berbew | 80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0

Analysis

max time kernel
95s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe
Size

337KB
MD5

8ca1836da2c87873a062150f9954c5c1
SHA1

d068d0b334ff35f92302eb158613fa603507fe9d
SHA256

80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0
SHA512

4fa0cb3217d4c13ae8c9a6dc2c5b54667ee4332bea2c16957f75fbf4d1a59eee96394d94dd7e156aa7471a04432a1669238f291a9fa31524a00ee7f48fd1869c
SSDEEP

3072:nspRtBH2AycgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc0t:sz3WLc1+fIyG5jZkCwi87

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 47 IoCs

pid	Process
3272	Aepefb32.exe
2244	Agoabn32.exe
3060	Bcebhoii.exe
1000	Bfdodjhm.exe
4980	Bjokdipf.exe
3704	Bchomn32.exe
2804	Bnmcjg32.exe
3468	Balpgb32.exe
3112	Bnpppgdj.exe
4792	Beihma32.exe
3544	Bmemac32.exe
952	Chjaol32.exe
2276	Cndikf32.exe
2948	Chmndlge.exe
1600	Cjkjpgfi.exe
4276	Cdcoim32.exe
1060	Cnicfe32.exe
1956	Cmlcbbcj.exe
3028	Cjpckf32.exe
4432	Cajlhqjp.exe
2892	Cdhhdlid.exe
2100	Chcddk32.exe
3296	Djdmffnn.exe
1824	Dmcibama.exe
4476	Dejacond.exe
4340	Dhhnpjmh.exe
3984	Djgjlelk.exe
1620	Dmefhako.exe
3276	Daqbip32.exe
2180	Delnin32.exe
2500	Ddonekbl.exe
384	Dfnjafap.exe
4004	Dkifae32.exe
4372	Dodbbdbb.exe
5100	Dmgbnq32.exe
3004	Daconoae.exe
2524	Ddakjkqi.exe
2424	Dfpgffpm.exe
3524	Dkkcge32.exe
3444	Dogogcpo.exe
3508	Dmjocp32.exe
2788	Daekdooc.exe
2312	Dddhpjof.exe
4112	Dhocqigp.exe
3604	Dgbdlf32.exe
4584	Doilmc32.exe
2492	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1488	2492	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cndikf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3272	4320	80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe	84
PID 4320 wrote to memory of 3272	4320	80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe	84
PID 4320 wrote to memory of 3272	4320	80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe	84
PID 3272 wrote to memory of 2244	3272	Aepefb32.exe	85
PID 3272 wrote to memory of 2244	3272	Aepefb32.exe	85
PID 3272 wrote to memory of 2244	3272	Aepefb32.exe	85
PID 2244 wrote to memory of 3060	2244	Agoabn32.exe	86
PID 2244 wrote to memory of 3060	2244	Agoabn32.exe	86
PID 2244 wrote to memory of 3060	2244	Agoabn32.exe	86
PID 3060 wrote to memory of 1000	3060	Bcebhoii.exe	87
PID 3060 wrote to memory of 1000	3060	Bcebhoii.exe	87
PID 3060 wrote to memory of 1000	3060	Bcebhoii.exe	87
PID 1000 wrote to memory of 4980	1000	Bfdodjhm.exe	88
PID 1000 wrote to memory of 4980	1000	Bfdodjhm.exe	88
PID 1000 wrote to memory of 4980	1000	Bfdodjhm.exe	88
PID 4980 wrote to memory of 3704	4980	Bjokdipf.exe	89
PID 4980 wrote to memory of 3704	4980	Bjokdipf.exe	89
PID 4980 wrote to memory of 3704	4980	Bjokdipf.exe	89
PID 3704 wrote to memory of 2804	3704	Bchomn32.exe	90
PID 3704 wrote to memory of 2804	3704	Bchomn32.exe	90
PID 3704 wrote to memory of 2804	3704	Bchomn32.exe	90
PID 2804 wrote to memory of 3468	2804	Bnmcjg32.exe	91
PID 2804 wrote to memory of 3468	2804	Bnmcjg32.exe	91
PID 2804 wrote to memory of 3468	2804	Bnmcjg32.exe	91
PID 3468 wrote to memory of 3112	3468	Balpgb32.exe	93
PID 3468 wrote to memory of 3112	3468	Balpgb32.exe	93
PID 3468 wrote to memory of 3112	3468	Balpgb32.exe	93
PID 3112 wrote to memory of 4792	3112	Bnpppgdj.exe	94
PID 3112 wrote to memory of 4792	3112	Bnpppgdj.exe	94
PID 3112 wrote to memory of 4792	3112	Bnpppgdj.exe	94
PID 4792 wrote to memory of 3544	4792	Beihma32.exe	96
PID 4792 wrote to memory of 3544	4792	Beihma32.exe	96
PID 4792 wrote to memory of 3544	4792	Beihma32.exe	96
PID 3544 wrote to memory of 952	3544	Bmemac32.exe	97
PID 3544 wrote to memory of 952	3544	Bmemac32.exe	97
PID 3544 wrote to memory of 952	3544	Bmemac32.exe	97
PID 952 wrote to memory of 2276	952	Chjaol32.exe	98
PID 952 wrote to memory of 2276	952	Chjaol32.exe	98
PID 952 wrote to memory of 2276	952	Chjaol32.exe	98
PID 2276 wrote to memory of 2948	2276	Cndikf32.exe	99
PID 2276 wrote to memory of 2948	2276	Cndikf32.exe	99
PID 2276 wrote to memory of 2948	2276	Cndikf32.exe	99
PID 2948 wrote to memory of 1600	2948	Chmndlge.exe	101
PID 2948 wrote to memory of 1600	2948	Chmndlge.exe	101
PID 2948 wrote to memory of 1600	2948	Chmndlge.exe	101
PID 1600 wrote to memory of 4276	1600	Cjkjpgfi.exe	102
PID 1600 wrote to memory of 4276	1600	Cjkjpgfi.exe	102
PID 1600 wrote to memory of 4276	1600	Cjkjpgfi.exe	102
PID 4276 wrote to memory of 1060	4276	Cdcoim32.exe	103
PID 4276 wrote to memory of 1060	4276	Cdcoim32.exe	103
PID 4276 wrote to memory of 1060	4276	Cdcoim32.exe	103
PID 1060 wrote to memory of 1956	1060	Cnicfe32.exe	104
PID 1060 wrote to memory of 1956	1060	Cnicfe32.exe	104
PID 1060 wrote to memory of 1956	1060	Cnicfe32.exe	104
PID 1956 wrote to memory of 3028	1956	Cmlcbbcj.exe	105
PID 1956 wrote to memory of 3028	1956	Cmlcbbcj.exe	105
PID 1956 wrote to memory of 3028	1956	Cmlcbbcj.exe	105
PID 3028 wrote to memory of 4432	3028	Cjpckf32.exe	106
PID 3028 wrote to memory of 4432	3028	Cjpckf32.exe	106
PID 3028 wrote to memory of 4432	3028	Cjpckf32.exe	106
PID 4432 wrote to memory of 2892	4432	Cajlhqjp.exe	107
PID 4432 wrote to memory of 2892	4432	Cajlhqjp.exe	107
PID 4432 wrote to memory of 2892	4432	Cajlhqjp.exe	107
PID 2892 wrote to memory of 2100	2892	Cdhhdlid.exe	108

C:\Users\Admin\AppData\Local\Temp\80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe
"C:\Users\Admin\AppData\Local\Temp\80ecde84869df4656e048372abf0d08bc8ed8b9b9b74f5ed8e36a1a4f09e5db0.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SysWOW64\Aepefb32.exe
  C:\Windows\system32\Aepefb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\SysWOW64\Agoabn32.exe
    C:\Windows\system32\Agoabn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\Bcebhoii.exe
      C:\Windows\system32\Bcebhoii.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 396
        49⤵
        Program crash
        
        PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2492 -ip 2492
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
337KB

MD5
521f08196e12a98748899ef5d7d2ffc8

SHA1
52f88562e47c512a580956f8a116dfb6ae94b593

SHA256
c0962ed1921f4813898497c7ea92a3ed234af6c6f71db29f3ed849b27842bfae

SHA512
6569f11bf210fbd112576a5ff3d29b6a337c08054fe59e97f717a2cafc62f2ad9dc24266ff4dee5af518f001b054679b4d49dd1e507728fe7601dae8fde4cbe2

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
337KB

MD5
9c5738f995996ffe92131c83bb20cf6a

SHA1
6624b58baac7fb20fd7dc1c2cb52f1d63bd6a5ae

SHA256
6fd8152839ae1c44b8ec48660ae68db775fba7b7ab2d7589e1b34f55dfcb5d35

SHA512
0c66268cbc59fc6e9fdf32186015a4e207628c4d3a536a4bc6725b4c6f0e1d25008c4dce8de4831f96cb5a56c8923f189c8fc7ea9c3362f19c7d1d9090d5d1b3

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
337KB

MD5
98352f84a3cf8e319c86a0d4696561b3

SHA1
3ca347870b6db2e58d12934feb24e4f1c8d94522

SHA256
4c47398e0f299f6d636378781b12bd507ddd3ccc38894ca92d2b19fe0297bcb8

SHA512
09b5a1a63a52c5e5a81836eaca27add49750b3ca170ea1ab08f010d778bd530a5be3f5592653efe8b75968c607b43bf4d963ca7e59e5c3b11d6d0e83f6fbe8d8

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
337KB

MD5
39eacf83a014342f51005183e12e88b3

SHA1
b42de6e33dc5ab51a41169309a1486633247ee99

SHA256
68b7baae2dfd7104f36f3bc80cc2661d032dcca18e5b9c513b8c0cdfd8b8fb3e

SHA512
4a9887e5fa2501bc3e989d0e6e32d72f3cd40e3ee9972a44862c455a096d6b35a07fdadd7445a75cad957ddaffe1ac810d75766faa9582d6f57af8270dc0ce34

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
337KB

MD5
94cb79cd30b40c6f7736ce8bf364b911

SHA1
bd836a7927847ba3fb66fe7b9b6218239b6deece

SHA256
9caae3d530fa81c01f93077531d38192bb18cad14378a134ae5456fc83862b38

SHA512
51a4b01a32d0582c44bb1bc6f5acc36816ffbfa355537bec6a34a768c6d8444d48b5876b8e6625e22be9b9726282a39bb5d5ccef77c97d53027a5069aab43148

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
337KB

MD5
f793b34861fcf54e16cccb8a91f8d215

SHA1
5f61feaa661848bbbd71dd7d953eb81a22b712bb

SHA256
da451be89525654e09d869db0dba6e85c171b7ddbaf981b4682c36ebc32033d7

SHA512
61ebf562bd9b3f03cd49d4db6d3ae102ab50b0e36c8bdc6132552c611cf3a9c48fb172ad0397b44a449bdc0989d9a60fef9111627c1632cae077f0697f08b5a1

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
337KB

MD5
639ba26df546f6dc833708f5e3d0070c

SHA1
5fdc36486571ded8c296625dc746531dd96cbcca

SHA256
c94aee9f76cfd156a2463716aa40aeadf762e119cca8d1afc8576a50b06b08ee

SHA512
588d789b54f24064542f0f45865fe22790678faa98b27f91d8fedf8fa8ab6d16f8a537145765119fac4c3f01c729bd77631b26a2451d506c5d661e616e43ebde

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
337KB

MD5
b69a2eb0aa140fe82bbc46158a676a07

SHA1
f9ca5ef81b8288e3c8faba384bebd5c31c886ee3

SHA256
be0d58aceba98e02cfe61e1086be06ca3ea684edc951e80cc7b3826be3fadf82

SHA512
eb53570165257ad05166a4aec2d488add03c6e8e70ad0ef2c814d99918bc2a04914567c0a72f82731298debcae9fb6db43a381f06009fa9ffc29d78ff6110625

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
337KB

MD5
28d8a81147d269c1a6221ab6b32e9e23

SHA1
90ca0231da19977643d96b452b28c65c57ce1509

SHA256
4c846d815285f7ef47f7ff2c90b6cdabb991eccc65eacae85d9a635d33fb27d9

SHA512
da7c651a05e27607ce5db356fe492b2dfc205c2880f0b5948663847eb0444821ed3b2768c30220db56d55e1873b7e4de77f433a45697b521614634b8729dd0fb

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
337KB

MD5
d0de11141217568b23daa728691f35a0

SHA1
39754f8b1553c8641991dd50e040ed3b8c5c98c9

SHA256
9940ad44789a04a7712c1ac76b3f236afd07bada7d91d462f4ab730290f82023

SHA512
918c9a2deb637a71aee73eb9e52c4dc3edc2c23db0aba32d8c1fdacd785db118a8005c9fdf117c97814aeccdaa3974c68e0e07b1ab3d809b5ae443899c0812d9

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
337KB

MD5
9c7c7dbceffd0a93e66b27ed5a7025c3

SHA1
6ce1a7fbeb0a6d7eb30968416cf323decca0e531

SHA256
c8d322b0ddb71d9bb0ca4cf8ae595ef0951ee4423f47f045c3c4dd7aa9c20149

SHA512
3048aac23e910fb7ac5fe23e95a5540cffecb02c0c52d9d8196c641df3f8e4acea1d4693f74a2a112ec1ee2f62d5486478778a87a2b32c30b7f5bced50588039

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
337KB

MD5
baa1065faf6ca831f7f7af770619436a

SHA1
7eb0ffd84cef8552dadd20590e9a9037ee01b532

SHA256
ff52bd6eb6ccf1dd21e76482dfdd87be6d310c617d916692f912c66c6cdd9bc7

SHA512
09266611a16fd7fc167065fff333378fe5ffd719a7f92e20f46a5a6ae24f46414bb35d26f1dea46d59a30232ea8721fdde04fca8889d12b445301ef37544c27a

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
337KB

MD5
e4d1db0c13e3fd800d9678bb8ccc1adb

SHA1
6c4283cea16e5be970ec2677505e364dd40b784a

SHA256
5c65ea48273a6e4d7f94c5800fa8ff4c7815cecc5c2513cc180577a35647723c

SHA512
a5175a4e19e642cfd880031f33bb03b609274cffb64e1157555470fdf96bdad70c34039ff284ed692257aef25248d858fecb8536cebecda8a1125fca82a6e9b4

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
337KB

MD5
98e50e6e8157902b69096a52dc5fde5c

SHA1
e7f468421c07d7ff57ebbf737415bc35cdaf6357

SHA256
9d1e2886cc6d6eeb321753ee4c80a4071bca488378858b91677adf408190f218

SHA512
0e736c121348a43398cd53fbcdaa92bdd1e16312cce30e132fc748142354d2377280baef64284d8185a14a196367891155dca04005b8d64d70b6f706fedc1dea

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
337KB

MD5
ee4f63d4e6c3831b3a884bfef4df7edb

SHA1
e29a812128dc45f437ce7a3be706852e89e821a0

SHA256
aa2290880e6c43a564a327e9273cd6421e5e86f8122ba36734e39687fa3c5d43

SHA512
b77d88c5588c61ee05631522459c378190c0c911ca7f2f4d72e60564da9f0069c15d5e55c53db9adfaf3828f8d91e5b35abcc1b7659baa893e6ee0e474745730

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
337KB

MD5
5bbe4793d05984fee387c5cd175456c5

SHA1
1fcf369d0946832057cb5e9524c7c98dc3f2eef6

SHA256
0297e7300cfa831cca0922bc4095302671adbb507018e1210f53aaa2f184de22

SHA512
cbb7ef3ae217f3b94b39c45a52a39e7e24b60c557dd60692d9d90cc367b53fe3c74f767f3d3663813a30cb367a84671a5375e25a25ef1e3bca9f6e2dddc29b8f

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
337KB

MD5
73c79957ad9535735f1e4a91ed172ec9

SHA1
1a56708c30ba0bb854e73d15358b9cb4e3ff2adb

SHA256
d6ce5844e501851f759df864dec5b57f8eb880fa9ea0dffe7338c642a0075402

SHA512
d1e838d5bfac314800c53ebbd9bdd46c43d804ab8488f4d99471cb3e56a9ddfed13643351d40e3fd472f867f74ed97e31a709e660242cb8b7a8c5cc0dd7fe5f2

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
337KB

MD5
34003613de160ed6a99af3006d9da0f3

SHA1
82b967e2341f9ca11321705433374d99c7ad2d08

SHA256
576d7f7c2b0d6ccf92d9507c92f39866841eb982c32237a33ea357874ab63313

SHA512
5f9b0732b8725f562963b493fb04eead309b93003503a9af9c5e9f105522be32533d8691c09d0f9617733b71ff82c7d6508e83b4581d7cb37fff14be9714187b

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
337KB

MD5
82fd796cffd5aef40b1d16897ce0915b

SHA1
f42a8a010f424dbfefbbc9470cef9a33692887da

SHA256
bcf81d942f7e139a8f41804e5f6ac41062d3b0a264c10a0af5f0a4018fd68473

SHA512
84d17dcecf6d33206c588939aa7289ca532ac137bf7a0a72d5fa4118a0830649342521b201a3cf8a10405b912f85d16bdbe0af5674abf1c15df782162523d309

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
337KB

MD5
b74b9e34dcddfda162109c47ef913e21

SHA1
57a9663b2dfc6d69e3c82e1bdf1d78991aa6ef31

SHA256
dc6d663e29d3d3e74e109575cea416d6b79d7cc059009c99254af00b05b52843

SHA512
60a3ec9c1702b92f1a102e150234164bf96adb521f271f051ab53a6e0e98e3f41cb15fc17e8c0cb7eb4fcbbbf2560180a81a5a87f31d833641577116939993d5

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
337KB

MD5
62206b6f99f322709729274617dec3f9

SHA1
9eff1f737d7cfb2cb2d14a6758fae9c8151aea53

SHA256
5f9d38e3b043da7a7fa51fb01ce30d23fe0758eb2aedf8cd1f416f67f861fbf5

SHA512
b1caeabff773fad4bf0957f396a3b090c669cfc0719689988187d086e8ecb95dbf4f2d1385fbe3a41f69c4d6eab3920f2872c142910b1a8a0a03f5095b19b434

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
337KB

MD5
e310a1c03cf5ccf7f6dbbf1e76402ed4

SHA1
ca72fb5a7caeb20a23633b12d255ca134cc74b84

SHA256
ce7de0462aa1fc7bf9799d96112ac889fb12ee98a6678fc085dcabf73c58b706

SHA512
813ddde0ff5d0da31e8c70c4c6c5c689834df3fe36045fd5f65fc7db40b0b6b8163a93cd0e9ab7ba8b4af49f88ffb2434aa69c4e71ef448d3ab8fb4d9a1a7a25

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
337KB

MD5
d8bbc5002eb69ce56787207e1d086b41

SHA1
ae3abd9e81cd75fd76fcf0d9cb25af4294d98ea8

SHA256
6915920faecb0d8ba972b8dce8271e37b23d7d378182e20e96432216e732e6ae

SHA512
1342e48c8485070a233b20593a03b8ffa62393416cffe1f1db26b0ab8afdad0c8f1b75a8b3bc0659216d5f0952b7f840c5c8cf914602112ee6a518e5121458cf

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
337KB

MD5
e96f5e2ce3208758692c56a8fa92c3aa

SHA1
f469a3b71aa33c5d1acb9157e0ec3a77899b56e4

SHA256
e0042587db88991b6e2bd0a35f9d0faa58d2598a777caa73fac6e2c4be0a7e47

SHA512
56b51c6e215d06e4c7c095a7acb52a73cae97e0898a1018c81d5d72bd04fbee89960cbcc40907b75adddbb5b15e4a15d5f6bda803e79c89227dbf7a16c8c6e1a

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
337KB

MD5
15b87d64a6c712e5e624637435c5945d

SHA1
e638976d05dc493f1ca40720e7e778fe71c4aa00

SHA256
b46ba950c5f74e3c03703e8e3f64e2ab22a842997ed2efb23fbe42cddb1d6cc8

SHA512
1e1345454572557658b9eb64f773b215018672a42751f92fe824935f3ce222bf69db374ab2acfe744f1f3632d4911c1fe659140a06bdb0f457bad7186fb19f76

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
337KB

MD5
f7753e7c442963583818a4adc6496257

SHA1
6070a9dc77a14b673496879bcfce5f1ea4b06365

SHA256
f1c9b19c00e85a90bd778918654b635d424d04d5a7d6d5ea321dfae4ebcbd353

SHA512
e7ebc6329afddae365fa22294b8bba512d500af3637b9eae6d6c1cc38369cf4bbcab5a0e5472d3f6014254a2e7d327b6ac788e0d33a587700fb481387718aa71

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
337KB

MD5
67957a91f1f3a2a0a3ef088063c0796f

SHA1
9d155694a4f4872067c0101b493994937e13f9fe

SHA256
6cf7f85f542ad2783c53ad2e73f4b990abc862858bc195a952f43598d91ed179

SHA512
176abafd84da81fb0fb1399e66072e332d3b2702f4717a3d1c1330bad9912da34423af9140b9b20c8aa00a9baaa036c07a594edb6eaa7a5af0f6c9d4cf9910cc

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
337KB

MD5
b9181f6293a7d3831e98d3bd95e2f792

SHA1
3033c304d5c0888f567444d57e63f024dbcef1fa

SHA256
f3445da58a5f07c01b673217ace1975511604dce2f1659f6a69df79beaaa9b45

SHA512
d5c516dd951a85fdcf4687075330d9330b64f791d8008fede38a5c2222286ab7fa09e1c024a1a7d9ad477e03d4b99c8dae4742afe00bd6134cf3c9b548adae5d

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
337KB

MD5
5256a522fe17ed620c11c07dc7032165

SHA1
f22ef270853e1266f2057e1a5a295739e08075be

SHA256
21e4c71d1cdafdd7872baf40c8454ccb3d8872de427f7b5723edd3f1b3a8a628

SHA512
00fc5dee0b71fd13549e83fba18593eb1da06dc8554a21b8288b5c2da86ca35c3bc75d185485043b5d66953103a6f2d2d117392305ac467667031de12f102d05

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
337KB

MD5
a30029a97b86eabe855e2bd48b464916

SHA1
0e4f748cc9202b5e7e4e581d3ad975c3b5bdff65

SHA256
2443d181bddd9c834d11a2aff16b3922ebea505c81181d2a90a1d7272f72e487

SHA512
bda65a36b308e199d27d868625d1c26b3f9959fb0863c449845c0e6891ae9e7907329497769b8ac8c6c1a8e05eb79f9b9cc2a4d7a62a96afc7acbbb447150613

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
337KB

MD5
cccfd0787bdb6aaca3a3df70c8124bad

SHA1
279276a0eb1e908fa4c451609c1530b6f10d7214

SHA256
a368e11a88b449da955889c9ffc1e102524e73f3df15017b6157da4e4daaccd8

SHA512
cce8a7a2213bd5c88099ade7248a564f153f06fdeaebe7111fbd286f003fe1f26cc991ef43823dcbbb2e369939c4ebb554d198f9e25323250cd11671b9b1a6af

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
337KB

MD5
6c80c709ad34f8e1684a90c76ad55961

SHA1
7c4bdfac3a00cf795033fcae721803151a7b69c9

SHA256
7c69492a779d3b24228e9d2956017bc887375afbec1d499d843fbd47d57438c7

SHA512
1f9a3f2b046c78a344939597fc24adbea1c59aec7c5ce539c3d8784d26f7b5b8541cf65233b156df2cfeb839ad5b3b4bd70ab972d2f63276081e1ab203f87275

Download Submit
memory/384-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4320-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads