berbew | 7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8d

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
Size

479KB
MD5

f148b2b9a4faa10677a38142cf9c7db0
SHA1

1c67ec040b556c79ea42b44c51616b61143c44ba
SHA256

7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8d
SHA512

e7604374b8b7e95056da121682e7befece6f9911a92127a0d41962af7c6fc9ed2ab678a4c47b7514c277af19be29e13de73595705d7ef4ad215008a28c75c30b
SSDEEP

6144:Fvo/Yoz9RkXPOwXYrMdlvkGr0f+uPOwXYrMdl2MPnhd8+ZDI:i/N9wIaJwISfPI

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 44 IoCs

pid	Process
4720	Qceiaa32.exe
5068	Qjoankoi.exe
2096	Qgcbgo32.exe
2396	Qffbbldm.exe
4388	Ampkof32.exe
3948	Ambgef32.exe
2984	Agglboim.exe
3080	Aeklkchg.exe
3264	Ajhddjfn.exe
5072	Amgapeea.exe
4872	Bfabnjjp.exe
3568	Bnhjohkb.exe
552	Bagflcje.exe
1392	Bcebhoii.exe
4628	Bfdodjhm.exe
2132	Bcjlcn32.exe
3548	Bfhhoi32.exe
4676	Banllbdn.exe
4504	Bfkedibe.exe
824	Bmemac32.exe
4332	Cenahpha.exe
3108	Chmndlge.exe
3296	Cdcoim32.exe
3312	Cfbkeh32.exe
336	Cjmgfgdf.exe
2940	Cagobalc.exe
4484	Cfdhkhjj.exe
4476	Cnkplejl.exe
2820	Cjbpaf32.exe
3564	Calhnpgn.exe
4268	Ddmaok32.exe
3368	Dfknkg32.exe
1992	Dobfld32.exe
624	Daqbip32.exe
3704	Ddonekbl.exe
4204	Daconoae.exe
2028	Ddakjkqi.exe
4432	Dkkcge32.exe
3916	Dogogcpo.exe
3056	Daekdooc.exe
3836	Dddhpjof.exe
1620	Dgbdlf32.exe
3456	Doilmc32.exe
4220	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chempj32.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1124	4220	WerFault.exe	129

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4720	1416	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe	85
PID 1416 wrote to memory of 4720	1416	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe	85
PID 1416 wrote to memory of 4720	1416	7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe	85
PID 4720 wrote to memory of 5068	4720	Qceiaa32.exe	86
PID 4720 wrote to memory of 5068	4720	Qceiaa32.exe	86
PID 4720 wrote to memory of 5068	4720	Qceiaa32.exe	86
PID 5068 wrote to memory of 2096	5068	Qjoankoi.exe	88
PID 5068 wrote to memory of 2096	5068	Qjoankoi.exe	88
PID 5068 wrote to memory of 2096	5068	Qjoankoi.exe	88
PID 2096 wrote to memory of 2396	2096	Qgcbgo32.exe	89
PID 2096 wrote to memory of 2396	2096	Qgcbgo32.exe	89
PID 2096 wrote to memory of 2396	2096	Qgcbgo32.exe	89
PID 2396 wrote to memory of 4388	2396	Qffbbldm.exe	90
PID 2396 wrote to memory of 4388	2396	Qffbbldm.exe	90
PID 2396 wrote to memory of 4388	2396	Qffbbldm.exe	90
PID 4388 wrote to memory of 3948	4388	Ampkof32.exe	91
PID 4388 wrote to memory of 3948	4388	Ampkof32.exe	91
PID 4388 wrote to memory of 3948	4388	Ampkof32.exe	91
PID 3948 wrote to memory of 2984	3948	Ambgef32.exe	92
PID 3948 wrote to memory of 2984	3948	Ambgef32.exe	92
PID 3948 wrote to memory of 2984	3948	Ambgef32.exe	92
PID 2984 wrote to memory of 3080	2984	Agglboim.exe	93
PID 2984 wrote to memory of 3080	2984	Agglboim.exe	93
PID 2984 wrote to memory of 3080	2984	Agglboim.exe	93
PID 3080 wrote to memory of 3264	3080	Aeklkchg.exe	94
PID 3080 wrote to memory of 3264	3080	Aeklkchg.exe	94
PID 3080 wrote to memory of 3264	3080	Aeklkchg.exe	94
PID 3264 wrote to memory of 5072	3264	Ajhddjfn.exe	95
PID 3264 wrote to memory of 5072	3264	Ajhddjfn.exe	95
PID 3264 wrote to memory of 5072	3264	Ajhddjfn.exe	95
PID 5072 wrote to memory of 4872	5072	Amgapeea.exe	96
PID 5072 wrote to memory of 4872	5072	Amgapeea.exe	96
PID 5072 wrote to memory of 4872	5072	Amgapeea.exe	96
PID 4872 wrote to memory of 3568	4872	Bfabnjjp.exe	97
PID 4872 wrote to memory of 3568	4872	Bfabnjjp.exe	97
PID 4872 wrote to memory of 3568	4872	Bfabnjjp.exe	97
PID 3568 wrote to memory of 552	3568	Bnhjohkb.exe	98
PID 3568 wrote to memory of 552	3568	Bnhjohkb.exe	98
PID 3568 wrote to memory of 552	3568	Bnhjohkb.exe	98
PID 552 wrote to memory of 1392	552	Bagflcje.exe	99
PID 552 wrote to memory of 1392	552	Bagflcje.exe	99
PID 552 wrote to memory of 1392	552	Bagflcje.exe	99
PID 1392 wrote to memory of 4628	1392	Bcebhoii.exe	100
PID 1392 wrote to memory of 4628	1392	Bcebhoii.exe	100
PID 1392 wrote to memory of 4628	1392	Bcebhoii.exe	100
PID 4628 wrote to memory of 2132	4628	Bfdodjhm.exe	101
PID 4628 wrote to memory of 2132	4628	Bfdodjhm.exe	101
PID 4628 wrote to memory of 2132	4628	Bfdodjhm.exe	101
PID 2132 wrote to memory of 3548	2132	Bcjlcn32.exe	102
PID 2132 wrote to memory of 3548	2132	Bcjlcn32.exe	102
PID 2132 wrote to memory of 3548	2132	Bcjlcn32.exe	102
PID 3548 wrote to memory of 4676	3548	Bfhhoi32.exe	103
PID 3548 wrote to memory of 4676	3548	Bfhhoi32.exe	103
PID 3548 wrote to memory of 4676	3548	Bfhhoi32.exe	103
PID 4676 wrote to memory of 4504	4676	Banllbdn.exe	104
PID 4676 wrote to memory of 4504	4676	Banllbdn.exe	104
PID 4676 wrote to memory of 4504	4676	Banllbdn.exe	104
PID 4504 wrote to memory of 824	4504	Bfkedibe.exe	105
PID 4504 wrote to memory of 824	4504	Bfkedibe.exe	105
PID 4504 wrote to memory of 824	4504	Bfkedibe.exe	105
PID 824 wrote to memory of 4332	824	Bmemac32.exe	106
PID 824 wrote to memory of 4332	824	Bmemac32.exe	106
PID 824 wrote to memory of 4332	824	Bmemac32.exe	106
PID 4332 wrote to memory of 3108	4332	Cenahpha.exe	107

C:\Users\Admin\AppData\Local\Temp\7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe
"C:\Users\Admin\AppData\Local\Temp\7663473227db6af1570f001f87218f7eb7d99871d3a8c143a3aee0821333fa8dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\Qceiaa32.exe
  C:\Windows\system32\Qceiaa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\Qjoankoi.exe
    C:\Windows\system32\Qjoankoi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\Qgcbgo32.exe
      C:\Windows\system32\Qgcbgo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 396
        46⤵
        Program crash
        
        PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4220 -ip 4220
1⤵
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
479KB

MD5
607fec347c0ca986c8cfaa6c3b7b83b5

SHA1
9794d30a540220af4ac675c30ce92adff006370f

SHA256
65988fb0894ad0cfbaa6ba52969eca3f216b220197703b557cfe193236748063

SHA512
2095cbac3fa2c1fbba8c6930538f5d1b42e2fa838e809c700a79f07907947e1a6779926fc37c8d252474293b299c5222e25cc707a585f1e94e14ae3267dbf987

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
479KB

MD5
aa9f468ee28e65db03a0c3fb8c504679

SHA1
b7bc28784ff3f7f18f24ff2e795d9103513a933f

SHA256
b87931a6eac5c2628f19f519f426949e15c58ecc7d718e41967f3ba1a226af5b

SHA512
8f92294ef6b11665b5a12cabc6fd4c87c41759b5d8b4dec3dadfa6788c486ef9557b0e13f6154df0cdefa259ec925184c8973cbb41aa425b471d7b068cf1971e

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
479KB

MD5
32340904edfeb3a865626f486975a773

SHA1
818a971969d4b8e11a009f935f446d3cd4131048

SHA256
e372e083b3781bd4a61e534a15f9b550ae1bb1a4af26f40ad881e5f0b893273e

SHA512
2d5ab48588ab0c099aaab10c54159be319fff9b1039f3f6d0345b23dcae0352e50185d56e72d5f10a768156b4317613e4dfe072a8827c28713f68b84b3fa515c

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
479KB

MD5
9c9e0b0f0136e2cd9443021431fa02e3

SHA1
d38d8704e462341aa6eac065b6002583866d30ea

SHA256
64a92f18438004111c9e9a27e2487121daf4859b15ed3640652c0d281b19bc9d

SHA512
164a15b496cbbf76be2f11f58eec081d1af2e99c4ecf5140936fb1cecc168ba88c6e40740df3badb19cbe13614c46e97b92a1ca58f47e32c6335b12ece93d5df

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
479KB

MD5
6741df3756f64e923e2faf392bb6002c

SHA1
9b810ccd8fef70504424ebe804f52ccf2437ea52

SHA256
a4bc1fa6ad4871ea225fd8c69fce086958d8a26ab5c012d0eb5c7a6e7d1ada71

SHA512
d4c665cf566539cdbfed59e95bebd5ee59e2ce67011c24dd81e73331550f9bef1bcab970bedfe0ef545afa2f824e7cb0b302d3688089338dd76fbf717182a0ed

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
479KB

MD5
a22e95d0d8c49f64ef816df5fe31946e

SHA1
37ab1278cc54db97c4ab95251535268f012c34ee

SHA256
297b89ce6610884a95c3e199025776d36161897cb5e2bba242a0b28955b7aa8f

SHA512
4f93da214305b899ba988fd1dc5e9d026ee953a231642a86a6abba1e53bb617b1c3b2b332838b965e5c15cd149895279cbe74f2b404461410ab122d72a6328d1

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
479KB

MD5
e7615d58622e6a5f83e82176f3aa7b4e

SHA1
70fe9c994f9e707fd0bd1a0ed418dfed12d661c9

SHA256
c3a1eede707eb93f9e8b2c954757cf7532dd75cf8adce4996ac2b53dfd46e821

SHA512
915d4f2164eb2a334bdfc1a7b701e97570aa02f4f18ea73b3bde531ccb91e6ed1c8045d2e12d5fc3629a99a22e047d1f95cab18878f86d8b42134359dffb12b2

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
479KB

MD5
3aceee51f64477730d351046cda5b2ab

SHA1
ca2f0e647c3068c0e8b03fb4d2f94b297709495a

SHA256
5b008cf702662f39eaeb38c8c3feb87e2993dfe40aa7aeff1a41b63843877ee5

SHA512
0883f215ace9bb0e7b0d700182f75ab445e5d9da2b27ed103e84e707f9ff61de8a27c15ddfc28d4f5c0350b550be5c4c3e12383a2b94f1a9acf7263cc1e5ce0e

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
479KB

MD5
d08af1d33545ebc1f0a0855bd4860297

SHA1
9235b8db83b0172109b0caa07f9a1138e8aeedd9

SHA256
7724a20f90823b4a2e214241f41d7f5efd8e3239e46e4d1ae561db3771ff232e

SHA512
90687170ffd55877268902537813e562d3ddf8a6db5c9ec9f4cf723f9c25475070bbcc694a511eaf5af88c0e563e8471add897f53cc280d9965b6b972a012ef1

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
479KB

MD5
a435238e7561da1ed3e7dc346b9848dc

SHA1
f0f3bded1af273c205ccd9273fb9c99fe6fbac9a

SHA256
984767ac82eae5aaf6045578357b24df5bf1351cdb694818469e523bcb327e56

SHA512
e68fbfadbceb886e491536cdbd0a79a7ee1f1b3ea48b2ff9b0971a3d0bd3b82264efc82ca68626705f0543c7d6c57dadc98b23e335c94b01870b6fc9140a03a4

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
479KB

MD5
55fa0a82f0befea7174b4c6475762a69

SHA1
c65209de201f0088d6964b8506bdca8d35a83b39

SHA256
2a2ab713287a328a9bd268947ecea36e7f442866ed0f34a04cce9d15a4b11973

SHA512
ebc787b4495de88bb09bdd80e127e72d70520619ed4758177d1d5766573726e5c8ce2cb18eda37b784047a37c5788cc46e054a6c351ac946dab639824b7c7603

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
479KB

MD5
19a69425856c67a9919ce3a37e838a40

SHA1
ccd52d14a0315cd5b256132947d6de4e7325a6a2

SHA256
b1a75e075237a72a8965c2243714b4a6880f8b99e46e059b473929bbdcb22073

SHA512
a4e9e5601df1efe04de46f825dd606c27d45c927925290761e0e55f4e4ad18bd8557ef6ac56a54366fb75ee21d8fb3dba3591077197131c84433c196528462cd

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
479KB

MD5
d1492f0642bc64b1d06a9ba8d09ea8d5

SHA1
7f2f04069e3508a35dc0e01dbd1266f914c3e80b

SHA256
dad4ad08f2d55ea1573552ada63c371cf602d89545b89d53478b1fc9712cf7e5

SHA512
17926b51d998f62d7b1b69f0a09d9bd030dd634dfe9f038a13ee7bb05610f71dea8286e81acd03b08cdebf0fe9874a7617fa003995db0b3be0d1ea5df553ef0b

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
479KB

MD5
91bbcb5ccfb343b3a1bbd4f733b80e6a

SHA1
fe3e5310a328b1cd3a827b5c1f938e082455929d

SHA256
d78966da9fa4d82330b1280b4dd6636aa535571cb044d3e75b950359fb3619bd

SHA512
55aba6f5101e6f4376a681b297721a0a141ac9fb0f84dbc057d81a4b1e2db0a9d56a69e2c26666f1b806dc23292f530ef234e1bcac4a034b8c219d68f1b04103

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
479KB

MD5
f63d7bc1ddd1a4fc5f149345a34a7dd7

SHA1
6fd29e7ad517bd2ca0d361430745ef0a950d428c

SHA256
456c81089e032cb77f739751cae767992b2c24fb9c41b39df9f2c85e318d34b6

SHA512
8fe98e58c2672fc2af17972d7c6d0419cd56e18bdf75e2ba19be80fdb8e5a853ee1067af50138161cd3123ba32760e52cca208add70e5997dbe66b632e7a7be3

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
479KB

MD5
3db6e8b3fbad2be605c85a033b576423

SHA1
b7a77c23c17e2111342b64591d28c71ffda62cef

SHA256
a2b28f9c802f58d9a46bc9859122e9a8914718b07cf06495f02a958f3dcff266

SHA512
d535ada08fb75972338b12192cdc2002ed55d9b91c86c3c43c7d71e848269b2725dcbd8a8970eb8a611c4cc283a9bd410ca41029905881dd8a116fbaa5fd28b4

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
479KB

MD5
d959a8e4ee5b92ecccd01eba8812148a

SHA1
c23910b62d0b6b2297ae72144e3137c113e60831

SHA256
2a5e96b3849a946700c7bf65b6654af45af701f72267573c174ec16e975f1c11

SHA512
e123f606b59a58bcdf6f5b4732d1c40fe54b55c051eb0779f649a71d9cef417507b0be0f9299d4910080d046af92b221c273cfea06870aef0d4c006879fc9d49

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
479KB

MD5
96f4cae858910205a5aeb48a2b66968d

SHA1
552c5272f88b9f58a95f1468930749272f5297f6

SHA256
0785a7b11f737aa525d0acc7a0057b761689ded3e2a8280dbcc514a54fc50791

SHA512
e6946f87a0b1aa2784ccbdb3c7a0f071c7b9f55e44f0aa1c76d5c80a35bc048945828f4326a9ad2b9efc088413e39f00804825c9233af5e53f825e051687dc3a

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
479KB

MD5
21cf1fd9c2ba02402f59cfe25d8bdd37

SHA1
83dd17495380d4bc2c87bf414b74b26bcc87f5e6

SHA256
e6ae169e1181dc99dd92a46332359f40f80f4fdb22300c77c079380a86314bc9

SHA512
96237a538b4c87fcdebf52de441d5608faf8d4ac4c984e823c4ed6035c6fff5949d1b56fd1ec728d5f950c62963a04ee4933d978b6ec36496b1bab40969fa999

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
479KB

MD5
b15aae0122e5aa77e1b758fb0f36e6bc

SHA1
43f76d415d6f48744dcc0b79ab15064d59971845

SHA256
85168d82ec7b12d9b782b95a55c808d4967b5d6ab3b6dc92e318ec624ecaa0aa

SHA512
ee578d4074df02c9461692adb13d6b716601a70c302f2d15216ef9baa7f8bace548857e90f34ab50b58cc0bc0503356d76eab2f2b086235baca3f1c199599d51

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
479KB

MD5
a3b6cb8e09d0b0033b4ce1340b2a1b2d

SHA1
e2aa9a00e33d4b2937da4d7b59fb178fb8f66cf8

SHA256
3ace70a54e1b39e79c7651c4d4ef881119a854c89a1f475e2fcefdd1c3a734a8

SHA512
22bf922e5f2a1c6fdbc84adbcb1174f0b4d8b09cdeb959753218b2d50ef99ca19ccc8508daecd82779d45fcb314f015eb40507d96948bd6e546bd08095fe9df2

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
479KB

MD5
7aa1f93cf10c9ac648de700b126d7b6f

SHA1
5639c5a2bb49c5a1d515ad71d8714c1dbf136109

SHA256
106349a73f15d9b5793f9d4883c39107e9a545438af015ae28ac5562b80c2daa

SHA512
d40756761326e27bd091c4085f60d7edf173b8ca04c41d78f6b874bbb763dc6fe4271a1fe2e0dc3a56520aaf74d46bfac2e064ad9293c633927a2488d3e8ec74

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
479KB

MD5
e637753f61f0dcd45384172957a4071c

SHA1
e7840d7d62ce9c828a92b0526d9aa0949a0a9491

SHA256
eb98072d12631302f74ac339a9bd668f67fc4ad06d867ebcb52d352c6b0dbfeb

SHA512
fd4f8ffc52b1808b19c86bd617f643b505eb672c68e531fb1192d314f0bd14e16b8db8ff0fdb0dd8f4d6e7de603b6bb874a3b7994155ede366025fdc8e60c80d

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
479KB

MD5
239cb240e32d7d415206e16beb3d314f

SHA1
7c9dfd65ebcded345f31fc67d892c9e6948a9602

SHA256
02e30d47f97bd3eec80f3a42d75cea7aff14dbd28c8c367aadd4069ff1ca5619

SHA512
1b42d419307c2a2082faf974faa8227029921da53a47ec6c68b9599e3ce9b75e2c14cd2ac169911e6f886b800ce669bb12ddf430d29eae9c2c18c5b0c31c065c

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
479KB

MD5
073aa088e7038dd7c503f2bfe8206e23

SHA1
6cd04dedc8a82037fb585130037ad91bec3b4955

SHA256
ae717172e8742e450214320c1299a71dc0ac9aa0df0a9dbb2a8530f60f283f0f

SHA512
41624fa0b88b9cd93274c133de551302167c235180d1b51d6ef74d1c0459bff0168f0a8be5410530f104a998c89a5e358ffa63f22c558bb08d33e87cae6babd1

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
479KB

MD5
fa1803573630a63584fb6a8586e23b36

SHA1
b1f045ab17a34441b6ebf63f94ee96b57cb57df0

SHA256
10ed3f9074faec73834b55707c3f5847869553a122cf9db58699353aec188333

SHA512
b23a37db64bf03095977abebe77b9012f86b993955b95d8cf8b4e1585e51d03d391547de850bc3355cbedf31f5b3c9aab2cfcbc50633b1cb7c2b9f853fe8aed8

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
479KB

MD5
7566ed599e7aec69572ea667d2a40cd2

SHA1
a5ba91ac6fe3eade0dd43120fd967508d77f6c55

SHA256
307daefe124752967eb9646a709d52c04b3a7cda8cbea8859bd8fdf4052e1167

SHA512
5f82cd6f3a9920d73d1fa2c2b8feeecf0cb5b803fc69f0644a58b80f1498a62c664d38013e682c755ff4478ad4b683a58192770d34b3c9a08417c3f7f7feae8e

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
479KB

MD5
0a476da26805a260523b6c425a441246

SHA1
ca4577c0e3265685d6abe8bd678f2d72c36bd6c6

SHA256
97c00bb77637fc036402b8c5333c297a5acc349933d05026b73242412dc0706f

SHA512
f6c17032801b6d48cb06e5f245e9a9bbaace0b5941b042e05aef22743828473204c20ff01998b7eb5284f334663369d9bdcbe0c7700bc7f5f18d3ca7b531ecb7

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
479KB

MD5
38b25d18e23cb9656b393c078954e10d

SHA1
e68ada95055d0249fc9251084f1437fb035d6525

SHA256
10212d077cae8aa02a7a41b0d664ee28c660b2a93a091a096ff58089df5f8d80

SHA512
059cd3bff5d43a565ab27fb9606ed46fc63b08981f1b083a271b33d13e51bd471c48125f35967ee0beaa8500e971176f1783f100710b66335604ccc1f4fd8f48

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
479KB

MD5
078f5adc91a26da415e3e672734d2ac9

SHA1
3bf7363706eda85f69b5788fa2a0b31476bdff99

SHA256
7556146de0780feea5fc3b12997ef3204dba94f3e6683fcbb08c36be2bd41ceb

SHA512
9fdb647352eaa3b8890a7cd6f26ac96952a82341527d648429c46864a68e6607fc3f38f9dff8d3a65a9073c4e793daf95893d40a7d21dd6c246323f7e7b8720e

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
479KB

MD5
2c9793ee67fdadeea096cafe3931c5ba

SHA1
8dd2ae0d099529c54687d1d05092ff2ec44b0730

SHA256
5f4252e2361fa21e6c374ea1233e9f6ba0d7b34055d741634b7600d5e3f773e8

SHA512
4a4940a1c1d8c9cf4027dd8b7f1cc11162369e57f23cbea4dda342f9705e4cdc0a79fbd85f203f8954151105e90787c40b2a7ae412881a9640f8172d21a8d08e

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
479KB

MD5
b8b8345125357386b66c79308f437423

SHA1
26c990e21d7c3143c4285a47726b81ba5550610c

SHA256
0961aa8e754bb7d43294731fe51887dce6d6aa85895dc0880305f601d45fb356

SHA512
8f216b68fc313065c2b1b6fa19928ee446ad820753307a07b1a1a9cf61a59b7a5484443fd4896705283ca1b611f091876c9e3189eb4d5bfbb872fb856483e0e9

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
479KB

MD5
a707b472e0a3df0f9aceabcd804acb54

SHA1
58400ea129e58d7d6e52c363d8ba833b42b64818

SHA256
72dafa4df03de48973f2de71f174d046fd0931586de0d93b93be30056c8df9b4

SHA512
089e33d7d5c8c3862bd4a80ac29df06f92324ea2b06da321fe37ebe9c1dd05864b7ad7ca001ef74deccef29af98c745613180a7dd30f2f9a6da51674b230a9bf

Download Submit
memory/336-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1416-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads