3deed8810b8039e9bf958589216a458ec8338c941372391d0433e2ee19bbd375964a78f709d1b10af01f4db7bf6a3c02c499257ec4e3507d1a412f8ee0f419

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
163KB

MD5
bce674be6632c275022f2643596926fe

SHA1
666f2568dde28aa1d049b7d539651ef2019cc067

SHA256
d1c68d357ab8ad9008884fe5d75472e90b544a02ebbdd62c7b76f1d45314aa01

SHA512
c9c5ed5b393f9f468ed02524c047bc4acea89a88a31d550c057f5e298a5b9a29c788c8fea00216dd4782fd39190215edf479c0a21eff0636598ef8a7e7e52ed3

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
163KB

MD5
cd269577a1cc28abfd4abb19d160b2b7

SHA1
88a2c9a307302275dc86428eb52d78f5ef2357c1

SHA256
b30cc0f4db93b9b77c092d0b0114cc020f507f31c033efa3436c77d4859a2f0c

SHA512
f54e7ad5b057225262e39a7ae6e933c7c4357b197d09d4000d1bf43a9428158832b17447652348229b6ce09ef680cfa30a876da996d9c3b21e6ef392210e31b4

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
163KB

MD5
7ee2dec2cca07a38fad51a3695ecc293

SHA1
914e9cdaf79db8a6e3ce39746b654dd0a1e1d975

SHA256
ecbca5c988922d13161bb2abf2fd575b9d42c2fba493bd0e6589dc5586e3f140

SHA512
f108cd008baeea72d8c93c6226fd7310378c2a59bf9888feccaf41ae4f22b144981599155520505bfb7579dbcc8be62a8cd51a0ec2594b3e7f73b9ea5b1347dd

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
163KB

MD5
92e3a002ae345427df477370bd879060

SHA1
ccb3ee4ec918df930fdee16c49424c9b423851c1

SHA256
ee9fae3819b995d67dbe1d1354140d8781a7dcb63de232915091d52a0cb1a59e

SHA512
3148c143e3bbf660c5eba2cb078ef197bd6eceee0ea97e6baf7523b2fc9fc532a380b48a802868e4e579ce6ed1824c44d7c1ac067613066dfaf8c7f1a3c3596e

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
163KB

MD5
d9a62d95003ad7038a38b54117c9c501

SHA1
76757da3d742f7a825d6c2daba5dcf4d905ee463

SHA256
1660a6a0678eca87d1fb2c701f21a4b928172a279af250da8197620f115b08c0

SHA512
3790f38aca161a6015340ed40066bdf3c4a841171520a83e375b4d8c3d97504be9a277c540ae5738ae93362995c38e9d7b9380f2eb2ae6e6c44cc7912ef7249f

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
163KB

MD5
28637223eeeb9cbb6029e830cfaba0ce

SHA1
888e0b0cd48bf275b7819440bc31d7a84be320f2

SHA256
ffbc776b53964681c8a0fb138dce4420e952f1d9b3ecc6fa72a8d8f620d52ef2

SHA512
7a599c95b510572e70a82d75b35ef9a49bd427020240fda884e31380c98444ea08db4f8146e8f114bafd27efe694a59fac23db38bd4a478a85f467a4dcb59a32

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
163KB

MD5
6a61cf709a786c3c7a6d51af9d25f39a

SHA1
0fdbbd9b80eedb0013d34737c17900a00b01f976

SHA256
74c54bb6d48ebcb89b2359957cc2fd2e7e39ee50eaf4c4b4957263e2ab9f16cf

SHA512
deab3d4ccd2fe08c258c2c2e9a4d9aae973337794eae9af02b62aaf13882dbbb327402a0e78cf9926da705fcadf3e3fc97a4e5f4953138427df18f8567e3f88e

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
163KB

MD5
a660776f492e99b0677e769c3c4f860f

SHA1
b0286f9dd681a7a2bcf37295bc28e12e8ab7c716

SHA256
85e6ac7a7a52c49bcdef9cf45a51b566443084b5475b4abf6cca7267cb7df02e

SHA512
c1523c8c60e62883ad9fbf6fa83e837aaca00d3dd37462c8f0bf08e4b4c0342a32251b78b611e0fdcd5e7b37afb9336a4baae9d3257040456109030214fdeca7

Download Submit
memory/64-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/424-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/424-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/460-508-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/460-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/540-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/712-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/840-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/840-491-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/872-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/944-469-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/944-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1124-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1136-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1180-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1600-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1660-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1660-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1660-466-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1672-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1672-476-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1688-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1688-502-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1688-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1720-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1720-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1740-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1812-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1812-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1860-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1908-499-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1908-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-462-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2160-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-503-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2180-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2192-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2272-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2272-474-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2336-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2336-510-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2420-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2576-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2704-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2704-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-493-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3104-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3128-552-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3128-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3272-487-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3272-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3276-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3284-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3284-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-480-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-482-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3484-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3516-477-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3516-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3604-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3688-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3924-458-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3924-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3996-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3996-464-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4016-472-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4016-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4140-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4188-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4188-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4328-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4340-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4340-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4508-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4508-490-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4568-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-452-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4596-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4596-496-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4624-188-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4624-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4700-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4804-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4804-509-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4904-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4904-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4936-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4952-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5112-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5112-505-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads