berbew | 703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfdd

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
Size

163KB
MD5

bbfbd68bdf0c6b9785142b8f0a59bd70
SHA1

e41991159968f81e5a6a5630c0d137b4f8b146ef
SHA256

703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfdd
SHA512

879c5be34496225b217f81cc014e98140b927026103c20e763c2adb1f27a2367693fed5b9066ed0d0f747aa830ecf813403279a1bb17f083c6876f3334739252
SSDEEP

1536:P2rV4OvXkBeAVQodKc2/NzFLYnA9lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:yUOFLYA9ltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 39 IoCs

pid	Process
4076	Ajhddjfn.exe
4568	Aabmqd32.exe
4460	Afoeiklb.exe
1860	Anfmjhmd.exe
3396	Aepefb32.exe
2264	Bnhjohkb.exe
4368	Bebblb32.exe
3480	Bganhm32.exe
1488	Bnkgeg32.exe
2332	Baicac32.exe
3660	Bjagjhnc.exe
4532	Balpgb32.exe
3620	Bgehcmmm.exe
2236	Bclhhnca.exe
2244	Bapiabak.exe
3560	Chjaol32.exe
2420	Cmgjgcgo.exe
4580	Cdabcm32.exe
1512	Cjkjpgfi.exe
512	Cdcoim32.exe
1264	Cnicfe32.exe
1772	Ceckcp32.exe
3736	Cfdhkhjj.exe
2188	Cajlhqjp.exe
2176	Cdhhdlid.exe
716	Cffdpghg.exe
524	Cnnlaehj.exe
3184	Calhnpgn.exe
2900	Dhfajjoj.exe
2552	Dopigd32.exe
5028	Dhhnpjmh.exe
392	Dobfld32.exe
4900	Dhkjej32.exe
4376	Dmgbnq32.exe
3348	Daconoae.exe
2700	Dfpgffpm.exe
3092	Daekdooc.exe
2856	Dgbdlf32.exe
8	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3704	8	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4076	4260	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe	82
PID 4260 wrote to memory of 4076	4260	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe	82
PID 4260 wrote to memory of 4076	4260	703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe	82
PID 4076 wrote to memory of 4568	4076	Ajhddjfn.exe	83
PID 4076 wrote to memory of 4568	4076	Ajhddjfn.exe	83
PID 4076 wrote to memory of 4568	4076	Ajhddjfn.exe	83
PID 4568 wrote to memory of 4460	4568	Aabmqd32.exe	84
PID 4568 wrote to memory of 4460	4568	Aabmqd32.exe	84
PID 4568 wrote to memory of 4460	4568	Aabmqd32.exe	84
PID 4460 wrote to memory of 1860	4460	Afoeiklb.exe	85
PID 4460 wrote to memory of 1860	4460	Afoeiklb.exe	85
PID 4460 wrote to memory of 1860	4460	Afoeiklb.exe	85
PID 1860 wrote to memory of 3396	1860	Anfmjhmd.exe	86
PID 1860 wrote to memory of 3396	1860	Anfmjhmd.exe	86
PID 1860 wrote to memory of 3396	1860	Anfmjhmd.exe	86
PID 3396 wrote to memory of 2264	3396	Aepefb32.exe	87
PID 3396 wrote to memory of 2264	3396	Aepefb32.exe	87
PID 3396 wrote to memory of 2264	3396	Aepefb32.exe	87
PID 2264 wrote to memory of 4368	2264	Bnhjohkb.exe	88
PID 2264 wrote to memory of 4368	2264	Bnhjohkb.exe	88
PID 2264 wrote to memory of 4368	2264	Bnhjohkb.exe	88
PID 4368 wrote to memory of 3480	4368	Bebblb32.exe	89
PID 4368 wrote to memory of 3480	4368	Bebblb32.exe	89
PID 4368 wrote to memory of 3480	4368	Bebblb32.exe	89
PID 3480 wrote to memory of 1488	3480	Bganhm32.exe	90
PID 3480 wrote to memory of 1488	3480	Bganhm32.exe	90
PID 3480 wrote to memory of 1488	3480	Bganhm32.exe	90
PID 1488 wrote to memory of 2332	1488	Bnkgeg32.exe	91
PID 1488 wrote to memory of 2332	1488	Bnkgeg32.exe	91
PID 1488 wrote to memory of 2332	1488	Bnkgeg32.exe	91
PID 2332 wrote to memory of 3660	2332	Baicac32.exe	92
PID 2332 wrote to memory of 3660	2332	Baicac32.exe	92
PID 2332 wrote to memory of 3660	2332	Baicac32.exe	92
PID 3660 wrote to memory of 4532	3660	Bjagjhnc.exe	93
PID 3660 wrote to memory of 4532	3660	Bjagjhnc.exe	93
PID 3660 wrote to memory of 4532	3660	Bjagjhnc.exe	93
PID 4532 wrote to memory of 3620	4532	Balpgb32.exe	94
PID 4532 wrote to memory of 3620	4532	Balpgb32.exe	94
PID 4532 wrote to memory of 3620	4532	Balpgb32.exe	94
PID 3620 wrote to memory of 2236	3620	Bgehcmmm.exe	95
PID 3620 wrote to memory of 2236	3620	Bgehcmmm.exe	95
PID 3620 wrote to memory of 2236	3620	Bgehcmmm.exe	95
PID 2236 wrote to memory of 2244	2236	Bclhhnca.exe	96
PID 2236 wrote to memory of 2244	2236	Bclhhnca.exe	96
PID 2236 wrote to memory of 2244	2236	Bclhhnca.exe	96
PID 2244 wrote to memory of 3560	2244	Bapiabak.exe	97
PID 2244 wrote to memory of 3560	2244	Bapiabak.exe	97
PID 2244 wrote to memory of 3560	2244	Bapiabak.exe	97
PID 3560 wrote to memory of 2420	3560	Chjaol32.exe	98
PID 3560 wrote to memory of 2420	3560	Chjaol32.exe	98
PID 3560 wrote to memory of 2420	3560	Chjaol32.exe	98
PID 2420 wrote to memory of 4580	2420	Cmgjgcgo.exe	99
PID 2420 wrote to memory of 4580	2420	Cmgjgcgo.exe	99
PID 2420 wrote to memory of 4580	2420	Cmgjgcgo.exe	99
PID 4580 wrote to memory of 1512	4580	Cdabcm32.exe	100
PID 4580 wrote to memory of 1512	4580	Cdabcm32.exe	100
PID 4580 wrote to memory of 1512	4580	Cdabcm32.exe	100
PID 1512 wrote to memory of 512	1512	Cjkjpgfi.exe	101
PID 1512 wrote to memory of 512	1512	Cjkjpgfi.exe	101
PID 1512 wrote to memory of 512	1512	Cjkjpgfi.exe	101
PID 512 wrote to memory of 1264	512	Cdcoim32.exe	102
PID 512 wrote to memory of 1264	512	Cdcoim32.exe	102
PID 512 wrote to memory of 1264	512	Cdcoim32.exe	102
PID 1264 wrote to memory of 1772	1264	Cnicfe32.exe	103

C:\Users\Admin\AppData\Local\Temp\703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe
"C:\Users\Admin\AppData\Local\Temp\703654cbb88889482bb3423b2715cc0815d2652085dff4ef591daa48601fdfddN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\SysWOW64\Ajhddjfn.exe
  C:\Windows\system32\Ajhddjfn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\Aabmqd32.exe
    C:\Windows\system32\Aabmqd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\Afoeiklb.exe
      C:\Windows\system32\Afoeiklb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 404
        41⤵
        Program crash
        
        PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 8 -ip 8
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
163KB

MD5
05b3beb7240d29857be7738b9c6b517f

SHA1
d953f76adabcd9a91169631006a148b7f80ad4d2

SHA256
5f8e885fc78290642607306214177e963f17f580f3236cad14534d459d1c5ac4

SHA512
1ecf8d8981e891eae860a0c8645814506b8bef15f98b1e0ab368bc5b26c8a6f56797bb6e89610cd0f0b5cdcdc1be1f8001639b9fec5319a38adc564dd81f574e

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
163KB

MD5
167f7b8d87e4544413bc14ca0233ac1c

SHA1
9c89b4dd2b2e8a9baa64a4bc8d190add18ea03a8

SHA256
47f05d1d3218f395f0ceeb0dd1c91259d0cf134e281970531767a5a478571065

SHA512
04130885b63abcbc179ba37997b6a7fa87596186003bf1c98d8341a26d5587a6bb8b645f2208eeb8accfffa889a386d80380de2cff9baa5d026aa2ce7aa7ba2d

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
163KB

MD5
5d312f6e9b8d6dc493f1abcb19a2629d

SHA1
664b652729aab32c65d294279368d1c6d041551c

SHA256
28c4aaa37d44ed256ccc34f81947479fc3e83b23f6aa1e91206b39762472b039

SHA512
67d20b3b83e209fc2a757482839071199e0793c8c64206259660c5dbc25c4d656b2003c28d97c304e7ce695f58abcbaca81e5c4ae9c012334babec7bac8818a1

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
163KB

MD5
6242a0f56a881dd8ddf4eaea1d8af1d6

SHA1
608e05e5685436cf77ca680f048c9b4d6905e676

SHA256
9298bedb333d131effef55dfa1fdd8e06bbcd34a4751c8c23827cb1dfc7b0670

SHA512
897b239e5a24345a1b700bc9e53211e2cc9002caa839c00c5afebf72d465a4d5983d05ff66a832b8d5d4c753da4f146f129f8c12327ee79c5d3e936949d396cd

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
163KB

MD5
a721c43ac0f8d9d87022b9e8ca9de4ea

SHA1
6b7a0e80fb0fd061cd0b826745a5b984693f4a58

SHA256
72025211068adb13d237775205644bc0da383182594a6e2b18c58adb1155d444

SHA512
12d7806083d626a26896f938bc3e1ed96b27cfb83e5c73a519cad8707c195105ae54930457756bdd293b242b6829b64b25859aec9152b2de571c3019eb32d188

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
163KB

MD5
d22fc9677a0e134de8fd7362975a5848

SHA1
29d6764d1e0b65e73b6685f1af92a6ef409d473a

SHA256
e0c13cd2819b48139dfffcf2c76553e2385b47af0eab79211f8eb7a5c1f419b5

SHA512
2112a6a8a9757560043b5f222a94b7ec8482ed94523101bbe7497e669c60f92f404bca94291a503ea0bc53b25ce6eabb2b6a7302c4196709aca03cde6a5cad66

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
163KB

MD5
d990721d4280098574e468c5455b8bdd

SHA1
456c730e3d290c5c4b2141393568579326eb4bbb

SHA256
7b9eda370b34532ca23c752ad916cbf10cede8f66cac73fb056c1ea0f98e0f21

SHA512
39c307bfd47768f74b5c403ea5eb596db2d418edeb00238770d1cdfc872ca78b6778c95ee7ac6a8a921de290354196fe6e875976fea617938905f3ae238e8fc6

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
163KB

MD5
49faeb2faafd21c193141bfd6ec29fe6

SHA1
769d18085cc5d6b5bf0b9209256386595925c19c

SHA256
56dba438cbbe5f31746f8b3661c7d68442ba4a0e89954c448e953723465d47ce

SHA512
28dfa51bf7b38f3a7f627079534cc26b2a7fa74865ac7a5f969cc4985125a8aefa73f793d52c83f11baf79bdd0d25012903702ecf7d992ef362c7917c264cb35

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
163KB

MD5
90e70dea281fca0970981ec1a8019a0b

SHA1
d4983efda2eb65a640feb5c5bfd1c6410b5e6098

SHA256
a25c6b5348dad4e5c7e99364c1c0f1b8736e1419089dfd00b07d5475c668a356

SHA512
4114b9bdd1b06380eba612c557ab6b57384b83c0fea8c94ca391f64b4758e5803a139f61d1fe1d6c557dd7a9898804dcd5f83449e74ffc0679a1b01f45215947

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
163KB

MD5
c27d646550cd7a821124d4539f94c5c8

SHA1
4e05a40caa1e39d5b9891fdd1c2a4c60ed2bf3be

SHA256
53d42e1a4b286edf925202a4b3d8ddc0602affde1666bf422df1033d6bd72315

SHA512
4c3c871a45bf4d667ff9c997230e29b862ccd56ab2e784cde30c0171904e5bfa513de1a235e3897f5f25e758b0a830fcc49eca2882bd6f66f752e316ef39bb72

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
163KB

MD5
1201c841de2afc7ffb03d5d4f6815b2d

SHA1
75c6a1163f2579a1e35a7637494c12095bbb05c1

SHA256
8c39a492490c8b03b8a9c00f600eeceaa149b86ad331a4207b7bde7a094eab41

SHA512
8830afeea4ad603d10c2c7f8ffce91c548ea5850d82ce3676d6b8c5378a7184f92fd948aff6012ce55665369402d444f1c03146268886550a9329da7efcc6775

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
163KB

MD5
40ece8f14713c5ca8bf490e8bf878e85

SHA1
6769f717865fadd6c184736f4d40a9e7f0b3d156

SHA256
dd9499de9f17725b98c12814839be56998a2d4f561c717eccf9bd98ec5f9e9ea

SHA512
01c0fdb9b07410734aee209167fd07ffb634e351288de7e712caa3162d472733c8609d0de28811f34454b62fbad4e7fcbde0fab6a8c4358c867901fba0530b5b

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
163KB

MD5
09c643dda39402a26f100ace31841e9d

SHA1
88e3b2a5ccb7da7a2cd0bca530bf307acfbf3a80

SHA256
f9cbfba67ade2d18107c5cb6524d59cd86791dcdbb82f5c2e4b9433e1aef97bc

SHA512
41bab8a173a8cc75f537aafd67fc5e577e451a47dfee320f8f9835cfad2a4a70a208b8527d118ec73625ca5b9efcf79f815087edb4a82a368f12f7684e94cdbf

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
163KB

MD5
0155d3d110a7e3dc7b06888f34aa69d4

SHA1
fb54a88afec71e40df1b612751162ae45078dd7c

SHA256
1778f6393abc90dc8168b232e203c2db5fb2df283b6da91585f498838ee5afe4

SHA512
00825c301ab70537e22c54a4776cac7b150914d7bf83ba6b0ef2427be00287f78504d5465fef1a828fcff6df0d9fccd7cf86d35d98f2fdf90ada8dead20c9156

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
163KB

MD5
cc488a6478e4d858ec83906b0136c199

SHA1
c94ea3880a337bc0fc8cbbf82644726bada7711b

SHA256
a32892fb6f011d0e913143bb9d13cba119ecdf59923e6d73299ee135d68ffbdb

SHA512
e5734c8fa13c89640365463eedcb214db59c3bd9ba2d93ffe76807d5d9d21572be82107fa03552b389e664448eca0b1c221ab03d8e7e7b53d751687f8cf05ab7

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
163KB

MD5
aa4159f3f22da16454209cce45412a5f

SHA1
c054f0330c5f60ba0d3bb8388c0bbedb1a29118f

SHA256
d9ed535bee6d18c94004c5a5809c88aedc56c961543e8921b9eee83fc2a33d29

SHA512
307a189a61e09e1eafd6b1e112c48253fb546c367fd6746f206a98bb59514631760b693d6a987e70c69021f305f8c013b90e5f3138cd5bbbbe6e9fecd7ef5430

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
163KB

MD5
65603d5c22974d60674c0c8f20e37aca

SHA1
0db72bb2db0a9bc08c13811e7ac9f2f01bf541a0

SHA256
440a34240fc3dbc0a1e09895ca7d48e706d22b96afda0d64b6e2057b37cc5870

SHA512
df8e901888c62df96587865b38e9a96e456b0aa42994f26843c41218590b5825faa64d97b3606b618ead85394bdf1e15305f2cbb45d14986bfd12e2a446452c7

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
163KB

MD5
fc7be9703f1d507c37377af8897b344a

SHA1
187c1e8c202db12327319470be8075c00b78b6bf

SHA256
25dd7dc1137ee7b859e6791d9beccd9ec0097b500fc6aed27fdf11636fd54006

SHA512
adb53e79f1108927116852e29fb949537a180b41d5029546ac903497a0518c73ae39bb91f1551bbf086401cfcdc999fe83b8e0e67169301ebca9b70c2fc9af7a

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
163KB

MD5
9689b71e84458bf1ba99d066ea6e757d

SHA1
2d7fc034d5fba2d23c2cf5771f60e8145d4ded94

SHA256
2e7d506b0cbb3bebfd51a30ae23590c32392bafe7e48f2328a075ff205f3ce78

SHA512
8606b556fd5cf031da334a24651a5face6a9cbdd7de027e36d2521977ae1d94b68e6ce635577a50e3f852383e424c409ab089cdb86e0c3df8483b4f21644b4c7

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
163KB

MD5
cd393a41d9244d21221be60076a7a224

SHA1
b0544ca51b9db3eb09156ca19b1c5a69d95f8ac3

SHA256
0c7268c586feaeeb2722a693d80d550156a44d655bc697ddcbe8516f935bdb17

SHA512
6959a9e7c784e69f2d6b2243580a70f007b86736acaf8282ecca908d36db7c6ce43e5cdc352c64904a10ac78b00b38cfa62d8723dbcab46fdd1c37f4e5f787fb

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
163KB

MD5
84cd64e67e0a54ddaa9aef32366ac83d

SHA1
1311121f7f2b9b625f601bf43ffab9dde56d73f4

SHA256
92bfc38c686f7c6679119e550823271d7a754ef58e6193a49cdfb18e349a99a5

SHA512
801217806f56400887935e2e0ed79dbc07c23eeaa9179822ce3192abdf9e53edc988855497d6f94b6eac135d7c14d6a51058bb5c9994540cf51ed0da4a6c933e

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
163KB

MD5
b6aef0816101a7b47e35f7e5a3758367

SHA1
5d3989111968390cca8cbb8178ebc3888468a795

SHA256
a868886f84fa0cf8112473b40a42b4537692064db61d39016072b8c5c9db80ae

SHA512
e01d473b4f5c91b19246692e1794822755808e88d32a54d68c67eca97d9dc1a0aa67ec563b23710b96f2fef0b8136771cee5acfcba60438e3e87c1b3d358d374

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
163KB

MD5
b3832fb6af7f6838992cf11bccf5963d

SHA1
215a2c49cb63eb1cad67c6228e6fd6fad1416d49

SHA256
de2c8570b029ae0189f6a758796da8145968c5aff64b363a4fddabb2e385f0ab

SHA512
5e20af0aee99b29ed892d8180f124b99ea3e5f89cebb24497d5d7c8f9f48e01afb9a83303aead09f436250a4dea123a73330dc2683d24dbb9f4db00e5da767c5

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
163KB

MD5
9beaa8a146d78a09fdbef9e48319bf5e

SHA1
4ce17623990944e2903e25abbbc858575b70621d

SHA256
a90e2c99f4d0e0deff3bcb07b29a2f9ad3fb0cc2a0e0718590d702c3976e3ea4

SHA512
51c4fb63cddd36ccd0cb4ba8fd05b2557f8608fedd5706648a76c5196054b7cd20c04d1af1ef4b83ad729e8866979cc027fc473abdda36e68ce4c413d2635198

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
163KB

MD5
8155598729b88151307587fb129da5c5

SHA1
2678865067ffdc5f1c7b2414013fa5d44d69c633

SHA256
624a2e474f16b130f36939f80c7aaa623abc6e6203c2d301330efc1396e8324c

SHA512
bae2f40cf61144a90ad83a136838e38b02a7060fb59dffabb4627b8119fabf2737e94219043cab663163c887a3c1874e6e0d7e4c3d0a088f17cd6e102d2a99f4

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
163KB

MD5
6b1a569c86d3462e49a1cecea041bf12

SHA1
65ca2ebbe04a872beb63aa4ba87a0bf385e81168

SHA256
22475e0fe0cfd9c20f4456eff1baa586dd8de1c54089c497603f7b77603a7cd8

SHA512
b68bbb75e609e6e104a7384880aa8f66507fbc9dc9aeb8d54b2e3cb592dc9601d63322830e3213fdacea6be0e41dd2bf722674cbb6a16b9f707bbcef92efc873

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
163KB

MD5
ebb0f6746472de64a0bc2a34c669f585

SHA1
ec9396e8a66f1873aa8ec3b4fe2e9b09f6e156e4

SHA256
c3079ff2de0ac45362e83d21fe9077026d40815056d215abc1582c9735375ca1

SHA512
0c6e6cf73cab6e765c2e8997331e538bc41f9bf450a03e70b7be3a45a2e44ded8a34b9ddb383f92e04754e8286487f64253932541968d41745d1e82b0b621672

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
163KB

MD5
75373bb7a36f1e58cc12f2d973afb5c1

SHA1
5f9c1e3507b0fa583f2c2ec5226eda1aae4169c9

SHA256
912f934c0c3681fcecbd06cae714ddfbcf9216e48f9d0d2ce4566d8969298df9

SHA512
e11860614b614c923e119c5e5bafe86c8a0f0e78bee1c471975dda371ed0236ce9800e7e3e7c79083caf53677433bc7abc46d2dd98c0cbc3735f1d4cfc666379

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
163KB

MD5
3ee00ff21c68aeaf69b58482410f2d33

SHA1
c292a5597efcfb57d347c19ce45dea1b310f9512

SHA256
a2a10e11d1b39c1cda9f72339df42272cad7cf9d19a6e34d2a98161c78dacd4f

SHA512
f5e6b5cb8a2c8cb812c067248eb5ea571e99c62490ebd7c1160ec8a7419df34eb3144613175a3e8ed09c1c33180048b46d196df9b53361948ac4e00bec7b83f6

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
163KB

MD5
fef36d336e540f2b74f2926c853cacf6

SHA1
64b3c5c68f49394c39fab0d930d849d06dec9701

SHA256
8ecad135668d44e7995db9920c3e5a6c0d6d2d0be42c4a5a11a5afedfdf0fc28

SHA512
86c03ee6bd7b8091cf9a2925868d3c16713fc701277621125eb985282dbdcf1ed7ea7f494b933368a55cbe6fbb9ee96bd05c435094c68ad6771ae501acf96483

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
163KB

MD5
536898eac627220beb73716ab5a31011

SHA1
26ff5561332ff6a284f65a3fb385cd3c5c4846fa

SHA256
f43712f04214a0d9fad9683d0622838ceccf4657fa6b275cbf6d70ee5d553e71

SHA512
da2dbae6fd189cb1484e13965febc5e8428c830a4491b38420fb56edaaa2b470eaaa1f97e0549b8818c900324da6a0d84743489c1693bad1365acb541a5535ab

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
163KB

MD5
7ea795f5ae1603cd6ef71148ea853e0c

SHA1
99411e2803380512bd590299b0aa0bb436cf28a5

SHA256
35e3a04a2778c0e2c7fce530ef31786e7797151b48de995a93c64b4fe77204ff

SHA512
6f46073f77fb2621fafadbc0e8957ede37094c829c8b85bc5d79264247865fe88649e59bc5d45c3e6c3df580eb647bf7470c125c01fc96dd397868c79e5b46a4

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
163KB

MD5
b4f23c77faeff0b1f91bc3c811a7a524

SHA1
29a6c51778032e730dad1135741f7f97d5f598df

SHA256
6cd3319c6e5a8a15291697c48486f8cca761815879701920aeb532804412ae08

SHA512
9722a85624f5dfa86f031d2788b47bc593e5e4a027f1a3e16c794834756fcccb5401a87383234cd099fb648d22d7f468c1b1d256486556a99e0c5d21c79fdaf7

Download Submit
memory/8-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/392-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/392-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/512-338-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/512-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/524-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/524-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/716-326-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/716-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1264-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1264-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1488-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1488-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1512-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1512-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1772-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1772-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1860-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1860-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2176-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2176-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2188-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2188-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2244-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2244-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2264-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2264-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2420-344-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2420-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2552-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2552-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2700-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2700-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2900-320-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2900-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3092-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3092-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3184-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3184-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3348-278-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3348-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3396-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3396-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3480-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3480-362-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3560-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3560-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3620-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3620-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3660-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3660-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3736-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3736-332-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4076-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4076-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4260-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4260-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4260-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4368-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4460-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4460-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4532-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4532-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4568-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4568-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4580-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4580-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4900-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4900-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads