berbew | 98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a

Analysis

max time kernel
92s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe
Size

264KB
MD5

8ed848d03a3118d687e37b46abe4e878
SHA1

c55f236d83ae838d0e4c636b34cd4b0037b1b559
SHA256

98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a
SHA512

4f545afd52f1f76bcb4dca42712aeac63b329c1e0acf8eac1330e5ea17f8c7415b9903e93f40999be54789e3124d75c4ea0c4703c9feef76ba4ebaa72e07e5d7
SSDEEP

3072:2ifGaCL3m4is24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mtye3lFD6:20GxL3m4iBsFj5tPNki9HZd1sFj5tw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 40 IoCs

pid	Process
2700	Bganhm32.exe
4760	Bnkgeg32.exe
4524	Bmngqdpj.exe
4060	Beeoaapl.exe
3080	Bgcknmop.exe
932	Balpgb32.exe
3736	Bfhhoi32.exe
4100	Bmbplc32.exe
4792	Bhhdil32.exe
3752	Bnbmefbg.exe
1156	Belebq32.exe
1044	Cfmajipb.exe
4800	Cndikf32.exe
2420	Cabfga32.exe
4020	Cfpnph32.exe
716	Cnffqf32.exe
2428	Caebma32.exe
744	Chokikeb.exe
3932	Cnicfe32.exe
5028	Cmlcbbcj.exe
4596	Ceckcp32.exe
864	Cfdhkhjj.exe
3320	Cjpckf32.exe
3116	Cmnpgb32.exe
1792	Cnnlaehj.exe
2880	Dhfajjoj.exe
4784	Djdmffnn.exe
3056	Dejacond.exe
3052	Dfknkg32.exe
1528	Dmefhako.exe
1344	Ddonekbl.exe
4336	Dhkjej32.exe
2196	Deokon32.exe
4852	Dhmgki32.exe
3560	Dkkcge32.exe
1208	Dmjocp32.exe
1648	Daekdooc.exe
3876	Dhocqigp.exe
2216	Dknpmdfc.exe
3532	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4608	3532	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 2700	3648	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe	84
PID 3648 wrote to memory of 2700	3648	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe	84
PID 3648 wrote to memory of 2700	3648	98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe	84
PID 2700 wrote to memory of 4760	2700	Bganhm32.exe	85
PID 2700 wrote to memory of 4760	2700	Bganhm32.exe	85
PID 2700 wrote to memory of 4760	2700	Bganhm32.exe	85
PID 4760 wrote to memory of 4524	4760	Bnkgeg32.exe	86
PID 4760 wrote to memory of 4524	4760	Bnkgeg32.exe	86
PID 4760 wrote to memory of 4524	4760	Bnkgeg32.exe	86
PID 4524 wrote to memory of 4060	4524	Bmngqdpj.exe	87
PID 4524 wrote to memory of 4060	4524	Bmngqdpj.exe	87
PID 4524 wrote to memory of 4060	4524	Bmngqdpj.exe	87
PID 4060 wrote to memory of 3080	4060	Beeoaapl.exe	89
PID 4060 wrote to memory of 3080	4060	Beeoaapl.exe	89
PID 4060 wrote to memory of 3080	4060	Beeoaapl.exe	89
PID 3080 wrote to memory of 932	3080	Bgcknmop.exe	90
PID 3080 wrote to memory of 932	3080	Bgcknmop.exe	90
PID 3080 wrote to memory of 932	3080	Bgcknmop.exe	90
PID 932 wrote to memory of 3736	932	Balpgb32.exe	92
PID 932 wrote to memory of 3736	932	Balpgb32.exe	92
PID 932 wrote to memory of 3736	932	Balpgb32.exe	92
PID 3736 wrote to memory of 4100	3736	Bfhhoi32.exe	94
PID 3736 wrote to memory of 4100	3736	Bfhhoi32.exe	94
PID 3736 wrote to memory of 4100	3736	Bfhhoi32.exe	94
PID 4100 wrote to memory of 4792	4100	Bmbplc32.exe	95
PID 4100 wrote to memory of 4792	4100	Bmbplc32.exe	95
PID 4100 wrote to memory of 4792	4100	Bmbplc32.exe	95
PID 4792 wrote to memory of 3752	4792	Bhhdil32.exe	96
PID 4792 wrote to memory of 3752	4792	Bhhdil32.exe	96
PID 4792 wrote to memory of 3752	4792	Bhhdil32.exe	96
PID 3752 wrote to memory of 1156	3752	Bnbmefbg.exe	97
PID 3752 wrote to memory of 1156	3752	Bnbmefbg.exe	97
PID 3752 wrote to memory of 1156	3752	Bnbmefbg.exe	97
PID 1156 wrote to memory of 1044	1156	Belebq32.exe	98
PID 1156 wrote to memory of 1044	1156	Belebq32.exe	98
PID 1156 wrote to memory of 1044	1156	Belebq32.exe	98
PID 1044 wrote to memory of 4800	1044	Cfmajipb.exe	99
PID 1044 wrote to memory of 4800	1044	Cfmajipb.exe	99
PID 1044 wrote to memory of 4800	1044	Cfmajipb.exe	99
PID 4800 wrote to memory of 2420	4800	Cndikf32.exe	100
PID 4800 wrote to memory of 2420	4800	Cndikf32.exe	100
PID 4800 wrote to memory of 2420	4800	Cndikf32.exe	100
PID 2420 wrote to memory of 4020	2420	Cabfga32.exe	101
PID 2420 wrote to memory of 4020	2420	Cabfga32.exe	101
PID 2420 wrote to memory of 4020	2420	Cabfga32.exe	101
PID 4020 wrote to memory of 716	4020	Cfpnph32.exe	102
PID 4020 wrote to memory of 716	4020	Cfpnph32.exe	102
PID 4020 wrote to memory of 716	4020	Cfpnph32.exe	102
PID 716 wrote to memory of 2428	716	Cnffqf32.exe	103
PID 716 wrote to memory of 2428	716	Cnffqf32.exe	103
PID 716 wrote to memory of 2428	716	Cnffqf32.exe	103
PID 2428 wrote to memory of 744	2428	Caebma32.exe	104
PID 2428 wrote to memory of 744	2428	Caebma32.exe	104
PID 2428 wrote to memory of 744	2428	Caebma32.exe	104
PID 744 wrote to memory of 3932	744	Chokikeb.exe	105
PID 744 wrote to memory of 3932	744	Chokikeb.exe	105
PID 744 wrote to memory of 3932	744	Chokikeb.exe	105
PID 3932 wrote to memory of 5028	3932	Cnicfe32.exe	106
PID 3932 wrote to memory of 5028	3932	Cnicfe32.exe	106
PID 3932 wrote to memory of 5028	3932	Cnicfe32.exe	106
PID 5028 wrote to memory of 4596	5028	Cmlcbbcj.exe	107
PID 5028 wrote to memory of 4596	5028	Cmlcbbcj.exe	107
PID 5028 wrote to memory of 4596	5028	Cmlcbbcj.exe	107
PID 4596 wrote to memory of 864	4596	Ceckcp32.exe	108

C:\Users\Admin\AppData\Local\Temp\98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe
"C:\Users\Admin\AppData\Local\Temp\98de9e2c17ecb5141aea0baea92abf4686504e239ccc7d081f827934251fe71a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\Bganhm32.exe
  C:\Windows\system32\Bganhm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Bnkgeg32.exe
    C:\Windows\system32\Bnkgeg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\SysWOW64\Bmngqdpj.exe
      C:\Windows\system32\Bmngqdpj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 216
        43⤵
        Program crash
        
        PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3532 -ip 3532
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
264KB

MD5
d7c01e7c5041d1437cacdf28848d7c2d

SHA1
c54da4a1a6420be31d6acabd98fb84db0fde0ad5

SHA256
66249c49cddeba818287a44a4bb61c9ad8e04e22521818c0b82fd17718ec3f4d

SHA512
71c822516605742e17935956bcf71f2335983a33385ca4164d319d55ef881d2812449dfcddcc3eead1c722094927424753a230d0aa019496871406db836744d2

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
264KB

MD5
02d489233692b1047356570f8a874bf1

SHA1
32f9256c08c9d44afdccc5a4d25af34e278e7b50

SHA256
4645fcb5810b9779fd3476bce0f1d7007c88c59e1809eea0cddb29e4eaf54c15

SHA512
fe914a6ecc9a62100244d81a4c00d02ba0727548238167af9b405143c67790dce22aa4fdbd7b2722b2577b9cfbcf781275a7430f1bbfd19d444c1f2420e20d1b

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
264KB

MD5
5d2cbee03093b83310ce69d3b002b6dd

SHA1
0d442d79526704d0ba366e98a1a8d3ecf25eefb0

SHA256
92aae0798c3989b55e8182eec3eeb5f772c01f63bd1d68e26c16a56b4ea4b3e6

SHA512
11b5edfc53fa27729491fa2192bf14e2376316617fd35c4771341cd7f46f6a1523751994f72b71fc3aee99e914dd0f17c66448d9f40e1ee1c84fca0bf32a1dbf

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
264KB

MD5
a58671acaa92c360d0ffd1182c2b7f08

SHA1
b1a8c2af0fc8323d637c0e60ac6d3d4e60bf5c60

SHA256
97885a8c51f410e833f1897bb9ebc414ac2d3ce92edf33c15c67e5cb37d26d43

SHA512
ec9875520f09ed84b4fe06dbb293fe960f55b5b14f3aebc469aa9585c7a83e7f778629cb5c3f664e51004b9615afb93b4f16130b2b71d4af2e831b58f6de6593

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
264KB

MD5
6ad8427ef48456da1f7bbcc74121020b

SHA1
b4040349a845c28ecaa0c4a8bdbf8d77b7f3f1c1

SHA256
97404fc61a6f23538239d37fbf8ec11d241f7662c9df39375da462e14fbe237c

SHA512
9a4363361273362ac8df3ec3af190e4c8e9140922f0861a826ea890926df66f4e3efac47330f77c62f847e891ec645400efe66ef2d8d508e4774aeab13c34d07

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
264KB

MD5
1f41b279ba440cfb6e994892e5466d59

SHA1
f79336fd941b871d592286d3d40a4a6695a331b3

SHA256
5ab7ff956433eb5760dc45c073c2447f8805cb601ce48e64f10e841de4bf0856

SHA512
46df17d47b492e17fd76c727b48096d6a4de94b2a424b99f41b6312a4d579bdd8fc8fa27c89335f766548527dfbd4a8516b74257fdf86c344b2bacc196f84468

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
264KB

MD5
548160e2ede1a242e991127ab7a66788

SHA1
6a3d76c4bb400a2954e2cbf8eddd47a00c212df6

SHA256
72def021fa72a0f3833b568c31a3b4861013a01e73cd99dd93a3400598949dbf

SHA512
5456e66cb341be726b7b7a845d2c84aced9ec8285d033e7664fb22e6e9a854d9d016a67fa12e0a87baab49c8be00b9d23c4a579193cb68d993dc4f6eb9a17104

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
264KB

MD5
f9b6c94f47abe264a71aeb512c4d8d9b

SHA1
8c64ba71edbe0d9a1b60fa07fccf8bf4316171dd

SHA256
9769db5022ac888063f8dc595f5d29f9ed197865c0d93b20d2dbbb849ad71af2

SHA512
5b6d52d6fbaf22d59aef9efbed0ff0acba334b7ad9e71934a8c671524cec6f2d89e85e004ab3920e3d0a34d6812c78c7258a573c9531f4c2c749de24d1031d6f

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
264KB

MD5
20b7ea921c3c16277baa19ce0e4bc881

SHA1
9f16f558a42df862f1692733c6857a7f94a9ad7e

SHA256
e9c186811eae98451a6757bdad9b1092f48d4dbfd2b88da23af4eef11a4b539b

SHA512
4717d0b8b926fa8bf7fe85172444f219dc1fc1431a6b3457386c899b804ea165ff7942918afa9b859bfc6b4c9b86d95483f18fbe67773c40c268d722e097624e

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
264KB

MD5
e9f05ded62dd188ab09e02a4899bd7b8

SHA1
42a29f620b1572249e3fc3cb66ac827c450a0e9a

SHA256
efeb1fcab014792bb2aacf3047e4291045cfed175f0334cd9d3bbf589c5ae7b3

SHA512
2971fe75e356f2aa03f7dc656e64d282f3ea7921b8a040de928312eaecba74c4d61a9a0f7199c14cb78429a763780cefb059549057fca4f67d1cf4de9b4f91fe

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
264KB

MD5
e733f32222fb097a802e871d9beecb82

SHA1
e67f3f55429abba74094e50e42e94a282b82c4bd

SHA256
09912e4905ebaef58a3ff3f44bc5560f82dc742e97413affbfc3626a1a42d505

SHA512
80596335f78fa988f55d2733c5a5976167d747a1b1ed78e139c629ba0c62b3437209a2119d9b7731005f625c13d4fd99b4adaf6495a147da066df2f04ec981cf

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
264KB

MD5
69ef7ca3e3ad126fa9a80940a0a400f9

SHA1
273363cad7b7a0d4a7a4ca4cece4f94d5f09b283

SHA256
653d08766ef1d13476d65b93fec1d8e67cbbcdcbc983b4fb39e5315985ae4c5d

SHA512
42411287cd4881cd2cc451a2c40e3a0fc9436a9be4b9bedfcb528f2a5e61deb7666f4debc6ee0db3b7a25760b5d7cfbb4b17b81cc286f11380f0b15e2e46436c

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
264KB

MD5
33955adaf40956dab1c0acfeb7bcbdd8

SHA1
5904e1f638f094d021949187fe31a7ae8bf95641

SHA256
78c88131e8b211018dd2c94a0dc50a0f528782506c92aec2da1aafa01bec69c2

SHA512
e32c4619ad6e68adc28c4ac31433d91638277dce8d105123ea3a0ba71ecdf0ec8fb75274dbb3bd02494a0f315f44844e7d9cd05b50e461c2c98d67ad0aa7b879

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
264KB

MD5
0bc457ed4d5b2b1fd22e778c495f82e9

SHA1
623b02ee5c33e15a4e2386be0b7f33ff8e055aac

SHA256
c9d724eff064351c2a6cee18944a58205e6e7eb0459e76712e0d27c598ea305f

SHA512
83a7def5610a5f0c78a2da982e6b9c7a7c1ce736f54cee5fe6d9184106b386c02cb6a9d5b5686895bc2cb8822930b53cd0fbc4b4c9fb679a5c161c0a25a7bcdf

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
264KB

MD5
e91165c7e9507be2eb27874ac5d49034

SHA1
cc160a3eb52d23e27025789a6a65bbabcc4ab94d

SHA256
a3c701a064f355cacca61d4701fdd756231f8dfdf2797468fa27a08597899fae

SHA512
e2722c652294333466cd19d86cad9efb71358a6724448bcb05f18438047e2a7cafa9d00aadf8735f83f3cc224790d91b4fb8783d6ee4c86abf43a5b301b28b3e

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
264KB

MD5
3e310b59a4efeb9084e393304a5d3a9a

SHA1
aff670759ec0a360e4917ad3cb47e7ad71fc878b

SHA256
f286ec0bcbe00d25d2b19ed86fc1c99365af54248e7563b543312cddc82467c3

SHA512
114f67d0295fd438998a7d5dec41e2c2950d6df8854beba58c99f9e069e857c2624a413c0c0865ce122e9f0454fbf6ec3f69ce52ebf1302073a5df036422f026

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
264KB

MD5
4b0fca352de91ec4b14c25724bdb7216

SHA1
dd5e32cef6aeda24bbab96e1c50992f99d6605a0

SHA256
a68b6e8b74a650b733e5b3c6daa6ac439bd1bfbf4d30a149b1d292c699f3c473

SHA512
df504549f5c172fac684a4263a120f75a3817bbde10d0d51a032a4b8aaf655fa17b6cf99920bccb6f877620eb559d7ba7803ee86d8fb6cdde73befff55a6616c

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
264KB

MD5
fd7eeccd1a06b0a9932e11dfb0ea12e4

SHA1
5aa654cf0c5fcd1c8f639d4b761402cbd7a9cd1e

SHA256
0a45e6399de31b6753d18449d2cde5d8bfc8d6d57ed0f3fd5399d7785d07b785

SHA512
4099bf5d3f8345dc47f690325664828dddd6b7f66c104b8e89594619493d10271cbf3724c41e19e7a129c7ab03d6bea9a005e038675c8214faa8fece373566a9

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
264KB

MD5
5619e8c27dff397ce2043a49208553e2

SHA1
e57cac06d680344d96faca053e12de1b90b7156e

SHA256
61e2e83fb2a3edcef8df67338e0e1dc8cb74f939a37ac21a5006e5ec89c08567

SHA512
fd3c58a7ac6306faf339d59ed8a575d4c259150202b16941753d3930f013beaea6628c9dcea67c7bf0b8810b7c87914094081f1cf23adec24f3c2cc046ff76ca

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
264KB

MD5
c02ffea05bedcb08c1948f8b3f9aa26d

SHA1
5803e238a6cd09963eaf263c03f5d5389f3f6393

SHA256
edf32635115e60697abaa15ee9a916ef10edb77aab9ccdb6457e818174f3a574

SHA512
9dcc4b1bd39d8c748c46a6f2da77138bd89b1dbb6fc25b19c9a54e8883527918da75034b277238b35aa88d6aa193d97d7147bab2cb50ee2c05a0852666dfa6c8

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
264KB

MD5
45d24e98f7b465cd98b458d567cf7f86

SHA1
7dbcf81bfa9fb8bb9156052cbbc3d49ec086aec6

SHA256
183e86202544c7ef805f70ef14314b031c9952b9e9fb18ca2e424281d3633d67

SHA512
34426b4052230523949d99306f790798bdfee5dcd35f2f868221c87c62e4b34a7701ea9da544467fdd63090b804acfc330e8d22988f75632bace2414f2b8057e

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
264KB

MD5
1ac489849216d51395bd3f342a2de274

SHA1
623d6097e13902f50dce6b312361a2ab8481ef52

SHA256
81a6c19a09c37e3890ef5a8690b7b47ee3558b80dc75dd6aafa825a0e4906803

SHA512
110fd85cd95908e28b699abb71ac8f5e9203c13a0bd367f7f9460b924c0d76353827520537c7d7d68b7de168f5f64f8b350d5c269cdd76877655b54d2539039c

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
264KB

MD5
3c6c6387a26fd3575cfc5f8356a483ae

SHA1
d4c9645c11a9ec40d57c5c518f8d8b0ad2b246f6

SHA256
6c1292caaec5c1eb07335c07c08e6747bc3f47f2b2f2fc79c75b41139f5c8064

SHA512
489b4f02bf542b83be47d5bf25798f6358f870a268c3403017cf7addf727fd6248e84cd623be3200edbab6fb22fcd7f0b34a55412cbb202c575098224e2aefd7

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
264KB

MD5
ad2b7691923f5bb6749e666bad75fe07

SHA1
d85cc43bf7918d07728a49cf056c12c7a9b44ae7

SHA256
a0af54f4c32f80d6255165937fa3d65e031a327a90ea3220de4bb9cb0499ff75

SHA512
0b171f34a56b3578ae793a64789a04845991eaa4d65cfdc93a992f5d0f4b74c2d0e084a1fedf1488dd423b023e7a3ebeb1f0e9e317566d1737d3c18220910c30

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
264KB

MD5
88f6747efd4ce58dfaca401d91f5391d

SHA1
a0413c642f40369ba33c1063de0fc279330ff352

SHA256
4495fc2387b249b54944e146e75559155d1c96922bb2418d38efdcc2282bac05

SHA512
79551d18ef73ea4590b7a97303b432e5f6c391aa07b7ee4a43c5763baf63a70adba39a5478024516b89b2860dd5531f7a577b8408f061fd3ba9c55ac0fe8223a

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
264KB

MD5
230156de192f3e3a7a717f4d299bc00c

SHA1
c3319d110d0d9ae14d6e1924d7f1b4fab0cecc78

SHA256
8f8a83771c9db0dd1fe186ee58e7fccfaa060312c61d681a581501b8c2e9cc3b

SHA512
d629b50fbc7778ee8218290cf32245650a566df223168fb42757cd65d068f61a378c597e7c3b2ac2623db60f1e2f8123e9d90ed841f78ca69d4b0eb5492ec5a5

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
264KB

MD5
281daa45d8586bec874840251a074004

SHA1
c2a90bc1c508cb86818fdfeaa4db01f611c08c6a

SHA256
e20c9592e88fae782597a09c85b3f5cd14bac1c5425d7cde71e17759d42aae91

SHA512
839b8af709984a509e3bc18d330df6560f2088dbf7d3efa8f98d30279c706f06a5109f33b5d53689952ea0950cc338b87ba32e492374419a44547376b7c8aa64

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
264KB

MD5
4bf67ba4f4417ea65fc1cc0903ae6fef

SHA1
2c394fc57034acc6714b0a6291f687634fd76d6e

SHA256
68463758d29b533648beb13447dd8de283059b3b1c48045e5f1f1a77f5140f08

SHA512
d0396eff4413c5496ecb453e29aca115f6126bb57a91e755cfec5c0ece6d7bef3f6bae6ecd11a43938d5b3d9c5a5fe6a1cdaedd23aad4bda977d7627032652e1

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
264KB

MD5
f6da301a54d3d1d8240c247e73acf0fe

SHA1
d04458a4cb827965012da7fd6807f910b8f5501b

SHA256
409220972f4d923035ecde4652e5d92c75cd01a9cc3b4f92d2e790c566b239fb

SHA512
9b73137bb972f0ba7f72d509a1791c74a3b5217fca10bd727fd393ae6037bfb3d455500cd1e1ff93f353f8109026ba7cb6c0d4d151922d67f67bfcdd33cf98a6

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
264KB

MD5
d0f4b4002f98f8d566d29858c50eb59d

SHA1
027f77e822144171896beab7667c993b6065a88a

SHA256
451429c78236d0dda6ec0b2cbdc1a01cb67868441934da9e6088d1797fc4bd10

SHA512
a526552893a8bdb7d8a34874188c6bc76d4aa440fe3c1364ae301633bd2746fe56fbc4cc371ffacb0dcc528ed160f27bb46b604cee528928f801798b2a38cffe

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
264KB

MD5
75030b3ac90031b8a8e14c21ed1bafa0

SHA1
05fa1a5f6dcf44d28792789bf174709746073010

SHA256
2d8c23df7fa97c9390b6cee783d7d403d3ac7a1e17c6f2fc5240f7bd098aae85

SHA512
283a4f14be79c377ac662bebe0b80181f93aff677809e789df29af5a9eadc467dc38d59eb82fcabcec6a598059eca677eed8949067afe3ff963171682127080c

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
264KB

MD5
f9dd63b597685b74663fd1fea43f01f2

SHA1
ff513dcafa89b76eaf666b2f5f5c885c6dd8a38f

SHA256
68a44be15f392e30c7204dfc54f598408982eab2e282545ed173bd05c66eed23

SHA512
6d4b7860135152772b96bb83bd7d94bcfeede2e4f7f11d5be83f02ccf1896a8f5beade8b046123fc5a6963a2c4b1b993d2873ec78ba0b69e2492a9f8db0ed328

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
264KB

MD5
b6d07209e02b2189951d50c23985fa6b

SHA1
9fbf5ff4c16079c2753f8374981328ebf8adf992

SHA256
cddfd8eadc204c860e67d8d0893381c636334c88913f182cd3269c7d40f1764a

SHA512
a7dbcc06122f787af516e3ac7ebe78c05bf3f4fc82568a508b6340a6769339a9f8dc0b809833f76a1b0d0f4c39f599f3cdbe4e0b5351afd3e373593869d905ca

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
264KB

MD5
9cc8b4c1004c7526b5ef6ec5c8c338c3

SHA1
5c0df2fdd978ffd8105e29085917666421de74de

SHA256
f3f65c171ce1f9cf89964d7e031a8b00af298ffbdd44b32a7a7d44c8c285b9e4

SHA512
58b6f0af8d9ff8328baff3c7917a705506a3b9086762097e067910f4ec5edbea156e62fd4580e048273c046a95c3222e2d4994f84114647ed24a8c1153c74292

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
264KB

MD5
36093b844346204b7a9a6e6f3642bd81

SHA1
baa871487c5329b030fcfeca35b55f6635d538bc

SHA256
71eb758f82e5f31d578a5021b208244b4fe4c55e9e58d318f5b44026d8afff79

SHA512
4f3f9686c8ee48709f703bbdfb066a6c031075d2edc216699978e5e15446fcdca32a558e6f8578e8cb73a53af30c34bb50434d753f5cab964a4e45625722556a

Download Submit
memory/716-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/716-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3080-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3080-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4100-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4100-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads