berbew | 7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe
Size

89KB
MD5

213a2b0d9996e3985cb92a04680715fc
SHA1

6b2a388c27572b78cce2dbcf58f2b87508d1a0d3
SHA256

7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29
SHA512

92abb2937a27837f41766e31f435c8a7add8826f2c5f9a015219574567173f645fd035d9772fd997654bdedd8e9f78d3c92808d9323286061a18b8fafcf8db8b
SSDEEP

1536:8Y33xr9l1+5dIXbsGbwnUYDHbXydVT44F111111111111111111111111111111:bFB+LIXbdbkUYzbwDF/4c0lakgw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
5032	Aepefb32.exe
676	Agoabn32.exe
3768	Bjmnoi32.exe
3520	Bmkjkd32.exe
3276	Bebblb32.exe
1408	Bganhm32.exe
2388	Bjokdipf.exe
2600	Bmngqdpj.exe
4984	Beeoaapl.exe
3940	Bgcknmop.exe
396	Bjagjhnc.exe
4860	Bmpcfdmg.exe
364	Beglgani.exe
4236	Bjddphlq.exe
2384	Bmbplc32.exe
3944	Beihma32.exe
1732	Bclhhnca.exe
2316	Bfkedibe.exe
4684	Bnbmefbg.exe
3828	Bapiabak.exe
2892	Bcoenmao.exe
2100	Cfmajipb.exe
3296	Cndikf32.exe
2924	Cabfga32.exe
1696	Cenahpha.exe
656	Chmndlge.exe
2420	Cjkjpgfi.exe
4668	Cnffqf32.exe
1944	Caebma32.exe
4948	Ceqnmpfo.exe
2744	Chokikeb.exe
2444	Cfbkeh32.exe
1316	Cnicfe32.exe
4872	Cagobalc.exe
1940	Cdfkolkf.exe
452	Cfdhkhjj.exe
4780	Cmnpgb32.exe
460	Cajlhqjp.exe
4932	Cdhhdlid.exe
4700	Chcddk32.exe
736	Cjbpaf32.exe
216	Cmqmma32.exe
996	Cegdnopg.exe
220	Ddjejl32.exe
4400	Dhfajjoj.exe
1000	Djdmffnn.exe
384	Danecp32.exe
3984	Dejacond.exe
2372	Dfknkg32.exe
4052	Djgjlelk.exe
1860	Dmefhako.exe
4936	Delnin32.exe
1992	Ddonekbl.exe
5040	Dfnjafap.exe
4316	Dodbbdbb.exe
3872	Daconoae.exe
2996	Ddakjkqi.exe
3804	Dhmgki32.exe
4044	Dogogcpo.exe
4960	Dmjocp32.exe
1152	Deagdn32.exe
4632	Dhocqigp.exe
4680	Dknpmdfc.exe
1880	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1364	1880	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 5032	3572	7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe	84
PID 3572 wrote to memory of 5032	3572	7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe	84
PID 3572 wrote to memory of 5032	3572	7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe	84
PID 5032 wrote to memory of 676	5032	Aepefb32.exe	85
PID 5032 wrote to memory of 676	5032	Aepefb32.exe	85
PID 5032 wrote to memory of 676	5032	Aepefb32.exe	85
PID 676 wrote to memory of 3768	676	Agoabn32.exe	86
PID 676 wrote to memory of 3768	676	Agoabn32.exe	86
PID 676 wrote to memory of 3768	676	Agoabn32.exe	86
PID 3768 wrote to memory of 3520	3768	Bjmnoi32.exe	87
PID 3768 wrote to memory of 3520	3768	Bjmnoi32.exe	87
PID 3768 wrote to memory of 3520	3768	Bjmnoi32.exe	87
PID 3520 wrote to memory of 3276	3520	Bmkjkd32.exe	88
PID 3520 wrote to memory of 3276	3520	Bmkjkd32.exe	88
PID 3520 wrote to memory of 3276	3520	Bmkjkd32.exe	88
PID 3276 wrote to memory of 1408	3276	Bebblb32.exe	89
PID 3276 wrote to memory of 1408	3276	Bebblb32.exe	89
PID 3276 wrote to memory of 1408	3276	Bebblb32.exe	89
PID 1408 wrote to memory of 2388	1408	Bganhm32.exe	90
PID 1408 wrote to memory of 2388	1408	Bganhm32.exe	90
PID 1408 wrote to memory of 2388	1408	Bganhm32.exe	90
PID 2388 wrote to memory of 2600	2388	Bjokdipf.exe	91
PID 2388 wrote to memory of 2600	2388	Bjokdipf.exe	91
PID 2388 wrote to memory of 2600	2388	Bjokdipf.exe	91
PID 2600 wrote to memory of 4984	2600	Bmngqdpj.exe	92
PID 2600 wrote to memory of 4984	2600	Bmngqdpj.exe	92
PID 2600 wrote to memory of 4984	2600	Bmngqdpj.exe	92
PID 4984 wrote to memory of 3940	4984	Beeoaapl.exe	93
PID 4984 wrote to memory of 3940	4984	Beeoaapl.exe	93
PID 4984 wrote to memory of 3940	4984	Beeoaapl.exe	93
PID 3940 wrote to memory of 396	3940	Bgcknmop.exe	94
PID 3940 wrote to memory of 396	3940	Bgcknmop.exe	94
PID 3940 wrote to memory of 396	3940	Bgcknmop.exe	94
PID 396 wrote to memory of 4860	396	Bjagjhnc.exe	95
PID 396 wrote to memory of 4860	396	Bjagjhnc.exe	95
PID 396 wrote to memory of 4860	396	Bjagjhnc.exe	95
PID 4860 wrote to memory of 364	4860	Bmpcfdmg.exe	97
PID 4860 wrote to memory of 364	4860	Bmpcfdmg.exe	97
PID 4860 wrote to memory of 364	4860	Bmpcfdmg.exe	97
PID 364 wrote to memory of 4236	364	Beglgani.exe	99
PID 364 wrote to memory of 4236	364	Beglgani.exe	99
PID 364 wrote to memory of 4236	364	Beglgani.exe	99
PID 4236 wrote to memory of 2384	4236	Bjddphlq.exe	100
PID 4236 wrote to memory of 2384	4236	Bjddphlq.exe	100
PID 4236 wrote to memory of 2384	4236	Bjddphlq.exe	100
PID 2384 wrote to memory of 3944	2384	Bmbplc32.exe	101
PID 2384 wrote to memory of 3944	2384	Bmbplc32.exe	101
PID 2384 wrote to memory of 3944	2384	Bmbplc32.exe	101
PID 3944 wrote to memory of 1732	3944	Beihma32.exe	103
PID 3944 wrote to memory of 1732	3944	Beihma32.exe	103
PID 3944 wrote to memory of 1732	3944	Beihma32.exe	103
PID 1732 wrote to memory of 2316	1732	Bclhhnca.exe	104
PID 1732 wrote to memory of 2316	1732	Bclhhnca.exe	104
PID 1732 wrote to memory of 2316	1732	Bclhhnca.exe	104
PID 2316 wrote to memory of 4684	2316	Bfkedibe.exe	105
PID 2316 wrote to memory of 4684	2316	Bfkedibe.exe	105
PID 2316 wrote to memory of 4684	2316	Bfkedibe.exe	105
PID 4684 wrote to memory of 3828	4684	Bnbmefbg.exe	106
PID 4684 wrote to memory of 3828	4684	Bnbmefbg.exe	106
PID 4684 wrote to memory of 3828	4684	Bnbmefbg.exe	106
PID 3828 wrote to memory of 2892	3828	Bapiabak.exe	107
PID 3828 wrote to memory of 2892	3828	Bapiabak.exe	107
PID 3828 wrote to memory of 2892	3828	Bapiabak.exe	107
PID 2892 wrote to memory of 2100	2892	Bcoenmao.exe	108

C:\Users\Admin\AppData\Local\Temp\7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe
"C:\Users\Admin\AppData\Local\Temp\7295c728152839a7f286c9341b4daeb82d2c9547121c6a73759235660e598a29.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\SysWOW64\Aepefb32.exe
  C:\Windows\system32\Aepefb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\Agoabn32.exe
    C:\Windows\system32\Agoabn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\Bjmnoi32.exe
      C:\Windows\system32\Bjmnoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 420
        66⤵
        Program crash
        
        PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1880 -ip 1880
1⤵
PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
89KB

MD5
e7488b881d86b0ed582085f31d0e5adc

SHA1
ba2bad08ddeebdc68772820c0d5e78d9629ff645

SHA256
1f7fe7dd62dfc20604bae084d8e4c3de0bfed8c5a02bd183e4186e935852fb37

SHA512
0ed6f2cb540ead9213879aef610d27437d97f84766449f4e65f6ac31d0bbb0a7c24e6c7cf2534517415f7a8c660355a8c9cab05430f81d4576a754d3627b2f75

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
89KB

MD5
76f4f1eeefdac660d6b1ae59ffb8cb7f

SHA1
02012476436eab6aee706ec09cba183f5de01ecf

SHA256
72823ba18e7044943a125f83c9b7c0e12afb0d1b3197d7a90be941d9ef88e8d7

SHA512
b784f9d6716e436a53e28a472b720da807fc1614242df21418db9e2e844fb0d60732a5da4920556091ee851a8c3770812c4959ce5e8dd6565aff825b84f0e9cb

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
89KB

MD5
6c9bfaf289138d0c6e7597c06531b869

SHA1
14357968950c43012b9707a4b3a2e1649d603e03

SHA256
2dc1a614567dd262b68bcb6cd0d2088b0bf47169e166b28a5f419c92769a66c1

SHA512
dbcd9a21c3a9e7b8ed2a5e39c2b71feb9f661058273ea322abbee2858f735781031fffbf8d2765ce4220235e23bf55edb603203da4fee975132f0d92ec47aae1

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
89KB

MD5
2d52229893d951ee2237cca5a5b11328

SHA1
0c28831b6327f74908cb12f57847f421b00fbb51

SHA256
f67cd1dd9b7593faf14e48ebba1bcb0ea725e57f003d8d4d4f5be1cd5f370f32

SHA512
fc39ebd6d9f68c5fd1a8fded3f4f91042d1915331d32a64fa52569fc6b7fdf2d9e96d8a491c10baf38cd980a6bf9394313e725a146e5b1ad772ffd6b3b5a943d

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
89KB

MD5
9742a570aef16bbed7ff740e1ed14d22

SHA1
9e3725f0a68b4a39223673b2dc49f7634b311d7d

SHA256
ca12ed1308c87acef8ff89ec05ebe1e301709f16fc3f026283cec4d4828b6652

SHA512
928c4a56291ad42ff6c15a487274778ea7db0774fbd9c09f1afaa886d0903d11a552f6e3539f20ac87d8e81b49882fb1c8f6edba4bbcd594fb1476c2ffc54a40

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
89KB

MD5
68e9c3ff96f4ff7c4a0214549bbdac8b

SHA1
b5371d6466288e9cb4c2a27994463d2e0a4e4030

SHA256
5abf1ba99b6f5e2ed05e5bfa58da95f8ebb648b1e6da3452da271a7e7b7ff5ca

SHA512
633d006480bb25d2e0f60850754b7c92baf53219613c247d223ce2dc10ebbebc1e147eeaef9022738048169c9c2d0dac74a56bf2215195b8d2e2e0bd9832aa42

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
89KB

MD5
8add7cf56c27703075c4d157e7d79259

SHA1
78547c67e9c8ac2bbf92f066aea24bfb56aa8476

SHA256
68fc3a22037636c63b47f79b31def7d120f63b4874f400c3e0d41f185adc47ee

SHA512
4b1a05ed82f88b35c736f5170ca6950d2117d760be39895e13e5ea2bf61487eee94bb5de0c12a4324458a1496d2cf1895555ddc18e3d8766c49ba276177ff4df

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
89KB

MD5
2b572a1a7b656235c4c84d4fbee47154

SHA1
6189bac70aa465d5d7a520d867ffc49b55aa9fa6

SHA256
7a70b464554d1deb403f761c9a340b34481af29b4b62e4673f756590ba740dfe

SHA512
f215f2c025143d2eca8d01369f8dae66794b610c698c07973b547f2762127ca0d7e620e83dd9c8413b79b1cf9f3d44d77a45a60ad03349b3fc392fa488a5f4e8

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
89KB

MD5
a4aaa5f490b6e4e2311b96a48f5dd008

SHA1
59cd6819b3caea6aa608ebd1fd795a4aafd14645

SHA256
dff0f0a85928628f1b53199f5fa76878b2d8666820ea70830898a3d6c73942d1

SHA512
2da495f891a5ffff3ddb22e0dfcfd3d75f1f5d3590e766ec229e70a9556831721fa771a8805e8a9a206917dfb3ff5123ce226a2404183a0606c57df745ca884b

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
89KB

MD5
0c238bce5a6c89bf6cc28fabb8a6531c

SHA1
dc642138b9871e0e6ead91beac30bebb8fcdffb1

SHA256
92d13ab7c8f999b134ad0f416b0e383de13765b9d2a07c539fb41e0c837be18c

SHA512
9ec2d571f07b3599f857c2119f2e609dbbdf6602a52172fec1a94aea91125b9f8d8f0714d56f507a102d347a14992dea276f98f13c278afe64cba9f34c26ea90

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
89KB

MD5
5383cba35c5f9c54f145f911bf811683

SHA1
347d18ae55adc59910ebab248f86aa80edc1d490

SHA256
a678007988c1b7b375e0ebea3adac62b4be28e704810f23273aef94854d45447

SHA512
4bec9d56c6055cd31c7d438863b01b354fa8cfeaa1993e2c5a151d356e08ab884967710824a0bed82e72990a4721fc6155a1b020d2ded05fa899c01a583f5c41

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
89KB

MD5
541a3422444b778717e6ca50ae9b4d88

SHA1
91a64c7ceccd8662266476d2c80ed1581803ca90

SHA256
4da0f7edccc4ad46685fb6e6f65e97c011b632eb67a26899c115328ea9996cf7

SHA512
135c39aa69dfbffeb1c2d71b333479062143fdd1fa20193ad3d24a7c05e4f75821305ad8f378e2daf2b8b64f985010296554f2b7e298f6585f537d4377626b27

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
89KB

MD5
7864539776310d734a787851199514f3

SHA1
76b901ca10646c6af6d2d116e825bb5721b50534

SHA256
63be49d3ca4ee28c0fc35c321838f5de0ecd5f664946469734b1b446453d2b92

SHA512
359a8eb4fed58cafe8f7a43a74933d43809a2c5742dc4a981fee3e7f97e75bde154f67cd2eb481869a4de8af2f15a733ad45d71af9f47420833d5554c1e24485

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
89KB

MD5
9fa678775aeb38d35241ff96ed0ee3fc

SHA1
0bf7dd4cb2f3abafc729080fa4245f98e881ffae

SHA256
5ebe5bed385b376292add5be3a88b5795ca7de7c91ec136cdd2de140ccb890d7

SHA512
39f5ea380d0f9eebeef0441870c5138b034d395431e86fc09be3e8ff79f9811af36eda5953be8bf5e180581fde7f1f4e40aeeeccb69a5e818d3e0410f5ad18e0

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
89KB

MD5
49cd26b43f50c0a903cff4182298c076

SHA1
88a06dc95c00a07c6a7f4acacb3835b7a2023f63

SHA256
65cac3a071e5adfeff2187caccb4f14781f0fda9449a7766d619984030af57f3

SHA512
4b244e2da13da7f77e77abc3455f747dc82c71ef6b5a0cc3d7486f56bff89f3c86c8f4c779cb0ed01fde8c44b32bbf9a94f1b39dbc1e74958a2a0550e8796083

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
89KB

MD5
3e7fb4964cfb37b45c84ede966c03fc0

SHA1
a2c56687c43232b8142ed6e1529ed7c97bd7cc8b

SHA256
16eecaeff234c0618e88a3140b6541f449469e6a50a0f04930ff81c88a58154a

SHA512
b1aba8584ab0051d41df53459565680d0d56c11d42009daddbcb23bcd0b2d126b5a6aa0f731a096e782bf5149dd9482b6a7598eb9e50867698b6959a6c2d6c46

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
89KB

MD5
f28471449b950897bd79c60c95f075f8

SHA1
9924da4b0cf8bde875a61b1657f046abee91e204

SHA256
de271c6a91bdd72b610a3be7de1c9c28d5489584fafa4b4bb8c08aa8f79f7445

SHA512
ac594cc0ff34adc5483bb1d064a35edf1d7e4cd69fa3fb578a54b20d0639d282acc95a1fbe12563de470d3b844322673991754effc38e3e0f7e9089f3a178288

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
89KB

MD5
0d46bde217aab87465fcb88620e25709

SHA1
a62ea38b50fc734b19ff3c6cf1591dabe1424934

SHA256
9a023ac65d31f4555c0dc267ce5ca51ea96f634af8011db47029ee6d317bc8dd

SHA512
4d5a1bd2e7eae6bfa70e827f42df4485777df81fef171cedcc21ca7035f0096832b3ae83ba6486ae8c4306951b8888287197e07816ca284950454a3c50e3e994

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
89KB

MD5
db8c38083f1d9e00a5ed6d494e66fa6e

SHA1
b93b5af5764b0d5014619f30009497a9bd19fba9

SHA256
08e31dcabc57bb079f95811617dfb84d1071e1c2641f3b329279c08670916400

SHA512
b14f84ac37bd94f9ed124d9ca9962b780b46b85fe45b4d65e231e822873999ac4676645927071d10c7168526d22b18a8ed02221b77707090aaf9b7c8e7903646

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
89KB

MD5
4a45250ad1e6e18466f7c472d68e4590

SHA1
ff0cff7cc27d08f04c2ec06ce71d0e9588023a63

SHA256
7cdd728f8e26e5bdcb1f7662240de4fd17040faf27e3084efd71509ae771f728

SHA512
32e55d2382280f2881d65b9df534be4eb775645bbd4124f4195b0748ec37c8399eaf7e577364a06e4cebe6231c37d72fcefcca9c7461bef5c7af3a8e6aef1555

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
89KB

MD5
fd68664735d2bd202e9115b9f3a0934c

SHA1
17d5cfc59499742a204d6f09a8f2ba31455d5e9f

SHA256
ea1c4aad4e797b0ffd38e45b6ec3e9254176ca72774a3f87e809b894615bfad2

SHA512
afa7428478d1652429abe0476b8978728c6be929a5c4643eed40ad4d73cf5d9c4d5bdf1e183a01a7a908c4284a593556e59074e79410506d77115bad04b53267

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
89KB

MD5
cb3b41df6089747d9926a8c28ad306e1

SHA1
9116951a5721570146e8aa6ec1c53711115cb5f2

SHA256
38474ada1a7686fde171c1dde0f013296e438945d1f3e553dd8a90637352fe07

SHA512
f4949f9acd1a4ef0bd6501227f030e63e413507188e15f1eccf5922d25be96efa21e9300c75ae6f49ae1f4ee18901b260f6213ecc38566353ee341152123c684

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
89KB

MD5
6929cd95b53c62e0cb4dd9d388030b65

SHA1
f75a9047de2676a574a1a4998d1acc90816f1bb3

SHA256
e49d0d844e82d1168f5913afc98fa3be5e96c62a3c4ee60ab82efb5ebea99207

SHA512
960250074ab24bf76732bcf10bf7f543c3182e4c58593d2f4db4ace091d8147ae81868b20596f8ae40ab10ea3a4c70dad2d1cf4569b7a840a5401f3ad8d0a3b7

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
89KB

MD5
14c538648210250c00eb24ba05e44ef0

SHA1
2ed0632373e53c95f2c5311acc950c2d318a6043

SHA256
6f455785453a78dc85fb058b8904f771187c1a1aada15ad64147f171ebf041bb

SHA512
e848582db8985b661b61e863ab78b1531fa5f742622b1751f9525de6762f499fa970d123d567634dab9d2331aaf12c1641e1209c76091093f8d35bd79423c2cf

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
89KB

MD5
a01bdf3e774ead786f33a1c899c52357

SHA1
063483dc16fbb3f8805b9569f47224d3c0afa406

SHA256
02f08a1cae3c74e559a0b1479e55ac6e757368b40c46d3894062e8d18e1a17fc

SHA512
b0002ce9d3e480c648c9f48fb9f259b5d2074e145a1b0c9a4b0d7d192ad90253601eee7bb262e45b4a98ace83ff1418c019bf0bafc1e1a2455e05dbca29bf4a5

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
89KB

MD5
e25e831b5999165d4b88581e36241ecf

SHA1
b5ac42cdab118f22a1a23490f2ee4206d2936f0d

SHA256
0b3c0dbd3834f9d854a6906a311c2f77ff53b03af5cc9c27c966375c583db2f6

SHA512
0baabf46dc5fd84f4b6098b8f9f668770fd8d55831d2b9ef0aec685ce0f02805a6f784ffd55113d0ef2cb7be445b5907ccedafa73579b4688a9928452843ebb7

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
89KB

MD5
2757093df1506adcfcaeb6587aa30535

SHA1
e4a9897a15c7d74a2beb1bac9794f23b2c6a76f3

SHA256
d75676f8632aeb6671f88c27f9c0a739521a0e2e96c55a574e97ffdf14190103

SHA512
b7869036722a49aec33e8a110ab5dd692ca88b193dcc19cd13c6d1f09767908110f88fa4f5270585d669f1099dc6d1d13eec41bb46c32fdad42eacb7ac8e4033

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
89KB

MD5
cbf728668ac8757a2a24c36a0d3ca106

SHA1
d3699719f71cb8d01b8586b49d091cc12cecb56e

SHA256
f0db9ab02089059b3373fd659f64587a512d1ff1bf6a4890ca5a40b097d68604

SHA512
45e67962f93a6871cec54e7019575be45122f7d01374963185916f64ac15372cefb66c330d2238faa245504509e757248517db8e2cf0c62cb4cad03e43d917bf

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
89KB

MD5
39c13eaf3fb7d151576e975694b36ac3

SHA1
57154245a19fcd899e869275a54d136a2f475173

SHA256
a3736c0ed18c7e6314c1e80012ff7671f034fa1d8dc74046748f841c4b2a5ce1

SHA512
11122e02858097ddf2ec0a41df452c767b24a5d4e7f26419d3e5b107bc7ef41e4832ad70d10536788bef0732186a8fcc5f77a2d0e9a3ca33f049942270083be2

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
89KB

MD5
f2606108e67bb7213f9c4cee5d3e6e9b

SHA1
6cf3915e0bdc477aed281d39676a2a06d09e5863

SHA256
13c59b8856b743120d72a79bac7eb4d18aa821274ca169050574b59820385155

SHA512
4321c0d66303ab1de8025e3627508072d21f3618ed81be74d9a3ed34765838cd1a1e8da8e70ad5b940eb601ebdd762a21412272616df255001886c3d702dc0f0

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
89KB

MD5
f4fe9d3038b273164417e937599125c7

SHA1
29a9f2a7bcd1b14880b02745c92da841a55b52c0

SHA256
b1ea84c9c6c31bbfe0eb0cd1db2104f5d01de6942ea815fdf9dd7b4874816758

SHA512
98474d200aa88c9752252a931f2ed9452f3e51eacc003aeaec7f8932d236b1cccf2ffc17a833d929c69f01d2877d3cdeb472459a8786b46bb06fb5605e9b6dd6

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
89KB

MD5
ea36465b52d743466c72f0ca8e56bcd9

SHA1
6ef5e7cde3be8c1212dfb012567c8d0bf4947d0d

SHA256
cf5f0268d1b6c6c8d205de7270efe15ea3d8cb4d5b2d8a174e5500ac43bf8f88

SHA512
6191a775e87c84b64ce59b248344c942681ee4491b1933e670dc9028630c8eb6b6198294a48e338cba39a2d2394763ad51cd2872b526adf7c0cf7ba43fc7f7d1

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
89KB

MD5
df34396f24992a81123e1c900212731e

SHA1
1872fb1a8abd85ddf40b8097402b224963eda5ec

SHA256
617be851f06852a02e9b6b7813a8b41a38360f470dff12511e083b4f4cb3cb70

SHA512
f38414baedbe155b42041babcaf354ec63a9353faf054cbba20b61ff01b15a3d2e9f92eea1f77b4bcc91f61fa16e928b9961db4f8081e69ee1c80a157663c5d6

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
89KB

MD5
dd0ae059489f5917a2ca4667687845f0

SHA1
cdba0caf045b262fa33b0f25f4c270a84a6e5ecc

SHA256
5cef57393ac5e959f44a9a0dab5cf6ec8b617426bea55ae12e2f4770aea7c40a

SHA512
ba50da9653fc9282a8cacfd9a1b47bf05d2ecb6775d63dfae1fa1881186fdc4da4136b33003f36e26c1cd54329b0ece27c1145484299c5aab53b09d392a925ab

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
89KB

MD5
f505da6e244becb8fc6e5e9a14b0d0cb

SHA1
4cbdb9c5c2e82d5f495769cec40c031ccb68439c

SHA256
9d8692cb491565883cd2736971f4e3eac37f3210e7d9f2293410a0e5db4cf067

SHA512
368e2403c293436afe9b35a3b17d890f5be878e3364966a27f170a57f73ffe6b0ece9d43410550f15ffcacaa8cafa6cde71397eea9ee3c5503b75a4b3ab666f6

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
89KB

MD5
57843f8053ff9dc8796441543054cc9b

SHA1
4c066473e471ffe232a8c42a58ec8a67061942ba

SHA256
6e7a00617d09a874577ef3cc8d21fd8239f9adef0be56043b48a624b68af1c54

SHA512
e1f68e642900cfccd6f5432390a2ada063cb7de679acab5c7ae249fc325777396320e550bd3fb7f47c262829ae7e691d70fa27642e20608814946a02b7fc303d

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
89KB

MD5
87a4b4840a0a93468b930e2aa7cdd00e

SHA1
9f28232d0a0995cf0c379bd36318787e72be8146

SHA256
dbc7093e05105717242802ce19a1a012e8b6020ff2e4f561594f220647a01568

SHA512
1d57388398dc4390571127823c4774148344797006c72a3ecfdbaa04c548f64ce5786a5dbaacf6cbad24072c713e77c08a373da2eeb29b6c56375558ba04bf40

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
89KB

MD5
5cb349381a512b43b3976cf8647c4b22

SHA1
6f6aed58e4e4163760d024195d9443844f9ab513

SHA256
fcaa4bc95d98d834f02a8e303892cd875ce0bb4844e1cd86c6bf0b10cb727ab8

SHA512
0251fec9cc47ee6861d360d2362e7b82e62b4efafa93d673edd03912a47d1bf014476a855ff47a5842e4f81d9d115784f2781036ddbace90f283ae964bb95b66

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
89KB

MD5
058852d991790d79644d96e4eaf909b0

SHA1
69525fef3b767fa148111f315c3660c3f301645c

SHA256
fded5e6d0613591762c14702e7eed86a365bf27ab0a4d4e721856829cbc48569

SHA512
1872aebcf0ed5ef99f664b011f87fe11b562f0c623953f60e1e4839c80553cd82dd9c55f5147b3423c711dd9b2d5830567ecd7e8857b67185b0d90804dfd58fa

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
89KB

MD5
cd82691b32e64236e8dc401d209af056

SHA1
d8b3a22a83bbe65131b9520296d0b47c345df4fe

SHA256
d9e2a7fac6fd3fe92342094c273878e1dfdc19803ee435718e92793d88f3f7dc

SHA512
166352abc76f59357eeecc9682455b186b3d45f470030d839fcbe943071b0c475a266fc1263a9fd05e9ea30950e2a56bab8efc75db137d3fbf3eaf61e03edefd

Download Submit
C:\Windows\SysWOW64\Phiifkjp.dll

Filesize
7KB

MD5
ec91f06b4d590882573031b752c92cbe

SHA1
8ebe73a38950f267113164cee75cf0062a13046c

SHA256
5834c142272f491f836612ac77a67c633a0c59234e512996bbb63312e24297db

SHA512
31f8ca358ec4d6668ca75d4fc9fea7f2e6e48c671890317493fbf16e63614e724da519c5a96dc1c7a1fb1ecb3f0ebc3804ed26d25c0604d89685856397469067

Download Submit
memory/216-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/364-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/384-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/384-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/460-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/656-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/736-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/736-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/996-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3276-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3768-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4684-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4960-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4960-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads