berbew | 35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32

Analysis

max time kernel
94s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe
Size

896KB
MD5

32aa3963d36808894e2a86e7f49fae18
SHA1

70dffb80fd43b1ee26400394c4d28d79a4767725
SHA256

35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32
SHA512

71df70c8a90bc20915f12b2ea06d4382b7c2eba1b7d64fd0e4f717f62ed975e89d15f5a9c13918a2750948814c172d93399e0ac2dbececdc56b8563c663441f6
SSDEEP

12288:QDpPlmvJehMPlmv+PlmvJehMPlmvz9f0PlmvJehMPlmv+PlmvJehMPlmv:3Jeh97Jeh9p9Jeh97Jeh9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 40 IoCs

pid	Process
4104	Ocbddc32.exe
2488	Oqfdnhfk.exe
3552	Oqhacgdh.exe
2812	Pnlaml32.exe
3940	Pcijeb32.exe
2952	Pmannhhj.exe
400	Pgioqq32.exe
2948	Pjhlml32.exe
1888	Pcppfaka.exe
1708	Pjjhbl32.exe
5012	Qdbiedpa.exe
4988	Qmmnjfnl.exe
4512	Qffbbldm.exe
2020	Acjclpcf.exe
1704	Agglboim.exe
752	Aeklkchg.exe
868	Afmhck32.exe
4080	Aeniabfd.exe
5052	Aglemn32.exe
1132	Bnhjohkb.exe
2404	Bjokdipf.exe
4196	Bchomn32.exe
4160	Beglgani.exe
5032	Bhhdil32.exe
2972	Cjinkg32.exe
2628	Cfpnph32.exe
4560	Ceqnmpfo.exe
4436	Cagobalc.exe
3668	Cnkplejl.exe
2928	Cnnlaehj.exe
4872	Dopigd32.exe
4652	Dejacond.exe
556	Dmefhako.exe
3964	Ddonekbl.exe
3340	Dodbbdbb.exe
1400	Deokon32.exe
4776	Dfpgffpm.exe
3508	Dmjocp32.exe
4936	Dddhpjof.exe
4116	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3332	4116	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4104	4992	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe	84
PID 4992 wrote to memory of 4104	4992	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe	84
PID 4992 wrote to memory of 4104	4992	35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe	84
PID 4104 wrote to memory of 2488	4104	Ocbddc32.exe	86
PID 4104 wrote to memory of 2488	4104	Ocbddc32.exe	86
PID 4104 wrote to memory of 2488	4104	Ocbddc32.exe	86
PID 2488 wrote to memory of 3552	2488	Oqfdnhfk.exe	88
PID 2488 wrote to memory of 3552	2488	Oqfdnhfk.exe	88
PID 2488 wrote to memory of 3552	2488	Oqfdnhfk.exe	88
PID 3552 wrote to memory of 2812	3552	Oqhacgdh.exe	89
PID 3552 wrote to memory of 2812	3552	Oqhacgdh.exe	89
PID 3552 wrote to memory of 2812	3552	Oqhacgdh.exe	89
PID 2812 wrote to memory of 3940	2812	Pnlaml32.exe	90
PID 2812 wrote to memory of 3940	2812	Pnlaml32.exe	90
PID 2812 wrote to memory of 3940	2812	Pnlaml32.exe	90
PID 3940 wrote to memory of 2952	3940	Pcijeb32.exe	91
PID 3940 wrote to memory of 2952	3940	Pcijeb32.exe	91
PID 3940 wrote to memory of 2952	3940	Pcijeb32.exe	91
PID 2952 wrote to memory of 400	2952	Pmannhhj.exe	92
PID 2952 wrote to memory of 400	2952	Pmannhhj.exe	92
PID 2952 wrote to memory of 400	2952	Pmannhhj.exe	92
PID 400 wrote to memory of 2948	400	Pgioqq32.exe	93
PID 400 wrote to memory of 2948	400	Pgioqq32.exe	93
PID 400 wrote to memory of 2948	400	Pgioqq32.exe	93
PID 2948 wrote to memory of 1888	2948	Pjhlml32.exe	94
PID 2948 wrote to memory of 1888	2948	Pjhlml32.exe	94
PID 2948 wrote to memory of 1888	2948	Pjhlml32.exe	94
PID 1888 wrote to memory of 1708	1888	Pcppfaka.exe	95
PID 1888 wrote to memory of 1708	1888	Pcppfaka.exe	95
PID 1888 wrote to memory of 1708	1888	Pcppfaka.exe	95
PID 1708 wrote to memory of 5012	1708	Pjjhbl32.exe	96
PID 1708 wrote to memory of 5012	1708	Pjjhbl32.exe	96
PID 1708 wrote to memory of 5012	1708	Pjjhbl32.exe	96
PID 5012 wrote to memory of 4988	5012	Qdbiedpa.exe	97
PID 5012 wrote to memory of 4988	5012	Qdbiedpa.exe	97
PID 5012 wrote to memory of 4988	5012	Qdbiedpa.exe	97
PID 4988 wrote to memory of 4512	4988	Qmmnjfnl.exe	98
PID 4988 wrote to memory of 4512	4988	Qmmnjfnl.exe	98
PID 4988 wrote to memory of 4512	4988	Qmmnjfnl.exe	98
PID 4512 wrote to memory of 2020	4512	Qffbbldm.exe	99
PID 4512 wrote to memory of 2020	4512	Qffbbldm.exe	99
PID 4512 wrote to memory of 2020	4512	Qffbbldm.exe	99
PID 2020 wrote to memory of 1704	2020	Acjclpcf.exe	100
PID 2020 wrote to memory of 1704	2020	Acjclpcf.exe	100
PID 2020 wrote to memory of 1704	2020	Acjclpcf.exe	100
PID 1704 wrote to memory of 752	1704	Agglboim.exe	101
PID 1704 wrote to memory of 752	1704	Agglboim.exe	101
PID 1704 wrote to memory of 752	1704	Agglboim.exe	101
PID 752 wrote to memory of 868	752	Aeklkchg.exe	102
PID 752 wrote to memory of 868	752	Aeklkchg.exe	102
PID 752 wrote to memory of 868	752	Aeklkchg.exe	102
PID 868 wrote to memory of 4080	868	Afmhck32.exe	103
PID 868 wrote to memory of 4080	868	Afmhck32.exe	103
PID 868 wrote to memory of 4080	868	Afmhck32.exe	103
PID 4080 wrote to memory of 5052	4080	Aeniabfd.exe	104
PID 4080 wrote to memory of 5052	4080	Aeniabfd.exe	104
PID 4080 wrote to memory of 5052	4080	Aeniabfd.exe	104
PID 5052 wrote to memory of 1132	5052	Aglemn32.exe	105
PID 5052 wrote to memory of 1132	5052	Aglemn32.exe	105
PID 5052 wrote to memory of 1132	5052	Aglemn32.exe	105
PID 1132 wrote to memory of 2404	1132	Bnhjohkb.exe	106
PID 1132 wrote to memory of 2404	1132	Bnhjohkb.exe	106
PID 1132 wrote to memory of 2404	1132	Bnhjohkb.exe	106
PID 2404 wrote to memory of 4196	2404	Bjokdipf.exe	107

C:\Users\Admin\AppData\Local\Temp\35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe
"C:\Users\Admin\AppData\Local\Temp\35baddfc0c5b1c8b20643b8a042046f54b8cebe1647faaca636ba678e790ab32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\Ocbddc32.exe
  C:\Windows\system32\Ocbddc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\Oqfdnhfk.exe
    C:\Windows\system32\Oqfdnhfk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\Oqhacgdh.exe
      C:\Windows\system32\Oqhacgdh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 396
        42⤵
        Program crash
        
        PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4116 -ip 4116
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
896KB

MD5
9eb60996c97746d756171e2f8520d399

SHA1
ea1cfe5b5fd5751ade4c961676fc81fc23fd06ae

SHA256
be831302f37b66a9a39c1609398e2c56bd47c69826594c650a5c0645b059c22e

SHA512
5ad44bd992c160baadce6bf46fad92889dfa62b4e91dbe68b6932ff719d0b71c45c7310c69f9b14b29acdc8fc29f7c7b6909d433b1560b71f4ad5324e6234e4b

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
896KB

MD5
ebdd420cf209cb06cc89c9c43e9ff1fa

SHA1
29614b8ca91f6bdf0683925a120fc8f0874dbde5

SHA256
32575347d24bf8e302aa2500491c85186108db7b3bbac6adcadb5f395c4c44bd

SHA512
4a63347e338f68feccce5363e11a5391b0110df72e5051aab735d2441c459e7984b8344eff27bbade610a382cbcc32d35e883bcf1ea7d5ec1c88875119e33902

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
896KB

MD5
1a9ec6c2e83d1f6248fc282d3516a688

SHA1
577d250f89af93b854c1c62aaa5b34908fe833fb

SHA256
7b1f9f5f2c0c4968bc964114b2e400d390c468d88ff18422ae6a7be701fd8f6d

SHA512
e8f5c158ed1ebac3b0e1d7a2a129b175f92fcf2a0e49387681187ebbac61307f8c93befe3b06361567b9f6cb9e9c42bcb96335b87dffc725743140c702d2138b

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
896KB

MD5
b8903da89411aa910ee962a1298b33bf

SHA1
ce01db4a39a8f349449162fcac1f9e54a8e3ab56

SHA256
2f1b72ddfc03e4bac19504a0f09350e123df67fad6522a00ccfe0c05da07d544

SHA512
6010e907cec3a682fcb37ae2aac5e96e365636056ea1a9ea9cfa4becedcc9f37fa27453a7960699411fb0908a17b47428cbe920d542625e8fa858bb65df01887

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
896KB

MD5
9e9b3e7840cfd2796de2a12abda287b8

SHA1
ae12c685570d739d686f5a2e4a8878c9dd2bc4ec

SHA256
ecb99a1d56ffba8d34c645fc0347efb25702e50712c246e05ce21c249a37b784

SHA512
8f56d5b7a983d26284e6ce76b761fa82469feb2af4d6533f1055c81b49ff5754a55360ff17026a7be19ff2404d842a0fff61a91c74709be082ab757d77914387

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
896KB

MD5
674c3a3cf978930de9452bb14cd7b6bd

SHA1
4912b0760683afd77278d68fbfea3bbfa21adc52

SHA256
c83a187b0ba974d301b79b33a637f56c0ed7b02843c8ce122d868aa73eb2b0f6

SHA512
de0f176a399f45b17802066f67423808459373aa7fa624c0715858ce5bfece0021c031106808c597306b753bc330840913cae887335226dfa80b8ca24d611b3a

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
896KB

MD5
4a5fb5630584491c44e4abd1e0587ac3

SHA1
e1cfe563b8d3db0c5ad0e3908ad0b4bd0b82adbe

SHA256
1e714b7fbe966510a210ee4097709c27f90a4569e6e9a3db046544cb93bcbfae

SHA512
bc1097245978bf60cdc17900127d7842d6950e848f2428de1d0f657a63adb98f16640abb4189f492c9d1818f460e81abf023e4e27fee5ea20408e5a4d7e4f1a4

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
896KB

MD5
7985d4b5c2e5336c89e5583d02367ba6

SHA1
555e02d068ba4ed5b3f14f37c3a190ee1afb54b0

SHA256
c8b089149655e6418bf53f092da7338ad961539009938ec722a5ccf9a01091c8

SHA512
4b8cf319bce8890233b9ce6a7c96bda6ac9f5fcd4c14ed1af501692963ab3b61ee9414e3d2a59182a8325291b09d1e6899a022ae5c1e2fd8d57997aa50c3755e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
896KB

MD5
6513d46442155e20f537f7f35284c301

SHA1
2340c0222791136d36b009537139e52d4fc773fe

SHA256
08e99f4fe0eef855d9c34b69bbb98c68f720de39707434057349a4c5d2be86e3

SHA512
1458962a92f9f4bb473975085e201b369a3faffac5b0a008d8d51665fa26954b0a69a76c9d83cfea1f046000b8a0a5e879f22226e028e7d3a47cd258de750f90

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
896KB

MD5
cefd7b3453c337e8f096dc7fddc640e5

SHA1
8e9b375e08c7304e171cfd32e03ab534bb50241a

SHA256
5c2cbd228eb275cc6bc48268aa63fc60118f373dff0a4084f17d299959f7cbf0

SHA512
c2e686515964c5d6b2cd723a079e45b3703808bc7820a54aee3d9479846d10da932738747f78cbc9722756bf434760117b68e000dda4bf9c565a3eef8ae422e6

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
896KB

MD5
f0815b3021c856f5fda970d06ad7a530

SHA1
dd587afdd926f8e3fdd7720d32017a41c45d2b16

SHA256
031813fc4d3c9dcbe333295d7eee798692cd4362bc2912914a66f75eba66e62e

SHA512
2147322d130fc37e1a5c8f2814874c024316d9aeea6082276b0d055d9fd57a3b9282ed8f63274616af8f881bd0f2248319368a65a38086d489c6fba5765e9494

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
896KB

MD5
3548526733a497e2bf3944ba988ef1d6

SHA1
443b189767560bdc8b9ff5116fc9c1d7d78ed2d2

SHA256
22b9630cae0d8963ba22e2090138f7a52fa24401c7751835cde4bc28e6f414a3

SHA512
8386c70c81f821b9a99ff64aa4757f92e16bcb4d722c583b5c91e293c2d75e120f4944ea36658faa22387f8b6f1f78196d342317a57a38bec8cd988b1cfed795

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
896KB

MD5
a9b296bd95ec8e4e144e9263f620b6b6

SHA1
26ee5ea17c342f4331959ff3b7075dc0f8c9dede

SHA256
058609b1132e146c286cbc387c968d59e45554ac96ad1260b163f5354f8cb5ee

SHA512
93b35a44177fbd2efc33f2e20f59d07dad3014e995ecba0e4f2a286ec06cd5633f304f26f1a46a0a481255da3a97b54df604363293a1d16c62d6742107fd528b

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
896KB

MD5
2b41869662ba09490a26d028dae34679

SHA1
57eea4b67bfb29cb61d78ac29652f2f8205a51b4

SHA256
8418ab1f84fe4b86176c692266b003dc22d3fd9aa3e81e81ed8d9b19c2381b8d

SHA512
a740cab13e56b2a355f79336dc7db74d88213e95196d9b9dba21d6f198d83e3c8a9b53f49b038a5c6a83dd620c43c17250b15e65c4578fb4afd3af9baeb3f459

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
896KB

MD5
659a18593cbc037a01b84966ad484984

SHA1
112385a49d3a1bb176ae7f0c12693a1e4b78cf5a

SHA256
b8713a3cbd04bc322870f492d1bff95a41dbf48774f5444baf22ee7f87baf0b2

SHA512
162d9b835e6d0d1700eac8ebe645512c8597e733599013eddbf74b0aa42bb828542c6fa9a326b7f2c5512ce05d5f046e3fc36c94114a7cdf20ddc97c63a4fc34

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
896KB

MD5
c90040429e9372210ee75bbc8771e655

SHA1
79749602c1eaec50a54bc07d96ec92d8ce18c571

SHA256
6f9fb31777af990907d70ebe5650ed93cc3f1d3245b29ff201c09d397323c64f

SHA512
c319c2448a763634e3ac73f5328ba9e50fc0d2cc264e7fe31ab6ed31a8f3176992b52d270bfb3fa44bf2daf7f0e2fb7607a1e9cd77658611dcc455861a3af0df

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
896KB

MD5
f46ebc2c7338ac95882ad38f99f16ea3

SHA1
f6ebcdcc717f31214dcc56faa1f1a12f3bf7e20f

SHA256
fffc0a7aeb28fbaf5fd1ac402bd13dd4c75df4fbd9bde76bed07b696610917a5

SHA512
e57ac7d4ccebfa288441818832d8b7b6a38604db76c9dc5e2e57dccdb07cab6214832ad0e62a7427a045d7ada261b2fb4074a82384f00a760c2f4846390ce124

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
896KB

MD5
d11568fe9ba3c53f9e1e657aec0bc7e9

SHA1
5275e437acf31c09f169446720a9a004cbe93da1

SHA256
493e6fbd6becc6d158ca818989c604f3ee3d9576aa628c3be3eca3a48c1349d1

SHA512
7bd31480588a7dcf2fa4d81d02f1d7b3330fd1d11b30fe7119276a35f38dc9971818194b19bbd17ef08eaaa437dcbc3c8f37d850cb5e0fb07701660a832bade2

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
896KB

MD5
8c5a16647a7fa17396d1d2d3b0a30b0c

SHA1
6ed690e02ba90ba8964852f09c1326e294d7fe91

SHA256
6608743c3c2c96f303df092afe99bd00b3bdd1c5ac33937251ba57c90f4b2a2e

SHA512
8383c34d1f743c80582dbfb3b9ecf506d2085b8956bfaaff3aa8a2fff7dbaff20931c7a01fafea70b377bc70de1b5ef1acfa72a0a6cbade9bd0778c6dacf0940

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
896KB

MD5
b4c9bd223b121ee0ec45ecb28b5e8ab3

SHA1
680fe0fb74509c4034af5d3b508bee1bc1fac01e

SHA256
4fbe4db5c78d8f778bd56f02f8ad1ba12dad009013cee54d984da8ba733c81a2

SHA512
914ee70462b4eba9668af8374fbdb2350b9e363c06589708389288a1ff1b796baec266017d352b24640a77281bb1f859f6e5af7cfb7d146564758756680a81c4

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
896KB

MD5
e5c8e84d619348ccb5e58774b771823c

SHA1
6d3f13f34385c4d4faff8605fc12d04ae52b8675

SHA256
ab27971fd22404a5f6d3592face155877c8098dc6389cc397a2ec1cd7c4a598d

SHA512
a24dff11ecca6f1b15baef6d56d99b51cc93852e0340c5a137a8f8ad3643f1b3aab7bd80e2b282b7cdd6d9767df922cf120f7e8bbd99b5de07e3f24dc2214f93

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
896KB

MD5
b8984f3871a54a0a945c3c9fe0d65105

SHA1
91fb7a96a37e09a2edce8ed27dfa778046cb55cf

SHA256
d2bbefc66ecdaa4ff387b8a992ebebd810ff46ff78ee5f5ca4d9db4f505d76f2

SHA512
05f7ed07f72ce8f407ccec13f35acb2d948bc82ff7a75abe7375d5f511713d9a4f24a0f69003c6e881c585d8990fc6a3f275c9c044fd80f50b4e8533fb3f3e17

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
896KB

MD5
b617df3f04ef86b4383824e150a7976c

SHA1
0690efd94176e8a83d2f4bbd4c8fb8691006025e

SHA256
e3ef67fe91dc391aad47cc6448519ecc011f79ac260fc77b9af1401e12ae7ac2

SHA512
9ea6c75638d85715a74fbcccc717ee13ed529887707dbf195c1f02de4fdf50673b73a751d9668f5e90f3d7c846f9d3278e81b21bff0e762fcc96ff26edbaca83

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
896KB

MD5
2806fb242d4369f8d894670e43e6371a

SHA1
7e2b6ad5120ff88d624ae99bc3784a75a54080c6

SHA256
bc5ea9cf9179368caac4a7b1224747c71383721f6c9a4ecfce2646a1380aa797

SHA512
632050f7b4809d5ce24c060b92279a17e980a6a60f56bf8c2be20696e0eb0f090f138f42bc901b17b788d7a5ce9c81a9f1ceada1c8f8f33ffcf070f3bd43cd77

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
896KB

MD5
00b0ae35fa0158b15ac0992bcd89fbd8

SHA1
12e77412e27c83baebf0be215325f9e3463c6957

SHA256
ca48462924e88a7e3c2930fe027e73a62f3927bb91b4d9edd88baebd167d501d

SHA512
2cf7636ba8dea31f27691a382777ee8d9dbf553cd421c169b511cd0d3baf415d2b60872bf0ae7aeacc52090539b6db6608ca5b29552e3fa2dce88a76d8df6877

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
896KB

MD5
625813c19e5305ad6b42a43e3ab6cc95

SHA1
397a5275a82a103b2ee4e8fb5195d84e439171c6

SHA256
79a0788652b62a0df189dd37b5403a8efbdc7ab0a16b61bc01bd3da651c3badf

SHA512
1b0fd8f01fdf4dfbe12c22029710b70cb393a501ed40e4b9d01ecce7ac1355882ce546d68037d5f5614749f43bdcbe8f2bcae1407453c8703c387a735a53eeca

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
896KB

MD5
3e70ccd6fa3f1287a1ba2d96bca9785c

SHA1
c1da3235111625319d943008cfb35f1cad680247

SHA256
dd795a46b70cd3627c4fb252f873aedbf3ec95626b01cfede706a4b8b075e495

SHA512
3de0149e43da25dbd5429e9b746875a0e9213034e2be4da17b2708f48dc38965eafe8cd274db736b21d36b7b8c95f33abb12e736af970dd16e32fdda5729fc80

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
896KB

MD5
ed2d1591713cf21d999112e4e5052d77

SHA1
85e8974a3cdb8eab2e2fb14877122625793a519c

SHA256
f68eaad605b0b2b49a581e088897958a7fc46260ba5e40392c53eafe17282c9c

SHA512
bb568b2d5cb900f3c66deec75bb3e86f7aa12a4629f44c88b6e139919d0d0138271b0d63b88f19355bdfe6492fd3605a9d88fb61d476571f144a717e2ed1d598

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
896KB

MD5
a861dc9ca4d7e60807c70c64c7137a60

SHA1
75dd0972b85ed113f01edfcf74bab16b44d8d6fd

SHA256
309a3b229e2a7d7c2d616f7f338852253e81374edc539409d22464a3558626e7

SHA512
331a346e9aced93aa165a405a1118b30e0d1435dfcb82e1b86d5c4dac6a3d341212120a208a4691613c1483f25f7f5a1c1a45c117a5d2c327b1ca19d2c8f8085

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
896KB

MD5
47e6aaf59d8a3b4ab4625ceabb651a94

SHA1
e14c4924d75216760b7a31d7a816679d2588e7f3

SHA256
cdf3f3a29cd3a4135bc937ed9f063b35a34d6dc45663087056a9483a856b3eec

SHA512
f88d87c98af939a72e3fe7f333604c60dc4d12ea91f09251fd9c73b352bc66891958e52fc426e406317607ff25adecebd46da4d153e30104e9914e8c9f6f631b

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
896KB

MD5
551b837c8d8adb3ff04d91394948228b

SHA1
96c567d0f64eccf3ffe9d5c3670a8026bd7090a3

SHA256
7025b582657b44bafc9f75ca4a8adc4d266118c930cc2332a6d458fc7f9f145b

SHA512
40c2c4fe0205e41045c48e4f477ca894f26077aafac752f2030598f3c810936c52b778f40ceedd5bbde9185a5cab0ce34fd0a56a3e3c47a8d34a918a3a4282d1

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
896KB

MD5
257c3d47869fa4ddd21801b1841347c7

SHA1
7d5cacc32045d5d840ea7e2f52c3eff00c270af1

SHA256
fcfbd344dfa243cc507727177be225801491742d47fc1f014aaaa8d41fa67fd1

SHA512
3536f0c85507a8feecb1474c2f6581cf36dce68f9c2bb3d96ff0b9e657e870d1d601603c0a3c39a0e3b296099998fd86d853b2e007fd4edaf4d52e1671266af2

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
896KB

MD5
506778067c2f17117f753220209a331b

SHA1
c7e8b15671e88ab83e3b8b76ce5906eb80505972

SHA256
092b9d0603ee2680d264aeeb27ee243af6761eba76afdfc637974a0005a2530b

SHA512
39680fad1baa8c634657dfe84e10ad8f9c21f6ddd69f2f74995325438ff146d9d91f011f74e6081154e461b3dc754190c9e8cf834ff55309696ee4883065ca71

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
896KB

MD5
b6757e7f3b030debb347641de7a83b54

SHA1
80d32d35847d5156b5840a044b22d4938e13141e

SHA256
709bed3ee447df5259a8ea5340b4066b90d4ae1783730ff8637653ecdec02f6f

SHA512
9b4c37ee1f8c0e106151ffa40f54b5140e5a1e5f1fbe4995bbdb87cdf03e6b076b1436ebd012338ce64eaef92e00baf71407b52dc272a29cedd99ff1c78d263e

Download Submit
memory/400-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/5012-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads