berbew | e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe
Size

45KB
MD5

81efcc4395b0ca22b38040cf2c959699
SHA1

bb7d320a389bdba0854f13441e84adebcf1016c4
SHA256

e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef
SHA512

d2971c4696d4cc55487734aa5cd49c224c569425d6bb1b17fc3b91944313e1c441d8ce8d016c3d769688e854c5f4949769f622be040e4142c7472459c671156d
SSDEEP

768:tbTGC3MxFpji/RWHpyekciD8di4H0J/1H5wL:EC87Ww2b8dPH0DSL

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3552	Qffbbldm.exe
2432	Anmjcieo.exe
3164	Ampkof32.exe
2960	Aqkgpedc.exe
4272	Acjclpcf.exe
4684	Ageolo32.exe
4556	Ajckij32.exe
2012	Ambgef32.exe
2328	Aeiofcji.exe
232	Aclpap32.exe
1040	Agglboim.exe
2016	Ajfhnjhq.exe
3124	Amddjegd.exe
3432	Acnlgp32.exe
1536	Agjhgngj.exe
2920	Ajhddjfn.exe
1716	Amgapeea.exe
1940	Aeniabfd.exe
2076	Afoeiklb.exe
2144	Anfmjhmd.exe
3344	Aminee32.exe
2404	Aepefb32.exe
2972	Accfbokl.exe
1472	Bfabnjjp.exe
3060	Bnhjohkb.exe
4316	Bagflcje.exe
512	Bcebhoii.exe
4468	Bfdodjhm.exe
4388	Bmngqdpj.exe
2748	Beeoaapl.exe
1272	Bchomn32.exe
1692	Bgcknmop.exe
4144	Bjagjhnc.exe
116	Bnmcjg32.exe
4960	Bmpcfdmg.exe
2428	Balpgb32.exe
5068	Bcjlcn32.exe
3364	Bgehcmmm.exe
1340	Bjddphlq.exe
3680	Bnpppgdj.exe
652	Banllbdn.exe
1720	Beihma32.exe
4904	Bclhhnca.exe
832	Bhhdil32.exe
1508	Bfkedibe.exe
3456	Bnbmefbg.exe
5112	Bmemac32.exe
4768	Bapiabak.exe
3648	Belebq32.exe
516	Chjaol32.exe
4368	Cjinkg32.exe
5116	Cndikf32.exe
4372	Cmgjgcgo.exe
1372	Cenahpha.exe
3212	Cdabcm32.exe
4584	Cjkjpgfi.exe
1328	Cmiflbel.exe
836	Ceqnmpfo.exe
4140	Cdcoim32.exe
3220	Chokikeb.exe
4636	Cjmgfgdf.exe
1008	Cnicfe32.exe
532	Cagobalc.exe
1836	Ceckcp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5480	5392	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 3552	4664	e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe	85
PID 4664 wrote to memory of 3552	4664	e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe	85
PID 4664 wrote to memory of 3552	4664	e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe	85
PID 3552 wrote to memory of 2432	3552	Qffbbldm.exe	86
PID 3552 wrote to memory of 2432	3552	Qffbbldm.exe	86
PID 3552 wrote to memory of 2432	3552	Qffbbldm.exe	86
PID 2432 wrote to memory of 3164	2432	Anmjcieo.exe	87
PID 2432 wrote to memory of 3164	2432	Anmjcieo.exe	87
PID 2432 wrote to memory of 3164	2432	Anmjcieo.exe	87
PID 3164 wrote to memory of 2960	3164	Ampkof32.exe	88
PID 3164 wrote to memory of 2960	3164	Ampkof32.exe	88
PID 3164 wrote to memory of 2960	3164	Ampkof32.exe	88
PID 2960 wrote to memory of 4272	2960	Aqkgpedc.exe	90
PID 2960 wrote to memory of 4272	2960	Aqkgpedc.exe	90
PID 2960 wrote to memory of 4272	2960	Aqkgpedc.exe	90
PID 4272 wrote to memory of 4684	4272	Acjclpcf.exe	91
PID 4272 wrote to memory of 4684	4272	Acjclpcf.exe	91
PID 4272 wrote to memory of 4684	4272	Acjclpcf.exe	91
PID 4684 wrote to memory of 4556	4684	Ageolo32.exe	92
PID 4684 wrote to memory of 4556	4684	Ageolo32.exe	92
PID 4684 wrote to memory of 4556	4684	Ageolo32.exe	92
PID 4556 wrote to memory of 2012	4556	Ajckij32.exe	93
PID 4556 wrote to memory of 2012	4556	Ajckij32.exe	93
PID 4556 wrote to memory of 2012	4556	Ajckij32.exe	93
PID 2012 wrote to memory of 2328	2012	Ambgef32.exe	94
PID 2012 wrote to memory of 2328	2012	Ambgef32.exe	94
PID 2012 wrote to memory of 2328	2012	Ambgef32.exe	94
PID 2328 wrote to memory of 232	2328	Aeiofcji.exe	95
PID 2328 wrote to memory of 232	2328	Aeiofcji.exe	95
PID 2328 wrote to memory of 232	2328	Aeiofcji.exe	95
PID 232 wrote to memory of 1040	232	Aclpap32.exe	96
PID 232 wrote to memory of 1040	232	Aclpap32.exe	96
PID 232 wrote to memory of 1040	232	Aclpap32.exe	96
PID 1040 wrote to memory of 2016	1040	Agglboim.exe	97
PID 1040 wrote to memory of 2016	1040	Agglboim.exe	97
PID 1040 wrote to memory of 2016	1040	Agglboim.exe	97
PID 2016 wrote to memory of 3124	2016	Ajfhnjhq.exe	98
PID 2016 wrote to memory of 3124	2016	Ajfhnjhq.exe	98
PID 2016 wrote to memory of 3124	2016	Ajfhnjhq.exe	98
PID 3124 wrote to memory of 3432	3124	Amddjegd.exe	99
PID 3124 wrote to memory of 3432	3124	Amddjegd.exe	99
PID 3124 wrote to memory of 3432	3124	Amddjegd.exe	99
PID 3432 wrote to memory of 1536	3432	Acnlgp32.exe	100
PID 3432 wrote to memory of 1536	3432	Acnlgp32.exe	100
PID 3432 wrote to memory of 1536	3432	Acnlgp32.exe	100
PID 1536 wrote to memory of 2920	1536	Agjhgngj.exe	101
PID 1536 wrote to memory of 2920	1536	Agjhgngj.exe	101
PID 1536 wrote to memory of 2920	1536	Agjhgngj.exe	101
PID 2920 wrote to memory of 1716	2920	Ajhddjfn.exe	102
PID 2920 wrote to memory of 1716	2920	Ajhddjfn.exe	102
PID 2920 wrote to memory of 1716	2920	Ajhddjfn.exe	102
PID 1716 wrote to memory of 1940	1716	Amgapeea.exe	103
PID 1716 wrote to memory of 1940	1716	Amgapeea.exe	103
PID 1716 wrote to memory of 1940	1716	Amgapeea.exe	103
PID 1940 wrote to memory of 2076	1940	Aeniabfd.exe	104
PID 1940 wrote to memory of 2076	1940	Aeniabfd.exe	104
PID 1940 wrote to memory of 2076	1940	Aeniabfd.exe	104
PID 2076 wrote to memory of 2144	2076	Afoeiklb.exe	105
PID 2076 wrote to memory of 2144	2076	Afoeiklb.exe	105
PID 2076 wrote to memory of 2144	2076	Afoeiklb.exe	105
PID 2144 wrote to memory of 3344	2144	Anfmjhmd.exe	106
PID 2144 wrote to memory of 3344	2144	Anfmjhmd.exe	106
PID 2144 wrote to memory of 3344	2144	Anfmjhmd.exe	106
PID 3344 wrote to memory of 2404	3344	Aminee32.exe	107

C:\Users\Admin\AppData\Local\Temp\e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe
"C:\Users\Admin\AppData\Local\Temp\e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\Qffbbldm.exe
  C:\Windows\system32\Qffbbldm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\Anmjcieo.exe
    C:\Windows\system32\Anmjcieo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\Ampkof32.exe
      C:\Windows\system32\Ampkof32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        26⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        37⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 404
        96⤵
        Program crash
        
        PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5392 -ip 5392
1⤵
PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
45KB

MD5
29257d4e60a2598b75a095b002246c19

SHA1
3b29a0e978cd7ed5af263c52aedfdbdd0807ccec

SHA256
cc82bea89f1e290d119418305d4088602636508476022948d349f1d2480b67c7

SHA512
7a105bdfbd97971d3280870e2bf8521d8fb865f5de329434232e1ad51888491bcbf35bfac2db0fd16419a1f3bd71b9c9320dcfd64fc092a9ed3be6e67927be6c

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
45KB

MD5
2abadcb83ecfd31593674714768a962d

SHA1
3686e2fd0281cc0e063ca9f6a96288da827a5361

SHA256
0b2c58b4ee45c66849079af0d40cd24472c0f972a6db023cf0eed9d64e0609c5

SHA512
f70778507708f03f9f3c26a5b39f7d2717202158473f217a957632f0fec0b1a79afc566da4f475e4549dfd2bfdb206862d6f1bd0cfeb649ea43bf6f884dfef3e

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
45KB

MD5
c71bdbb3a9c22f4da3bf763ebaa6b992

SHA1
d53348f2f392e7b3e2746a44e663563b810966b1

SHA256
5332db926f5c07f7ebe3da54ca541e0b2e529e9a13f45b0d74eb03e3b515c1e6

SHA512
5770af3f2c8709df175f58de8cbc206bf4ccede8f0897a9a9613b5cf05062a3350c0a31eef912954e11ed0dc8ce33000d111e7f19d03a1b293012a201f47c65c

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
45KB

MD5
cf710c8c1a27f0f0038d457d5692bb08

SHA1
150a7fde1b3c9db101ff362f2764bbcdba5bb12b

SHA256
c73ecec82b48bddaf255d86d798f1a53bfca708aa1c1f9281e2db78837f4bb7a

SHA512
859c9a8b228d491ad3dc3a9226a8cd3eddff113de0a40adef6a1ee6d0bf4923dc6802a90ada9b0981f4618124822a3ddd049ac336c7ec01a198df5a9972b462c

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
45KB

MD5
7a7c487f74942b86b9109774b2acd45d

SHA1
c4900e792b9cce92e00d243daa7c9daad09f9047

SHA256
269782199613313892ecbe56437a744059a71df12872e8903b8ded6091b12553

SHA512
5318c9197adc4134f36de8d7d76e310e7b2de98f00689a65cb7d707aa70ce531f64fc0ae9b5e1bb5f3c169614f7482ec4349d8e2e2ec37f153f05fb01cd51873

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
45KB

MD5
fd419fc29130140324ad9918fce5e272

SHA1
9cfe8f29fef640c071814f7ce0db95427eed7fd7

SHA256
86a00775479e91979827c96d4699176ec65d61e4f7d6fbf72f3e3bdc05e7355f

SHA512
88e7061ba07ae25d02e2437b5e4cbb50e847af3d2bd648aaaace2cd5c52ca8be89128a4aa4902259218ed88a49fcfd30a7271a2587dd0465666a77468ab265ec

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
45KB

MD5
00019b105fc63eabd67dd4df2c26a4ce

SHA1
caf7e7d6e7c5cd8e6355c024ba7436f7516349a2

SHA256
ad1b2efdcc8deb80a36376f3ec4791edb09be11116108c8cf47d00cd617c795e

SHA512
52daca2fa870bcdbb3e57556f0349eb726a65490ee2c0f2356931d4d824f170bf44b3cd4f6f7bcd7fc5eee163fcec1c300b786662867f16429d7ea0d64121fff

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
45KB

MD5
da92ee7dd4898b4642b8f78427581619

SHA1
31888121f77f81ec632bade08c409f3d6b0ef429

SHA256
de6f7ab38a4b6beb1863f0f7e0ef7b51adbe4c07f5a1b4cfcd7935c0e16fe2e1

SHA512
41b225efe867014efae6bc8db25b4be36c09be13f83e4e644c2b2191f978d76efe7aa73459299936fb57e94d4fd90b22f731c3c099fb5aafd98b3fbbe517a2ce

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
45KB

MD5
bb734382c83be4253343f4125b06a622

SHA1
1661636b1352ec2d11aaf44dfb47ef03ad46f0f6

SHA256
1996e818b91664235c03d23fb6ccf8c6d2f926fde9b2685ee2403be6d1948428

SHA512
cfb69f69e404ed592836b698044b0694439707f771071a4a142f2045a3afb633fe605fdf5345a300e54515ece90cbc4bb03eeab84e394b797651f517aa13ef84

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
45KB

MD5
f37d3e542bcda38cf6092440a4f3940a

SHA1
3651b3d8a8d72935279ec09fa8da6b48a682e45b

SHA256
fe8adf4f52c69dbbda4b1956598d530800323ec61b88558163b483cd054cae88

SHA512
7a0b3d2cb8c71bdd06088120d1646055ff432aa845b9d2c3b95889db83a99bee3e0dcf94226c2afc0277b2c3922931a4cf9db4aeb6f2451faf4b061cd21c151e

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
45KB

MD5
7dbfc7a5544f90d9f848aac1b9bb218b

SHA1
e20b26936c3f9c917608103fe6cf896ce60654ed

SHA256
69414180f6ddc48226527906320f25991d4e086feb0b21f0801442416ad92e78

SHA512
a8d8aa3003bbc75a439d131b73da0f8046e4db3e50f897930c40d207532f2614c21dce95a8eb5f2a9b80c4cd765b7f9c1994aa4e955511da448ed5dd67b8a3be

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
45KB

MD5
5fd909eb0946b7c08469827e5d5fd3fd

SHA1
b1748fe2e9d751a9e5fd539d6f75956c2032d461

SHA256
213cfc0a5784d86c8be4ca2c8e42fcbe54204878c2fffc5aab97bdf08922d599

SHA512
d6d8e1586a1eafdf2f10e25e4e9a839d48af09345a7e018f1cfa160f91c24e4da46c3b268eb4c61c875261d09789577a649828f6f956b72927110835fdd63853

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
45KB

MD5
9b2924d20b2f9a702eb290114425e827

SHA1
7a1f62130941ce87598c8bff89b03452dac2f876

SHA256
37dfc8e725eb3892e03aa6ebf0cf312fcd4317a9dff0dae3035cbe1f1da13622

SHA512
e712a69e43342ed41c1174bd8e716c886137e521e5d4e24d861e36d604395dc1de8695ed28a9c0cc763a047e26538147abbd515e8de2fcd5edf920b8c4ee536c

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
45KB

MD5
023c5c5af2b185a126e9c97900776b0c

SHA1
d798a43fb51fd0b40c8281271a10731853e6251f

SHA256
287a542fbfe292eece076cc544e0d2256a9f718984f22338446a00f456964c03

SHA512
79988a5f7e37957d22acaaa0db2a9b7916892570741c96a86fa005175c6f1fe2367e754012392ae90553e2da1237bf2220ba02c7b2244ef3e184726878e97e3e

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
45KB

MD5
1396a4096197b63295e9f5552e0d4807

SHA1
111bbec8b26244ae892ba4787bf01480b04bb32a

SHA256
4720b322247d0afb8b30fcec067c80900b811a702f44990c98f0697324d5b4a2

SHA512
cce2022f12e79138254ba90e3016cedcb7c41af7bf9c78e89dab6c2cafa9ea5d8e7bb88f42071a484dc06d03ac73f2b77b11bbd9f2890b64b3a159b03787f65a

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
45KB

MD5
990231bba730ca9789b9dddb768bedfc

SHA1
bfad542542c23c1cef2c01f57345a77d9f0fe88b

SHA256
168a319f0effb4240d4be0511e2d272b6d7ee3c18a5267020e3b44a183c8cc95

SHA512
d7879d85a08b1c819c0dc11159f6d5d27c08542818931bae951587810d82883e2d22919ed968413f4737d9bc29031aab33d4ae54b97fcb97e85a4d1186a445ef

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
45KB

MD5
cf6678c6d29de701a328c164553794b1

SHA1
feaed13b5dd8f4f786e8ac3cac46c6b4d2325c0e

SHA256
447c702007690630fe55e972c7d18e2146644bc0d9c4c945424365d3dce83d47

SHA512
1eed20b48d045f8daeeff0d7d8bac8c44e0714650156c24cb8e30d7178386c0a2703a8ffa68e696da6ffddd8ee6b7c7c8d41920f491973e2f05d4d1693a6eb3e

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
45KB

MD5
84545e4a64250803aa529fba0c9877c0

SHA1
8fdcb0b30af722404c194fb86fd3fdef810b845d

SHA256
f0dd4ba810966c73a337ec01c5a64eaedb837f5fc1f49d01fb05af50ea92a228

SHA512
5b4b9311cc7eb6cd1b9707944b5b316655a1a8fff9bcd43a8fa28697d18dd7e00a80d184505f58efb5bad5ba1c2be6c49d5757a370871e2c313f710091e8c2f9

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
45KB

MD5
b84afd641413e2d92cee7e604b7b2216

SHA1
7d7144c3e864af4cad3b5b44888ebdd3e610f5bf

SHA256
6e8044398d55ff0e1a2772bc5348fbf7cbcbd0586fb1f7d18d1c54390ddcfbd9

SHA512
1b1f736f8a220bb1b77b156126447608b2154b242bf192db27d33ff323c0a03fbaed64be069f83184312a02fdae8e0973c48754f6be5c3b687cb22a38e6647bf

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
45KB

MD5
68d2c1a8c99988daac3413ad9b919020

SHA1
541f6d6a1292f35e40e8523c50596012a03fd10e

SHA256
7e5bfefa8e0ad96221422333bd0cb07470ab3db4d336762a96a23893ede2529a

SHA512
0eb8c66b2488d8898940facd09597c74610cb943994d71a7e8b1fb5925ab385acf43d48aee8917d893ee1499dd66a67d6d5a3f20bd1dd1d8654fb7f4ab2d6a3f

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
45KB

MD5
e107ce4661c6227ea6cd3e18cc89d042

SHA1
19a61a89522a9118199b6137765c7e44662acba6

SHA256
1cd8d4cb45afcf74ebf31147db522fa0c267cc6006e718bdd2a1acecbe5d1164

SHA512
d2cbe8e8a6af4ac5b595e2ae2c263f068086b68416f32ca96f03aec9e48025d9f46ecd92d3c2edfc11bd0a37dc7a4a38378d2900246489d40cc1e2b0136331a4

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
45KB

MD5
2d4d806c9e69e18abbece726b2b8494e

SHA1
387dcaf44625e73c0dd2577b37925fc86a923474

SHA256
f01554235b800018cd1f195cc44510201fe4dbf21310e6d3383a67d71386ee1c

SHA512
318e7f28653a2f0d3d5c549ae74fee4875e5d48061da724ffa3a142bb45a7a3c2d5b9a943121563599472eb201901598416d641174b7d94b2f4f8842dc7a067a

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
45KB

MD5
db94cbb60b16af0feb93acfd7a664d1c

SHA1
0e2b19b5a9392db0a8b459bfabe86a2715c6c2ad

SHA256
dcb7b09a2446892d80337622a545f388e593100a8cae4b00406d27e377dd45eb

SHA512
1e66f93077dfb52e9c2cd4568ce0e32cb3877cb13379851904ae6ee0bc3373d98ec605f12dea6a9549b80dc0559a80e802f3b71d64521432e258c867c90ea32f

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
45KB

MD5
e1766de5fc7a946bdb62a49e0202e8e5

SHA1
acf23b7f9af37cbaf360db061ed70ff7d1756533

SHA256
536bcdc4fa1f94867a1e88e006b340ae9b7d0230596e32eb1d40af183f0955d4

SHA512
dac2f084f8ea314f82a0ebf3af5cc51a525abf0dbc4a8a4deba850620a8fc0eeab74b59d1b63c99c51f1095f7f78ec4ce49ca2ce09190f332497cecb8b355abf

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
45KB

MD5
cecd067c8266bd89f100afdcd8a4087f

SHA1
abfcdd09e82f561474bf3d1da7080d27ec2addef

SHA256
9c69436fdd40170041c57eca6a06aaa82f22a95afaea4dac18f4f5657f31d847

SHA512
07dc97ff3ed8c2317ba642d4c944eed9dbd558504d8cdc57e18ad390b33c7e3d67205fab6645d9eb91f0b7efb9e4882d6de6133045fb6560a6ff3aebe1e36660

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
45KB

MD5
01c6a353d834541b686f61505aaeea3f

SHA1
5c09237454628c923ee19539f963caa54b3efc1b

SHA256
6532813957d0cf36f4a09729e162064f841261910a78e72babf49fec15130108

SHA512
206b6a5f9ac7404b0e583e1fed6d716d61c204f576af42aaef2c7eef69ac69fecf8929798df9615043a8165013b721b9dfbc545f42dbd1f7bf9fb885315c9636

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
45KB

MD5
56e33cfcfdc8d775abe6636f69981d55

SHA1
86aa2baa3c81bfad7074b847cba2cfa4da17c07f

SHA256
36989251ee51931eb54256e14151ec0454a93f96940af583a4f3c6db7da7d896

SHA512
b72b4558d4f6f876a65e638a6162714751008138286325974c3c19cd98b56a48e8c8883578eb04f8f7c551da8bc82dec94d1b165414c9bdab33ff1822751d1ef

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
45KB

MD5
9a3ff05785509c9a7174520608d10d5d

SHA1
48c1b2e62aedc8c1fe2f79b0b4bf17530067c1b1

SHA256
59e15e28e4a77ca49f3761049a0747e78955397db8a7a558f0dd380d1a540c48

SHA512
b368fae5e7a83fc8275100747acb03c3ab5811839a793b66c02b24e322c9086f584ac4d44630ac67a99298d1b29f767d536e85224bba55a6650b2d03b3ae23e1

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
45KB

MD5
0ae5c07cdf51939dfa0e24c82b189b08

SHA1
551fe3fdf612ceb66593ea094b093632e171d557

SHA256
6bea9cbffc07237b0fd9b1155d0c9b8b46503aee8edc496cfc8cea2db242dcca

SHA512
188d3bb9306f6a36610472e817b74d7616675bd9f4b4292c8cb443ca86e21e3656d3d687339f7d078f8816d0af62376892c44642b972bdebef34045196545043

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
45KB

MD5
664fa3d859f92c73fcb9a0c4f358d8df

SHA1
a8f3c8d5924984b0123dd92c828f991da0eba615

SHA256
a8a6e02a285f15441a0168281d6804fa2bae626ef05afda3117ff304effa2d15

SHA512
b7f9936216366e5025562905cb90e7d1cb43d60d460903a13a435523b16fb63215368d8439fec3b76437afe7c6072d93636363de80478fda8d3d6af1714e45b4

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
45KB

MD5
cc876b0d1df50844d5b18e7353f58456

SHA1
e809af2a74a1ccaae156e39b937d89a856a6bbea

SHA256
ae0938c6e45d4dacb098dd54d4de7e68a6901511c5e95cdb6073f45e93b6abf0

SHA512
b54b43bcef55ba926ccc526e540d049e0c967aa325fbdda7429b23b6d801a7f706e41f42d16fa85858a845f856b024fe073d1c8cede5bd5369cb508b19c4dc4a

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
45KB

MD5
42cefdc21d69b1fb15fb351d26d95bfe

SHA1
95ede840a407ca0f1f35e5f29679584a83554ba4

SHA256
603a7603a2d1d98e35a9f2c4662508169048640389bc9e7df7dc271bb827468c

SHA512
b59db624fd6a0e39f6b2604943d9f4c53f96ff593da7d17517ad34cf8c234c7ee23943193115812e069c9ccab43a3ce6ee04b5bd69f9575442d6ed05289e207a

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
45KB

MD5
68dc195e147aa0aafc01153a078c5001

SHA1
6396addd8395922c444c7518efa3c8c581cca3d9

SHA256
1eac6d8d019de49f1b54c2f3a75a28f9550b951fe1b355b83625446e1892b503

SHA512
afbb21cbf7a951c9d0dd370927256114d8f5bd73c78d156adcbc6ad5f22269363a1b1e31b1474fb3823064291b756c66d9f79a1b972dce591f644d7378b1ef6c

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
45KB

MD5
b00ffd52fd8c9e22c23aa1cd6a3470c0

SHA1
5a8c865308b0f836a03cee456961e959392f173b

SHA256
406723dc6b17496dea061bf23d5f865008c946a57e822a66840fddae34b0085c

SHA512
7a4e7644e875d77ddd36361f12b9359cab2388f45e6e7916a79a0c4c2ef8b0a3a63374ca63303b0aa31c803546c94569023eaac75ba98b22b5f9f7e1d688f7e3

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
45KB

MD5
1e5930317ff0870a9f70b28769829d30

SHA1
4250ef2f71f748921aae18a0e6cc6b2c2976c4a9

SHA256
8ce384561e80bc7c43348f8cf5be49374dcf2fb49d56d235068ad2a6f313e15e

SHA512
cd628e49e8eebafffafb4b56ad7983d176631702ed9248d4c36d8bc6714c29eb40ce4cd6eef97cf25e86b71ac17a6599a00fe881b0063ac1c2bf35f1ac72ab40

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
45KB

MD5
6444e79685c280c7101006caa278f571

SHA1
c9e68388bfdc09391acbbfec18f59fb25f5c08f3

SHA256
1c3417ab9c796cf35e6b5e926ea6e36785080371d3d1ab97b22543f88bf0a6b6

SHA512
5d73c1ba38662c7e3768126fd2b2b90f47b917bd6b34867c4f7a90430a5bcc707ab4a33e66615f059f663fd1b591dfeeec1fdf3fca156aead0f38ab9370980df

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
45KB

MD5
00fe210139d9b22bf307860802f39441

SHA1
05eded77aee68371c53f1c5737ec2c7522caaf81

SHA256
9b2aa9ced20d66c71afd01d4ddb9436e2f76f1e8000e33d98e54936dfaf70c62

SHA512
3384814aa1fb28f73de692838701b421224f9e3dc64c09ae749fd0be40324cfe84c3a689c87a73ac4861ac02c5bdf6c84ef974511a56b411fef62b844ffaac6a

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
45KB

MD5
b4fdc7a206702ea297b3b659ba553ccd

SHA1
af9a14690a9b47d6cb06f34ad9c28ff7d339b26a

SHA256
acf2927d91c36af81d7289180fb1d5beb636073bc00456e3e00775693b015c14

SHA512
d0260cc3f8fcdc9e0e7d1553d2d65378ba395db92b292f2261b5d4ce35aa8a2757d3420274bd157ba484c93a80913f5041db0422b5e77736e6bc6948072d2d7d

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
45KB

MD5
ef65db748ec470b63af65b467f3e605c

SHA1
a9918cd5186d5173499da8caca46a92d31baad9c

SHA256
0a917a4d12fb65f483aa3665bceac778bbcf17ea101568bcac288f56c0489f1d

SHA512
69717b0e9527d70fdaa6d58686e37974dd824f1a11b781f3f6803af41bba0c476b36e529fb2b4133db56aa5a105a22b60d109791d0ecc2743466f502f9ed9568

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
45KB

MD5
d4261f4dc542d579cfd8d96fd6be8dac

SHA1
5687f3fd855f1323b60207b0f5b143a04323a257

SHA256
c8b4f14ba33afd8782e3dd433ab23e84025e30e1c4a2f701a9db7b3332fd55ad

SHA512
8daf40a3a7fd405a0ffe3851e6e3d961aff3b9db7ed35ddcc1d29788907be648127b6a48233f4b98e5b7c1ddbef44e9e59b79216429772013be56a1658cb0cbe

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
45KB

MD5
84f5c6e339a238022e91553b11c95d04

SHA1
8a633fe95a227febc688fb4603540676d7a65a59

SHA256
c5e31412b46636623510d23bae93077390d75f8a6a9ff6f91168a611cbddd630

SHA512
8226a00e8e7dbdf74347ab3d07a675b8829ffee443198dd62eb84b08ed46bdf148e2b37bbc478e3c6662dd70a185b917e05a57970f82332f9b860497f3d78cb1

Download Submit
memory/116-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/232-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-702-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/648-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/652-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1260-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1340-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1356-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-717-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1748-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-701-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2016-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-669-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-700-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3388-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3644-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-709-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-758-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4320-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-674-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-720-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5216-652-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads