berbew | 0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 04:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe
Size

89KB
MD5

b2c1019f9b878ce0d08a2718f15da610
SHA1

d2920d4e5692d8df4dba2855a653df355c3c1ae4
SHA256

0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592
SHA512

941cc42930c58d0c8427213a7de68e180ab0fe3b1398b535da1a8bd599f0e3235a7cacbe4cdc8c5172f06a304c598e8595ff07d597f846c133b3a9a50b2fc79e
SSDEEP

1536:H+7TjyRB4+shF+6S2FcjdwLhNiEXLaa7SId3rj3KARQJR+KRFR3RzR1URJrCiuip:2Tj+4adwT7XLatIVrj3KAeJjb5ZXUf2k

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 40 IoCs

pid	Process
4920	Aqppkd32.exe
1724	Afmhck32.exe
2564	Andqdh32.exe
4776	Amgapeea.exe
1388	Aglemn32.exe
564	Afoeiklb.exe
2160	Aminee32.exe
4392	Accfbokl.exe
4484	Bjmnoi32.exe
736	Bmkjkd32.exe
3632	Bganhm32.exe
1476	Bjokdipf.exe
3544	Bmngqdpj.exe
5056	Beeoaapl.exe
544	Bffkij32.exe
1572	Bjagjhnc.exe
2696	Bcjlcn32.exe
3204	Bjddphlq.exe
2652	Banllbdn.exe
1208	Bhhdil32.exe
440	Bnbmefbg.exe
4084	Chjaol32.exe
3556	Cenahpha.exe
2172	Cdabcm32.exe
4460	Cjkjpgfi.exe
3848	Chokikeb.exe
4976	Cagobalc.exe
3440	Cjpckf32.exe
2124	Cffdpghg.exe
2840	Dhfajjoj.exe
3656	Dopigd32.exe
3948	Ddmaok32.exe
1164	Djgjlelk.exe
396	Daqbip32.exe
4480	Dhkjej32.exe
1140	Daconoae.exe
4840	Dhmgki32.exe
2196	Dmjocp32.exe
2164	Dknpmdfc.exe
1944	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1416	1944	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4920	2540	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe	82
PID 2540 wrote to memory of 4920	2540	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe	82
PID 2540 wrote to memory of 4920	2540	0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe	82
PID 4920 wrote to memory of 1724	4920	Aqppkd32.exe	83
PID 4920 wrote to memory of 1724	4920	Aqppkd32.exe	83
PID 4920 wrote to memory of 1724	4920	Aqppkd32.exe	83
PID 1724 wrote to memory of 2564	1724	Afmhck32.exe	84
PID 1724 wrote to memory of 2564	1724	Afmhck32.exe	84
PID 1724 wrote to memory of 2564	1724	Afmhck32.exe	84
PID 2564 wrote to memory of 4776	2564	Andqdh32.exe	85
PID 2564 wrote to memory of 4776	2564	Andqdh32.exe	85
PID 2564 wrote to memory of 4776	2564	Andqdh32.exe	85
PID 4776 wrote to memory of 1388	4776	Amgapeea.exe	86
PID 4776 wrote to memory of 1388	4776	Amgapeea.exe	86
PID 4776 wrote to memory of 1388	4776	Amgapeea.exe	86
PID 1388 wrote to memory of 564	1388	Aglemn32.exe	87
PID 1388 wrote to memory of 564	1388	Aglemn32.exe	87
PID 1388 wrote to memory of 564	1388	Aglemn32.exe	87
PID 564 wrote to memory of 2160	564	Afoeiklb.exe	88
PID 564 wrote to memory of 2160	564	Afoeiklb.exe	88
PID 564 wrote to memory of 2160	564	Afoeiklb.exe	88
PID 2160 wrote to memory of 4392	2160	Aminee32.exe	89
PID 2160 wrote to memory of 4392	2160	Aminee32.exe	89
PID 2160 wrote to memory of 4392	2160	Aminee32.exe	89
PID 4392 wrote to memory of 4484	4392	Accfbokl.exe	90
PID 4392 wrote to memory of 4484	4392	Accfbokl.exe	90
PID 4392 wrote to memory of 4484	4392	Accfbokl.exe	90
PID 4484 wrote to memory of 736	4484	Bjmnoi32.exe	91
PID 4484 wrote to memory of 736	4484	Bjmnoi32.exe	91
PID 4484 wrote to memory of 736	4484	Bjmnoi32.exe	91
PID 736 wrote to memory of 3632	736	Bmkjkd32.exe	92
PID 736 wrote to memory of 3632	736	Bmkjkd32.exe	92
PID 736 wrote to memory of 3632	736	Bmkjkd32.exe	92
PID 3632 wrote to memory of 1476	3632	Bganhm32.exe	93
PID 3632 wrote to memory of 1476	3632	Bganhm32.exe	93
PID 3632 wrote to memory of 1476	3632	Bganhm32.exe	93
PID 1476 wrote to memory of 3544	1476	Bjokdipf.exe	94
PID 1476 wrote to memory of 3544	1476	Bjokdipf.exe	94
PID 1476 wrote to memory of 3544	1476	Bjokdipf.exe	94
PID 3544 wrote to memory of 5056	3544	Bmngqdpj.exe	95
PID 3544 wrote to memory of 5056	3544	Bmngqdpj.exe	95
PID 3544 wrote to memory of 5056	3544	Bmngqdpj.exe	95
PID 5056 wrote to memory of 544	5056	Beeoaapl.exe	96
PID 5056 wrote to memory of 544	5056	Beeoaapl.exe	96
PID 5056 wrote to memory of 544	5056	Beeoaapl.exe	96
PID 544 wrote to memory of 1572	544	Bffkij32.exe	97
PID 544 wrote to memory of 1572	544	Bffkij32.exe	97
PID 544 wrote to memory of 1572	544	Bffkij32.exe	97
PID 1572 wrote to memory of 2696	1572	Bjagjhnc.exe	98
PID 1572 wrote to memory of 2696	1572	Bjagjhnc.exe	98
PID 1572 wrote to memory of 2696	1572	Bjagjhnc.exe	98
PID 2696 wrote to memory of 3204	2696	Bcjlcn32.exe	99
PID 2696 wrote to memory of 3204	2696	Bcjlcn32.exe	99
PID 2696 wrote to memory of 3204	2696	Bcjlcn32.exe	99
PID 3204 wrote to memory of 2652	3204	Bjddphlq.exe	100
PID 3204 wrote to memory of 2652	3204	Bjddphlq.exe	100
PID 3204 wrote to memory of 2652	3204	Bjddphlq.exe	100
PID 2652 wrote to memory of 1208	2652	Banllbdn.exe	101
PID 2652 wrote to memory of 1208	2652	Banllbdn.exe	101
PID 2652 wrote to memory of 1208	2652	Banllbdn.exe	101
PID 1208 wrote to memory of 440	1208	Bhhdil32.exe	102
PID 1208 wrote to memory of 440	1208	Bhhdil32.exe	102
PID 1208 wrote to memory of 440	1208	Bhhdil32.exe	102
PID 440 wrote to memory of 4084	440	Bnbmefbg.exe	103

C:\Users\Admin\AppData\Local\Temp\0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe
"C:\Users\Admin\AppData\Local\Temp\0007990c90c8f0657076d2f248c507c9fc8e9d8d762e22080f12ba360cedf592N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\Aqppkd32.exe
  C:\Windows\system32\Aqppkd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\Afmhck32.exe
    C:\Windows\system32\Afmhck32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\Andqdh32.exe
      C:\Windows\system32\Andqdh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 228
        42⤵
        Program crash
        
        PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1944 -ip 1944
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
89KB

MD5
765010cac57d4bdfe38b608c4fdc15b0

SHA1
c5179272ba8d8744aa71d97d0410e973ccf739a8

SHA256
9d1727b60a1edaa7b97b6de182ee759a0579c745cf88494d62596abc2de16de2

SHA512
ce53f58126ebb52d3fe3fc7181b439400d29c1d39cacd7931710febf018d7662b1738d354beeb5dc7f66164729988144195d1d5fd41c8b89f457862915f258b9

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
89KB

MD5
3303ca4e8d3070b3d9a48a6cd023243a

SHA1
0b85879c5d75b108f3f525d299bc21eb18d425e4

SHA256
292644c6bbab8db7c3b9bcdfa1aa786b91c8a34fe7d58235c5ae05bdec7eed29

SHA512
630d895aca603fd5877f5633abe0fead8ea6a040657ae004860d3997ac9e80759918bc2111355ee32c12a52560d5b439a96d4c499ea17a2db770327151f12284

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
89KB

MD5
e52ac93df6eb50331c6643f407d0a528

SHA1
c41044814b6f10a1a86d69d90cb66786767b15e9

SHA256
231b792f69251326a5373d9922affbd136127121f0369ec2fb145413a43a7c4b

SHA512
fa73d9143fa13fa6f3a01a0bce18551ae09a72b0148db569aa19dabd0a813e7c8670527401b3befba79c47d3b9550c6ad59580707c70de1db5ca3d2aac2a9b0e

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
89KB

MD5
9d00753c343d518e6d8375fdc76f03aa

SHA1
81d1a296189bb432540d713291cc369f7735b46c

SHA256
1711fc779c73d600ba514468bb669ff51bffa181640c656d1fff277cd54251fb

SHA512
fa8728a033502bc72970cd1d82d0287bc388ed41e13b8388fe527fb9cb9c1fb610403c5cf7d2774e8a303dc9e2297e803366c38f2fc28660e89281e5a2fac345

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
89KB

MD5
a852be166dcab20bde1b51a9b9f0aa0a

SHA1
13a2207170c7920c5e6595dc929ea4a98cea242e

SHA256
b407d531cc7bee06e1eb0518474d0974362a7a1d0b5a8eca09785dbffeebfbd6

SHA512
462a19851368a5b02e8e483c1acd0fb232d90fde2aabc5f443c0dab17425e7ba5bf7aba52784018c343862aad0829dcafaa90e6027009b6b8bf72e45aea3235d

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
89KB

MD5
7f5f35d9d1c2e014d3917e5122403aa2

SHA1
ecf5bafed89943dd5df5918dbb5ce8466cb34dff

SHA256
d40aeb7a05e57fd5582d89cbfc12d6a49fc985be4c0fb1cdf2499ee902cafec2

SHA512
2bf5a3ed9fa977ff31f09c7f83fb61c5f5dd9dcfca81ed3a1bfa1c464f6f84ed879965658dbfd6cb9f78e50f2e1854b4ed64a9f21d3ae9bc5cfa8fd36e8b0bd4

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
89KB

MD5
16e256abb2639ec709936a275bcb5bd4

SHA1
ee40864e1ebc5399c5a891660dd2e83b5b075b09

SHA256
ef455f86a5245fe8cde5dd64736e0810adaa3b10ce2f8851619cf133ff7187d7

SHA512
de4fa0a75baadc02768448c04fa88e37f9e3dfbd61be8468b1a4611bdb2873456ec5eb2070318939163688369708465880f026afc7f5e35cca1c4495b33eb2b0

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
89KB

MD5
c970ff76c3073cdfd3fd6672fdfa1f10

SHA1
1c68edb91cf83207fcf866e2286459dbf4f9fd81

SHA256
d2177f2909b19fc90c06ff329dd15c376f37fcc5fbe212d13a1c3563bbbf4024

SHA512
20dcda8c8eb873bee8cf76441d4709b33cef00d6563c6fe47b90ce888d94121a6f919f1f449f6d2384b2bbdcac2fcf56da3c843d7a2b218d3dac9fee0660bdcf

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
89KB

MD5
e7440e82837a654d8214a95b4e1a837f

SHA1
72ece467bf49954d1c2838c6f9f90f20d13c92c6

SHA256
f8b58144c6240ce495bb5046f6cbf1ae5f90e0e7f8fff6ac3ba543430bf1d35c

SHA512
6280e94245ee0e60ae5b5868e48c2eb81cf449b10d4418733e313f9ccf4b73330c3814cce1202c632446a911d8d97db2d6de2bb92c8652ce358ed7370f0d6506

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
89KB

MD5
fb410705555bfd080adffc24f3e99907

SHA1
525348b7943fc9aee28acf5956ca7e6b08c79b70

SHA256
48e780376bcc853abd576ba67cd53ba4664155c6f9fdce69b27d19f26812bc6d

SHA512
2193e07f49e9410d06e9ba7d54f6010872b8050ee86dec695f0ff25ddc420dfd5287938d2ecd8036228f047df111809bdd02008d3971ef5678ca131f8c5c390f

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
89KB

MD5
3aa72f5dd9355f5e2e0e2bf29c49a447

SHA1
6de68cffb1b854d324363e2a279a28d2abaeb01f

SHA256
2ed0309a9b1faf20e581954a57c93ec2c97adf7afea8b71de9851f98f8447378

SHA512
d022e17b8d4e685c25c9c99bfa9a441e03185a9d78a9602c8326259f7b36b40951e9c175aa1ea6042ebc29ac1b45fd82c3c84b1899b4aec9011ad7550a174985

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
89KB

MD5
cf2071fea7479cf0dcc691286d832dfa

SHA1
72de129dd1b202790568aedc162a1a3c8b2c3f5c

SHA256
75c660df1cb7479e6175567e501661af2e8dbe0724b2d3a2d792b2bb7019de19

SHA512
8c01c7f8cbb90ca67ffaa3c8448c8a42a1ef9479ec2bdbb30d8fd70db443e5d18824651e26a056be24f280a2e5658ff112685cf532c45fc484bd7d7559bf7af8

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
89KB

MD5
6eddd0fe79760d54eca8faa11e2ab31f

SHA1
624c4174d992752d4e2e7be2ad922121b59c5495

SHA256
3337d6464b5ea1a6f168ed99962b791b25d9b3837ea25796687d6a7236a163fc

SHA512
cdb4b4cbe517e3fd9897254184d5ba40e1dd0ad3505958db7d2fd0411d6d960227e7fee82fde9f5ddd1512f71502838c88b6acc4bfe809bdbb1bde52748e398a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
89KB

MD5
f9ec07fd8387ad34d441e343118137f3

SHA1
9a2888851f18a27160f8f13035c0d1a4571e9151

SHA256
0e1d1986559d33d0373d2f309a17e9dd768a2f4e4b6a56f3f4eacb8d3284ecb4

SHA512
c8ad440d6c3e02305b06c55bd2721cf99433e07c60fc574a5ccd600a0271e79b86ad34e1ee60a03f9456a0bb40d953a694fa2e3292cf87ab374b62cf1e750371

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
89KB

MD5
657172911e27ba5f90a837bd37a42fe2

SHA1
fb2d45615b1aad463118bff9876c8743b383431e

SHA256
e106604103036a56eff480eff27750573d6c5ceee7496e23db6ba91e8d4572dc

SHA512
08758c435d1636d56fbdfdf487c0e80d9dbc6db44ff8d5970c9e925b3c0be30883de7b666f32d4bec361f47e1118593841b1636f9059bf7524ca81cd601632a4

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
89KB

MD5
4e7d7ec7144cf19387e736432c49342f

SHA1
c54f5cbade8492d776f08d9b8323a625f01e2a34

SHA256
837709031acd332d3d26db116863c75296fe307395343692d5a37209ced8b565

SHA512
6a9ae9719ded6a18d71bf8814c558afb3b846c6a271901f6c99264ed2c76e81f5d6e931b2e927488b9d3c45c667311f75cb315d791df0726c00435dc565d0f94

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
89KB

MD5
6071901f9bb0537e8b3934178d166a74

SHA1
9214fc99f1cd01c5de431b5d357d7bd19ee0eaf8

SHA256
83a90c9c57c2d3dfc8a4b9260cdf0916d3600961af38f96dbc09de76222d24bd

SHA512
2d4df5d4a429f02a2eef2d888ead69916885e1d31beb6ac49499f8bd276bd012561116c7caea86af6dafb6656b2562bf254797903c23d86a40461966f5664975

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
89KB

MD5
56ce501f6bc7d6116a43cf3f016dfeba

SHA1
86f7e27515c95d793af5bf2a592b2eaa80bddf97

SHA256
2a14e63946e015f5ffd0fb22c9ae344a480d08ead2cc8db10b4e01ae34641447

SHA512
839c56d752de7b8eb2a29ded13c602687cbfd539fd047330550c16056fd2a56507055bc7acddbf16550ecc120cda18ba2cb5803be73a5fc83b83ae4efac6e1a5

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
89KB

MD5
b221f788184d9a732093d2cb8704f108

SHA1
767a6dbbbd9a1c34d2ebd663fa302d8de452527e

SHA256
7431d98ac82682b022e4ed1094e0a10d0ead693592c16c0ff91631bd66dbabc9

SHA512
2618fc5ffd94022f8ffe14370b4722d374e289dab619534f52eb0d1085fd5a7b9b7f4032b2b43574389079a373fc2e777dd8df82b55d9133b0da75aef6c76107

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
89KB

MD5
62d97e858029c8bf72b4b8afc2eb80b0

SHA1
26020f3aa90e406c536c4bffc5400737d34e777f

SHA256
4a209b4a974da4a32b52826b02c34835d0d18d052bf4fba71cbd636e383f9d14

SHA512
620efd1a7077b96fce2e21a28dc5076b33cd9e3a21a39a8f576ce961945dc2dde49f11646b893d17277c76773e2de6355b7199e58373f41fb2e1327e33370300

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
89KB

MD5
1eadabfaf722b98bafa6dcd15aaaea4f

SHA1
16a89fdf09fb95a5a2d042c517254466ba21562b

SHA256
f88f46c26ed2c13b2437e8baab60a6230140dd741fc8a5903ca3d81e76047dd6

SHA512
f116a8211e7a581d332f3fffab86e8bc276f55e6674c2ae104aebdad17bafdcb9f143e8bacd6e4cd13c605dddc6cde2b45590b6bd777d459240fe7f7511040aa

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
89KB

MD5
9215f5aada83eee0f5bb0d2f337ba013

SHA1
7a5fe90e84b33a96bd2dfa55c9dca111ece76d5c

SHA256
2fb59feaff4f05f31bd88b5d45719d708b08b3782ce415c47085014c88bbcda0

SHA512
821c7697c28250426053751c681fe0da418fc2f09c22aa64dd7adb0aca8651039d6fe4c8c315e6c615143888780bee568ae5c25585a21100633d0952c38ef69d

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
89KB

MD5
da32429b792328660ea74229dabf34d7

SHA1
f88b17e95ebfe9a771c11f6387855a1e3f99b327

SHA256
8cfe658a0c37f23658f8ee04f012ea85026de7d365305ec3a5b180281b60bba5

SHA512
7b180483822f843ecbecd732d219be474788c91c6a8e10bc86ae331f441353f730bed51e6784fca87715e6f053f512662430a3e2457aa5ad8cb46d87c06ec523

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
89KB

MD5
c0615416ef4a143e31f9f1ebcd1f6754

SHA1
d677b44e3fae5a754c41521a9eaebd0273ce88b4

SHA256
27a61c5c2c67f7ba1e9855024251ef563bbb73b6dd89d3cb3bc16e7b3276dd5b

SHA512
61be2e2b102536c10180ce5014e30b3b809985dc5a28d6a84a33cd366877cecdd381bd3089ec3db6fbad75aaa99d45143a415876f229b9b5a9430380275f782b

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
89KB

MD5
e5d2c87b019de13fc009f19f71be4d33

SHA1
c50539a3b7b6ad81f1fcae4a5dc5b3ae62ccf1f6

SHA256
f23e9176495b27456cf07b493149e1ef957369c8d4162405e87bfe943fab7d8e

SHA512
e0e9c7b02c6f856811c2c766149a9d705b5d56680020441fb98e447932e20f65e90c54444d6434a23bba4068fea72990ece6b16f0acc273001c390ba2e1bed8e

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
89KB

MD5
7a781b97dd67f2fc5bef5e90a022fd5c

SHA1
bfe2c2d1ed809af46b8f35219532f472ecebda5e

SHA256
79be64a3fe1f817ae26f698ab4752fceaf32678bc3fd61a6edee3460de28c8bd

SHA512
ede6badc02ed60a859690b7bf82209b502fbbf300a278eafa5d914b99affcbcf8d7b1edda59f8fb08c25a389a539598414afc4e3e35eed8213ef8ee5ad339ac0

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
89KB

MD5
2232865e11eaeacec1ad39f71fcc7e72

SHA1
2ba4e08a6391eceae49cfbf8e06f103d562caadf

SHA256
ce50287939e9dd7d51d6a51b71bded47933b2e9adb7aeaaca98f16ab167e9c3f

SHA512
ef511210538b417fa743481d24496a8312cb8a6def095f7df059206feeae04aec37a4b703a3a3f1eb3a981b1d80154b43a2b4870c345f62c61063b0d9391ee59

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
89KB

MD5
c6698ffc1f6583d1d60688f6a215447c

SHA1
036fd40dfc1561dfc534a4f4a2abf48634caa78e

SHA256
4a8900df1fb343b22e3acaa4a3285c9f2a93cd15e0f3216536afdd521a494bbc

SHA512
0d2c820779e3fd8cfa4a5a0a6fd48a836f6bfa86f917d2cd32ab107f9fc8b7c276a8b8dedc391306915015b000d0a49758ea1faabe7d10fbb2e6a30d54bec70b

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
89KB

MD5
37bfc1be2079bdff9e0c426825e3637d

SHA1
0840c4af6ec71f877d082556c1af78d3054da7e7

SHA256
37c68625e23fbac577db8f66f674f0696d2886b582048f43d4df5ad8145ccf73

SHA512
35ea17536f1721f5d16dde4ad6abf896824db565f7933b57397a45a9cdae33441369771828e1e5e73a78f7231dda7f7c12a45afad51eb05609bf65807c14e02c

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
89KB

MD5
961aa76f13d62bc3a415ff3bf870e7b2

SHA1
8ffe210acaea040a5f4fe536424c38b0b0504b45

SHA256
5decc31b9eb0fd47fd68cee6d8ea40bf6c9f847db7046ba1c5f3710dd641fa94

SHA512
a49bee769e36f73291602e07f4f5fdc1278a9ce6045761afb5e8d3e3e6f440c1825b67642df02cae20a2e01d1c9997243e42f0663a9f9e6a0943ff7c2654a117

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
89KB

MD5
793e32458500b9606ae3ec77de9e4c17

SHA1
7655bfba06c039411846fe169dba955632516aeb

SHA256
b29aa3f0015f7b237c0d9711b157f5807dc302009892b4b41d0bf858cd59f08b

SHA512
593a353e87d700b17b55d75d8720d9dffb3bac025bd643c902123961028537a2f9c107b082e57c3c27436905c37f804e61e0aa37762f0aa3d4ffe8743f4e8c51

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
89KB

MD5
35e2933a1317ff25c36c1743c2157475

SHA1
3e99e3e00df75af129c730e77d52714fc6a3f40d

SHA256
92e4718a2738cb0a16b109868254d506609f886d7b6e76987565cd49eed16017

SHA512
49d5f185539bc37341edf0605c9b5df61374b63260e22559c0fae5459fd5620aea975448fdaf3961d9b285c900a02a436b0d9448fa1258216652f3b2f4afc70b

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
89KB

MD5
40244d37c2ead8964b4b85ae0c566f9c

SHA1
535d39efd64544a4b8dd9cff48ec303dfdfd5ae3

SHA256
426888ae0fc8c6dc7e7cbc92aebaaf3cb51c3c6b5f418385976639ff992dac88

SHA512
2f1730acf53885e4bee96b66b11f646c5ee0ae712f7a004f031cc1ce65d23eabd6a13049ff98f6225f5e738344bfa9e325802886c33420d49403b32430765251

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
89KB

MD5
69cdb8d4dd7358f1c29bfae8c27759da

SHA1
7a69be50d5662a272f7e8c8f122da11be6790724

SHA256
0bc51a2479e9214a9fcd0c401295f9a2c3e1f472aef5d1b9dc6286057aca1c1e

SHA512
492df0ade09803804dc0d4abcfcba4272b4cfda3c488cf14d9a041a3436c29153acccd0c882a4b1b1b4d2a0d405e5f0cde6ef3f7d40663d74548bccabd1e1265

Download Submit
C:\Windows\SysWOW64\Mnjgghdi.dll

Filesize
7KB

MD5
65b5bbd4966563164bdbc4575cb589e2

SHA1
549c0c9fadc7b2286a79995d74f3006a9feebbd9

SHA256
7cd7210a99e4e152e622dc75e9531b7c1dd6e624d09cf9ee6e37481ad02483a2

SHA512
569577594765d297d52a990027d2506219c3b48253eb72ff44d5c15d80d3efb25a2e49e3b01db70ecc7fc1717daae4afe7150ac75420a0eb11bc3f4e9fc86883

Download Submit
memory/396-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/396-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/564-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/564-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/736-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/736-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1164-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1164-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1476-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1476-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2124-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2124-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2540-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2540-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2652-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2652-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3440-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3440-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3544-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3544-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3848-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3848-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4976-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4976-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads