berbew | 3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Size

477KB
MD5

078322411e766bf6b3965c0f640b4930
SHA1

318d832e55e3a51f9177e5ac5665dbafea3c5e1a
SHA256

3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538
SHA512

09d2ee79a69b80492f4396011277622a0fe9d925a6c2cd73e86556d26f2f9436874c0c099f1b0b014c2c30e6e167984cff2401a92b4ac6ca3dbc93565e32d639
SSDEEP

6144:nxMDZ0g6on/TNId/1fon/T9P7GSon/TNId/1fon/T2oI0YokOsfY7Uony:xMt0eNIVyeNIVy2oIvPKO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 37 IoCs

pid	Process
3880	Anmjcieo.exe
3608	Acjclpcf.exe
2852	Ajckij32.exe
4676	Ambgef32.exe
4244	Anadoi32.exe
1216	Acnlgp32.exe
3896	Andqdh32.exe
2588	Acqimo32.exe
908	Aminee32.exe
3520	Agoabn32.exe
3604	Bagflcje.exe
2636	Bcebhoii.exe
4568	Bfdodjhm.exe
4776	Beeoaapl.exe
2340	Bmpcfdmg.exe
3856	Bjddphlq.exe
4852	Bhhdil32.exe
4796	Bcoenmao.exe
3476	Chjaol32.exe
920	Cdabcm32.exe
1452	Ceqnmpfo.exe
2240	Cagobalc.exe
4036	Cdfkolkf.exe
4760	Cmnpgb32.exe
4472	Chcddk32.exe
2176	Cmqmma32.exe
2864	Calhnpgn.exe
4856	Danecp32.exe
3824	Djgjlelk.exe
3368	Ddonekbl.exe
2344	Dkifae32.exe
4108	Dmgbnq32.exe
1512	Dhmgki32.exe
3876	Dogogcpo.exe
508	Deagdn32.exe
2576	Dgbdlf32.exe
8	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5096	8	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 3880	1664	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe	84
PID 1664 wrote to memory of 3880	1664	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe	84
PID 1664 wrote to memory of 3880	1664	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe	84
PID 3880 wrote to memory of 3608	3880	Anmjcieo.exe	85
PID 3880 wrote to memory of 3608	3880	Anmjcieo.exe	85
PID 3880 wrote to memory of 3608	3880	Anmjcieo.exe	85
PID 3608 wrote to memory of 2852	3608	Acjclpcf.exe	87
PID 3608 wrote to memory of 2852	3608	Acjclpcf.exe	87
PID 3608 wrote to memory of 2852	3608	Acjclpcf.exe	87
PID 2852 wrote to memory of 4676	2852	Ajckij32.exe	88
PID 2852 wrote to memory of 4676	2852	Ajckij32.exe	88
PID 2852 wrote to memory of 4676	2852	Ajckij32.exe	88
PID 4676 wrote to memory of 4244	4676	Ambgef32.exe	90
PID 4676 wrote to memory of 4244	4676	Ambgef32.exe	90
PID 4676 wrote to memory of 4244	4676	Ambgef32.exe	90
PID 4244 wrote to memory of 1216	4244	Anadoi32.exe	91
PID 4244 wrote to memory of 1216	4244	Anadoi32.exe	91
PID 4244 wrote to memory of 1216	4244	Anadoi32.exe	91
PID 1216 wrote to memory of 3896	1216	Acnlgp32.exe	92
PID 1216 wrote to memory of 3896	1216	Acnlgp32.exe	92
PID 1216 wrote to memory of 3896	1216	Acnlgp32.exe	92
PID 3896 wrote to memory of 2588	3896	Andqdh32.exe	93
PID 3896 wrote to memory of 2588	3896	Andqdh32.exe	93
PID 3896 wrote to memory of 2588	3896	Andqdh32.exe	93
PID 2588 wrote to memory of 908	2588	Acqimo32.exe	94
PID 2588 wrote to memory of 908	2588	Acqimo32.exe	94
PID 2588 wrote to memory of 908	2588	Acqimo32.exe	94
PID 908 wrote to memory of 3520	908	Aminee32.exe	95
PID 908 wrote to memory of 3520	908	Aminee32.exe	95
PID 908 wrote to memory of 3520	908	Aminee32.exe	95
PID 3520 wrote to memory of 3604	3520	Agoabn32.exe	96
PID 3520 wrote to memory of 3604	3520	Agoabn32.exe	96
PID 3520 wrote to memory of 3604	3520	Agoabn32.exe	96
PID 3604 wrote to memory of 2636	3604	Bagflcje.exe	97
PID 3604 wrote to memory of 2636	3604	Bagflcje.exe	97
PID 3604 wrote to memory of 2636	3604	Bagflcje.exe	97
PID 2636 wrote to memory of 4568	2636	Bcebhoii.exe	98
PID 2636 wrote to memory of 4568	2636	Bcebhoii.exe	98
PID 2636 wrote to memory of 4568	2636	Bcebhoii.exe	98
PID 4568 wrote to memory of 4776	4568	Bfdodjhm.exe	99
PID 4568 wrote to memory of 4776	4568	Bfdodjhm.exe	99
PID 4568 wrote to memory of 4776	4568	Bfdodjhm.exe	99
PID 4776 wrote to memory of 2340	4776	Beeoaapl.exe	100
PID 4776 wrote to memory of 2340	4776	Beeoaapl.exe	100
PID 4776 wrote to memory of 2340	4776	Beeoaapl.exe	100
PID 2340 wrote to memory of 3856	2340	Bmpcfdmg.exe	101
PID 2340 wrote to memory of 3856	2340	Bmpcfdmg.exe	101
PID 2340 wrote to memory of 3856	2340	Bmpcfdmg.exe	101
PID 3856 wrote to memory of 4852	3856	Bjddphlq.exe	102
PID 3856 wrote to memory of 4852	3856	Bjddphlq.exe	102
PID 3856 wrote to memory of 4852	3856	Bjddphlq.exe	102
PID 4852 wrote to memory of 4796	4852	Bhhdil32.exe	103
PID 4852 wrote to memory of 4796	4852	Bhhdil32.exe	103
PID 4852 wrote to memory of 4796	4852	Bhhdil32.exe	103
PID 4796 wrote to memory of 3476	4796	Bcoenmao.exe	104
PID 4796 wrote to memory of 3476	4796	Bcoenmao.exe	104
PID 4796 wrote to memory of 3476	4796	Bcoenmao.exe	104
PID 3476 wrote to memory of 920	3476	Chjaol32.exe	105
PID 3476 wrote to memory of 920	3476	Chjaol32.exe	105
PID 3476 wrote to memory of 920	3476	Chjaol32.exe	105
PID 920 wrote to memory of 1452	920	Cdabcm32.exe	106
PID 920 wrote to memory of 1452	920	Cdabcm32.exe	106
PID 920 wrote to memory of 1452	920	Cdabcm32.exe	106
PID 1452 wrote to memory of 2240	1452	Ceqnmpfo.exe	107

C:\Users\Admin\AppData\Local\Temp\3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
"C:\Users\Admin\AppData\Local\Temp\3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\Anmjcieo.exe
  C:\Windows\system32\Anmjcieo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\Acjclpcf.exe
    C:\Windows\system32\Acjclpcf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\Ajckij32.exe
      C:\Windows\system32\Ajckij32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 396
        39⤵
        Program crash
        
        PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8 -ip 8
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
477KB

MD5
02a9abe1b3c4f36dc842269423fd2540

SHA1
169b0e7951b6386540ca669cce6ca913c043bdc1

SHA256
e814f77bf5ea48242cca230f1b3b3a288d7f3825e85d434e7c6b9f3d4c5eddde

SHA512
24fe364cc9dedf007e75ec1e34820244b94de6e3029e24a964f462f5491d00d0d75b7ca7dfbd015e9836efba51d3df2cb39a0c9c24829b838e0d5190a06c428d

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
477KB

MD5
9e2ddf2990bd318fdee7817b00500f39

SHA1
831ade9c0d599dd92511f5004d53eb9d6323dedd

SHA256
0edefd89ab077ddd1396e7e18fc064d76ee4d65bc2b381a62148170b2ab853af

SHA512
8f6368d10392b303b7b83d6ebc933c8a948221421bb5c3057eb497ff0f17d1b12f9651cf1dd2f4e0566a992ea0fb83c77e23b6e8f06cc09f3b1965b1f9429192

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
477KB

MD5
de2646024227464751098740c0cefcb4

SHA1
3ba1d1e57c5d4eb9c348241dafcbc3505cdc6a90

SHA256
caee2974c3fdf2e5ae0fa13cad25f41a6271769976284c2e13e5a016516a8ce5

SHA512
e9810f0b1efe35d11066017b312a7aee27e517c0165a83543243d5a94e15fe951012bcb038ea95301a31f3aef5dab6cadb16d97433f9693175136d27e377dd2e

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
477KB

MD5
ffef72c32e1d967ffc4b70576e406571

SHA1
9da120d083ce6ecfb46bfe651733e8bed8306cd8

SHA256
64f5a6f07b59ee0e5a20825ce47b09eab448f7b7c7623af4748181600cf9c0f5

SHA512
aa824570dc23610add47f02a97d59b3d59d5fee73d3ac0d5c151ed2fbccdc2fe9334757540694918ac3ee1a5b92fe593fd7242067014b635a60b3bdfd017f8b3

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
477KB

MD5
f5164b5e09142c73ef3336dbb38b3cab

SHA1
f845724879cf282d674766ea76bd64c12507e6cf

SHA256
c59abc07205d8db9c8c6fe31a94d4ea47bee1e05f42ad77f8f124cba8b67705f

SHA512
a99fac6f1b08418fb5cc261b043fe9f55e74383bdab1e5f92b7ae2a064005ee8787d5b71e18ae69816f03fe3a73dd99ade7bc18350cf22109a22ad7f7af4ed40

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
477KB

MD5
9890377c6e1e014c6ba5cfcdc25d8397

SHA1
b0c2cb6e4550d5ef0d49c23f3cd5b5c47aa98e3f

SHA256
12d4e274a5ae55bce0b930c6a56f3a902367c6d0079d83d238c6ecf6ed9779cb

SHA512
877e98fbfa97bfdb55e38ee6aa616afb1b461419a21543d71bd216345b585249e198aa8ad1f3a1adc9d58424558150ed2e14bfc4a0906d687ad254efc56b79eb

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
477KB

MD5
55f69e9903690316dea4ae4a9286c898

SHA1
bc35d251c9f88dd6d55c83eb4ea828db2e6cf336

SHA256
e72c8a52bfd88fcf337444a03da9fbe9ff1ea38ea4750d9ad7c711309d481a1f

SHA512
539698263d5aa9cc2d41f592bdc813990d3d289839196402cdb796690ff5c5c26914b1095d31eff0d7b36b874173e85a33f30fa68f4b76777e394a2241a446b4

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
477KB

MD5
f8506104061cf775654af691d04cda53

SHA1
6beae45bf70fcf63d5ed6c84f1a1fb3f77363628

SHA256
5bd6159f4e659cfe3fbee14b72898367347b4a1ca76ef3cc008521ce44eb625b

SHA512
8f4b588f719baead4c9c66996aba3a9bfa4698ad4a9d26eba680f7b2742a6aa0a45cf2984e8397be56a4854c5a0af048a25576307ed653adc910d777e0eb788d

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
477KB

MD5
96d80254a54122b77f3b33a66c56c928

SHA1
7c2191316398de735d52b5187bc6ae1fb9c27170

SHA256
e2384438a1fde1dcb33af23494cc58279af07ad62ae30978c2d255bd68194acd

SHA512
672a6f5c430754d36c3ef6cd4e6fadcb1b950f611be7710dd5093a740adc2f2b5848c557db60c0fd02551c516730f3b53a00585e86a640d698f9e13e478324d7

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
477KB

MD5
52a9886061c4413dc332465f7d22ad3c

SHA1
f5fb25f2d4bf27afdddebcbf2f4d47830c0d288f

SHA256
c06967ef3e1c3e6ae0e6468a43c056eb1e102823b8928384dbe7b1e3fc914665

SHA512
b9a137f61a8e9c9e4e92c2d9f05af50713c98905bad14853c8827eb4359a2d72c0c4a5513bbd12bdea70e66d353ad04073c64fd56bee6ecc14e6a4f25dac4282

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
477KB

MD5
de488543c1e03c514d5ce8b87f5265bd

SHA1
d18cb13be08ad92f7511eb68dde67edc7a7851e3

SHA256
81d6fd2fa49b41396cbb0790d040c1f27f69fdb8daafd94ba1b1ac013ad4b689

SHA512
af9654b1ac20c2713019c7c3dff286b325e2f5cce328b992ba0f63334f23e77d54010655483292995e5d615408b2090c8b6eaef2cbf78f3bebdd3fe4801bed57

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
477KB

MD5
13624f0b983ef5f2c150f8f829a11b2c

SHA1
9a3a8360244351d0aa33ded246e276e649ae1b37

SHA256
4fb9a86af21611e9d63247eb661532d2410216985566bdbc6b30db6f608c3de8

SHA512
46a04ee6cf552630cfe4240fbb5ec209a427b19532be3630051a9d03f032414f46c5d6b258321eae2e1bbf9f27013fba964ea500e05ea2cb2fd63191f67f6da5

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
477KB

MD5
86b45628f197deb88639fe972083c39b

SHA1
7669ae6398ccc1622da105e2d536f389e2d5a621

SHA256
c87b30f06aabacf0d8d96bc1851a0d66dec4cb54fe531af278760e41e38d3969

SHA512
3de67150dd929dffa4118e29bc1fc50ce39dd20db598925b214c42381b280984bb8ef21902c86326e78abf7710bd2b7508e373274eb9729ce72f2092ab24146c

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
477KB

MD5
068618849b64658c3eaf1e48fdd5fb44

SHA1
ef148009c84b6ec70fd4a3c11db0952ba3ed0511

SHA256
77e11eef99d359f013c7f39500061dbf8951fef9b1ffc84e7a0daf88be4006b0

SHA512
9e18fc223f368683dc87593a6006de981b3c1c2d81fc094251a1529d3f63254eaca98f5305c51ec54cfa02378963f73ff94c072c98ab8664340bf6f5c3949b88

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
477KB

MD5
563566fa7cc8c1f3e2d1c6e0890e0460

SHA1
8cbe9795487fd163bdb3a9c1ba5254ab2207a404

SHA256
781a6fa432a9c62aa8230829267dd6db5541ce4fe8181e31a71e92bf141378c7

SHA512
b0ed5c56d000a5f298588232e99b1aed4059fa9c4ddf122852eb676d31f3d4c9cd090033a523496d5caf58799b50c0b0c4096a90492ad54423525a0127c45c23

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
477KB

MD5
dfc2a804e0338579054b93bbcc1b3152

SHA1
689aaae609edace495adcf5bb8f269ecbf3fab81

SHA256
55e5c820cc66c8b8c2a10d35bb8dac697fc3ff5ed053849bba5f92366ac5fb51

SHA512
bdad32c44c338ea304dd1c5388ad0774756c2864648f6a5302b288e0c19715f7ea3f2359c16132f3f4c47a533c1a699bc4d35f234a1ec5c777d74e81aad140b2

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
477KB

MD5
43a6c08a54b2bf3e21262aa87df8b34c

SHA1
68b4f927883b9defaae7f25b34dfaa5c5d0174b3

SHA256
d89e45831e3f2101ef297958adbbee5bd39d5ccf04f82093308d8405131fd932

SHA512
4840a3d60025cc0dcc67d4d6f65c2512bcd07a8a79097459049ca0776889400cd499c4227029e7ee78be2ce72a584c21136d5282ae4bf13d0731a72981bbabf6

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
477KB

MD5
ee804500fc712cad61aa4d2259840141

SHA1
45b21963f889ffdb7e58d754031018794f19cbf0

SHA256
8b0bae0b69b0a2bcc5dfd354229c403bd8cb01106d136f1ad7a9632b3483ba10

SHA512
42845f2cd477a32ad1a1b700b08f89b7586cf0fcd065161d1b221df3c654b7fe608d63bba356fa51554005c9d4211a3db70fc3425155dcc0ad4b0d180665f433

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
477KB

MD5
9b07ee0012487178e6f7905e9848d21f

SHA1
6e29f71456b16c16a2af04605cc14b0ec5be3d0a

SHA256
c9054403b977a3be4b3a3eb46039b3c9bc78999d1908139868338833fd9ce52c

SHA512
161d20e7dd4e39955709e22cdfb8c988fa09772cb2e2c00d25498d82739b094d3d14d4b903f7181a6daeecc0b6e25f879dbea90fae57ae99498a2245b20ebeb1

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
477KB

MD5
932426b1b7322714fbb41f9a7c8f8255

SHA1
daa0c785d5f25d7c2e9350476dbaa6da5028bf88

SHA256
541c0f5dd65cbe700433a61bd043943a9f92de3ab4d794a7086a82b19fcc921b

SHA512
8cbaf12b92ca22f6972b415cc385742d5e1528c4b0a3550d5393ad747b5d586bde00e4225301be392dc59920cef0156a0d0f002c779997dff22acb647215f502

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
477KB

MD5
8d21658df24f379f28c8eb672aa5ce6b

SHA1
40934dc0d483142bd56c67dfbec60aff7cc56622

SHA256
d3e1834a4f3ecaef42d9a60e51be65bdb3af62f24cbeead9d8134c48363eac84

SHA512
f09eb245bd2a1bf1e1fa3b92933d3fd1e4083d8e3892d1e0bb98b7a36a5a38b73684eab279df779e9928f2b0263e80942c71c8133c3d7c877b9b8470aff62a93

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
477KB

MD5
681e06020cfda0cca60e932a8b065a32

SHA1
8ed709959de2ac90dca3a55f5fcb09263838d3d4

SHA256
e73e9213947a45972e874cc94bc6a02491903ec784475eb410e9fc9d3d1f2a06

SHA512
873ecf20d3c13ed7149af56016e655ef992df35072a713678e8ad975fbd8a79d63ab496d6a028c3ddc582f93a03ae381b4ea0785c9dc27d316de349bead19ecc

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
477KB

MD5
87d9dd0229536c41f00957d1a231de7e

SHA1
c0509f66ba6c71aacc092a9bd56a2bdcdf478050

SHA256
77bee4e7723aed764ac4e4872b4c5310575ac029b2a735ca9c0a337ab66f48ce

SHA512
a46de2b7e48464cd2986c91ca50e427644847f86cf8c64bb804e18969316f8ad9b1b11e50e410c7d416d05cfce7280279843dd775c53faaf832532f62a67a072

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
477KB

MD5
02fe5e3697d165e8d1b235448bff0eac

SHA1
7f7d76d1b69bfdf2d898bf431cc93e54ae338b74

SHA256
d3fafe16434eb198b2938d3b345467155a58f2bd77bdb795e1389969f829999f

SHA512
1103ef4791f0194f69b1610b2cea8416fe57d3d66e8d1466a478ea8c6dd8b7414a0ce1d0cb5625619b471039270519660ed82c195aef70b322b6bc505cf11bb2

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
477KB

MD5
6a7fcfa6dd2e0bfcbbed1ad33f6ff6a9

SHA1
8e4f75ca9e6111e2331778ff6888a3590db840ad

SHA256
3e3f80ca0121ea2de0987a5fad008141c82f175fbafb40400e518899aef99a1e

SHA512
22cdc674eee65f3a4d945e4acdb60b0ba16114bcc03c6d64514f8b3f7d76f819279ba20d47f0eb90ef2838bcd5fcac82ddaac8068c0ba2b500d6ad3d3cc90480

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
477KB

MD5
b817de5dcb75b82cccd3acb136cebdb2

SHA1
c0a6d2843d0a9d2d791a69d4d1eddc901c9809f4

SHA256
c9432d7df58b6dbf91f42dd9187b88489a6edef036cfb31bac8278543b9854ee

SHA512
6c0611c3a92aa6c07cc7d7f60a7d768e4847a7a6b18074b3808daba9a3a735672aa41ab520ca53145a9bce3d9f6a5da9a9c6784ffbfcd3ba46b0371568a9c34e

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
477KB

MD5
fbfbc9ec48d5250789e3876c4f7962f2

SHA1
1187d95dae8d0935c467515893d81e63467552b4

SHA256
d4b440998beafff2d24f9533a90634a787401c6b1ec55e50622adbff3b9339cb

SHA512
2fdd97c8e0dda5b4803e1fc3a6bb2a805c0cf833875dca37528cd2dda058736ffb6923a958c5ccc1d0540013f4f39d884f9c003e02907f9c86909699f318188e

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
477KB

MD5
1277934bae1f556deab1210c491ecd98

SHA1
7da6a7078a099d4b92a0a8a37a544462b0edd9c0

SHA256
03796bc8bd8de80ed7cb96ee2f4cae477a51cdb4349bab0c712bf86afe37d791

SHA512
47acec93dcec7b9bad0a52de74d9e5e3f11b8c56d024d7d8287a0035ca010c286a2a78d3b6c76e30e1c060a30f955bbfa95133940a7b5ae23933182ad34b461a

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
477KB

MD5
bc2d0cd965636fcf2ff75e8a09560c00

SHA1
d526b2cebddf6764485e792dcb2654a56062aa6c

SHA256
42065a7ecaeef257355bb0843c041a4013af8a3e8784fbd9d2a2fa9d409a6f19

SHA512
244344acf2c589541f1719fdfae33485661de4220de6b23d9d337ec48c682c3310023f6c1b150f765304c0734d1a3f68fca66e47c45888d4bad41e245247ac27

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
477KB

MD5
a293648a6e637a322937d5334e1a1aea

SHA1
2167a3bfe5f0e738b26164f687b3bce1bcc2a6f4

SHA256
78670cc1eda0bd6f2700e0ad13ccc3e868d4d3d86a6a91a7c5b5cbe53811ee8b

SHA512
a3a62618a4653649330d991aec08ca3729bc22dbe2c992b32433d0d8883b677a6d7214b87fbba71004a42e5cddf15974662ea6289db95609dd8dcdfc4eb46b49

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
477KB

MD5
285b3fe5379e71798bf845dd5734c070

SHA1
9e8a3e2df1d0576ab70f134bdfe1a5c4c4dd0cb8

SHA256
9ae6034a8c95475fdc5018ce9c1eee0bd85344d1cd967c78741529f9d8b562bc

SHA512
d45ff715603cda35097a6f0fedfe878c6e20a2540767c0dd7003da84f938fb70868f3373180547431bc4d809cc60aa0e1680654cd8e2210c7529ac22bd88fd53

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
477KB

MD5
d46f69f73a2f26be8548ede585138986

SHA1
506d6a133d65959dc46b63e644302a84eb361ee6

SHA256
8c83177679ba8815f770fd5058ad415ad89b51101c2298cad9735777b29fcc0b

SHA512
78f5a879b7e9fd182aeff9c8e83b95cf2a0a915b498caf9ba4054cda48e19a31ad713de067e61bfbd9c42664a4f46320114274dbf0e652d19dda819edfb4997f

Download Submit
memory/8-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/508-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/508-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2176-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads