berbew | 60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561e

Analysis

max time kernel
109s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
Size

77KB
MD5

c259fa19d02737ed1af53a79bf96e070
SHA1

98da41f00ada056e7b64b9a91ed2f45fed8f11f3
SHA256

60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561e
SHA512

f7d3052ef84bd0114c9d6fdcdd091d204c63860eb4611bde845be80403b89adf8e86e3675a1afcab09b4ecd86d944a2a2719031b4332c71064829b4f1e72cc5c
SSDEEP

1536:19yx8c2Yk+q0WOltHwXN/xICEY4Tx69D2Ltgwfi+TjRC/D:ezY0WwtQXRx54NTmwf1TjYD

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 38 IoCs

pid	Process
2300	Afoeiklb.exe
864	Aminee32.exe
3128	Aepefb32.exe
2880	Bfabnjjp.exe
2560	Bnhjohkb.exe
4388	Bagflcje.exe
2012	Bganhm32.exe
2424	Bjokdipf.exe
464	Bmngqdpj.exe
2028	Bgcknmop.exe
3120	Bnmcjg32.exe
5104	Balpgb32.exe
3552	Bgehcmmm.exe
2156	Bjddphlq.exe
2232	Banllbdn.exe
2228	Bhhdil32.exe
2556	Bjfaeh32.exe
5060	Bmemac32.exe
756	Bcoenmao.exe
2488	Cjinkg32.exe
4292	Cabfga32.exe
3816	Cfpnph32.exe
4944	Caebma32.exe
3756	Cdcoim32.exe
2432	Ceckcp32.exe
4368	Cjpckf32.exe
2252	Cffdpghg.exe
4648	Cnnlaehj.exe
452	Dfiafg32.exe
4324	Danecp32.exe
5076	Dfknkg32.exe
3520	Dmefhako.exe
4092	Dfnjafap.exe
1688	Dmgbnq32.exe
2984	Dogogcpo.exe
2960	Daekdooc.exe
3116	Deagdn32.exe
1940	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3456	1940	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 2300	4156	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe	85
PID 4156 wrote to memory of 2300	4156	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe	85
PID 4156 wrote to memory of 2300	4156	60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe	85
PID 2300 wrote to memory of 864	2300	Afoeiklb.exe	86
PID 2300 wrote to memory of 864	2300	Afoeiklb.exe	86
PID 2300 wrote to memory of 864	2300	Afoeiklb.exe	86
PID 864 wrote to memory of 3128	864	Aminee32.exe	87
PID 864 wrote to memory of 3128	864	Aminee32.exe	87
PID 864 wrote to memory of 3128	864	Aminee32.exe	87
PID 3128 wrote to memory of 2880	3128	Aepefb32.exe	88
PID 3128 wrote to memory of 2880	3128	Aepefb32.exe	88
PID 3128 wrote to memory of 2880	3128	Aepefb32.exe	88
PID 2880 wrote to memory of 2560	2880	Bfabnjjp.exe	89
PID 2880 wrote to memory of 2560	2880	Bfabnjjp.exe	89
PID 2880 wrote to memory of 2560	2880	Bfabnjjp.exe	89
PID 2560 wrote to memory of 4388	2560	Bnhjohkb.exe	90
PID 2560 wrote to memory of 4388	2560	Bnhjohkb.exe	90
PID 2560 wrote to memory of 4388	2560	Bnhjohkb.exe	90
PID 4388 wrote to memory of 2012	4388	Bagflcje.exe	91
PID 4388 wrote to memory of 2012	4388	Bagflcje.exe	91
PID 4388 wrote to memory of 2012	4388	Bagflcje.exe	91
PID 2012 wrote to memory of 2424	2012	Bganhm32.exe	92
PID 2012 wrote to memory of 2424	2012	Bganhm32.exe	92
PID 2012 wrote to memory of 2424	2012	Bganhm32.exe	92
PID 2424 wrote to memory of 464	2424	Bjokdipf.exe	93
PID 2424 wrote to memory of 464	2424	Bjokdipf.exe	93
PID 2424 wrote to memory of 464	2424	Bjokdipf.exe	93
PID 464 wrote to memory of 2028	464	Bmngqdpj.exe	94
PID 464 wrote to memory of 2028	464	Bmngqdpj.exe	94
PID 464 wrote to memory of 2028	464	Bmngqdpj.exe	94
PID 2028 wrote to memory of 3120	2028	Bgcknmop.exe	95
PID 2028 wrote to memory of 3120	2028	Bgcknmop.exe	95
PID 2028 wrote to memory of 3120	2028	Bgcknmop.exe	95
PID 3120 wrote to memory of 5104	3120	Bnmcjg32.exe	96
PID 3120 wrote to memory of 5104	3120	Bnmcjg32.exe	96
PID 3120 wrote to memory of 5104	3120	Bnmcjg32.exe	96
PID 5104 wrote to memory of 3552	5104	Balpgb32.exe	98
PID 5104 wrote to memory of 3552	5104	Balpgb32.exe	98
PID 5104 wrote to memory of 3552	5104	Balpgb32.exe	98
PID 3552 wrote to memory of 2156	3552	Bgehcmmm.exe	99
PID 3552 wrote to memory of 2156	3552	Bgehcmmm.exe	99
PID 3552 wrote to memory of 2156	3552	Bgehcmmm.exe	99
PID 2156 wrote to memory of 2232	2156	Bjddphlq.exe	100
PID 2156 wrote to memory of 2232	2156	Bjddphlq.exe	100
PID 2156 wrote to memory of 2232	2156	Bjddphlq.exe	100
PID 2232 wrote to memory of 2228	2232	Banllbdn.exe	101
PID 2232 wrote to memory of 2228	2232	Banllbdn.exe	101
PID 2232 wrote to memory of 2228	2232	Banllbdn.exe	101
PID 2228 wrote to memory of 2556	2228	Bhhdil32.exe	103
PID 2228 wrote to memory of 2556	2228	Bhhdil32.exe	103
PID 2228 wrote to memory of 2556	2228	Bhhdil32.exe	103
PID 2556 wrote to memory of 5060	2556	Bjfaeh32.exe	104
PID 2556 wrote to memory of 5060	2556	Bjfaeh32.exe	104
PID 2556 wrote to memory of 5060	2556	Bjfaeh32.exe	104
PID 5060 wrote to memory of 756	5060	Bmemac32.exe	105
PID 5060 wrote to memory of 756	5060	Bmemac32.exe	105
PID 5060 wrote to memory of 756	5060	Bmemac32.exe	105
PID 756 wrote to memory of 2488	756	Bcoenmao.exe	106
PID 756 wrote to memory of 2488	756	Bcoenmao.exe	106
PID 756 wrote to memory of 2488	756	Bcoenmao.exe	106
PID 2488 wrote to memory of 4292	2488	Cjinkg32.exe	107
PID 2488 wrote to memory of 4292	2488	Cjinkg32.exe	107
PID 2488 wrote to memory of 4292	2488	Cjinkg32.exe	107
PID 4292 wrote to memory of 3816	4292	Cabfga32.exe	108

C:\Users\Admin\AppData\Local\Temp\60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe
"C:\Users\Admin\AppData\Local\Temp\60e433b5352cd2611473d03fb838cf5f6ebb31f3f5b16126c06a73dbaf53561eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\Afoeiklb.exe
  C:\Windows\system32\Afoeiklb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\Aminee32.exe
    C:\Windows\system32\Aminee32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\SysWOW64\Aepefb32.exe
      C:\Windows\system32\Aepefb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 220
        40⤵
        Program crash
        
        PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1940 -ip 1940
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
77KB

MD5
bab4272bab00977afc43572c5381c5fe

SHA1
3d13c561b6d94adf024c379557b7fa33830a6c36

SHA256
9123be98b6cbec0f8db37c7360360f4dbfa93829036d6d6913790f0b84a14940

SHA512
8d0cbc0a37d0633d1a685da2722e8c409958ed9a6de8c8f9630e3845b47b0f6eecd05465b625566526d47706c3285e38c55c6bae413a4d554bdb12340c66b977

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
77KB

MD5
efc4fc85a47032dd5cabf7382a826ff1

SHA1
ec0fad923186fa9839217986e0a904c68f1bad79

SHA256
b57f91674757ee3f2a36d6850786fb784162549070b4be44a233a27f405acdf9

SHA512
19ff9eae6067102736d5a724c1fce503707a6b1bd48a99385cd74d3205db7d73f7ab7f55ccbe632e86e329537a77e85e10feb0e08c7bbfaf3eb2c663856efe1e

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
77KB

MD5
828d9171ecede4a2e55f8cd7c3d509a8

SHA1
4b12409cf30ba711510652e92643c87400825a45

SHA256
220985b701f7343a12a086d96de490d93e49557c52ca0a84f283943396a7a111

SHA512
3ce1465478d8c477691b781872f1bd64a240367dde5ebb54459b3962936e0494ebc432141cc76533e6ca5eab30453035f5111c7416eb58b41b6bacb6e5c28471

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
77KB

MD5
7b5b377249384934eff8d4a72d10a09e

SHA1
f11d0d99873bb64c3c04b813935a6716bbcf5313

SHA256
b092ae5f6ae13eb4416bf4f2ca98374e2b09a101ede916dd1dcb8cd5656c3ed7

SHA512
191414604fc01abe021b55abf239b5ba9b3d09ea014e8d116e009ec1b2ea906a8341ef6a81a21271d5f31c019f35ca7a274949b4d6570485f9b1aa059e111e48

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
77KB

MD5
86820e795c30059924a650b6fd6d162b

SHA1
2443f0edd39b2d5da02f15af6857737d168c3b35

SHA256
2682728e833bb8778d4a7f16dfdc9c89c02ad8859f612e6a6924b179be2741c2

SHA512
21973891f94a76a9de4dd1c4b9c9dfffa5ab54aa5bd098658a6b0db57ccb45e1dfc98ca55f369524ae7b1abb38a76c966614aed71dcc127bd73de75b1233aa0a

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
77KB

MD5
f739a930196b4d781abcbf2bcd7a9ae3

SHA1
efd43fcb5660b0c835cf142cdca2290a4def28fd

SHA256
efaa0803d315940f19cc03701af104f63c6c3a6a23b7a85b177c89a57f3902a1

SHA512
f56a1baa43939c0ffe7f25e482f8e47ce02d9e43e7739c913f81e394ec9cd2ad7d7f7c6f1e5e47fab7dfe0fedcf858ee05e8e061e5495957cab06de43ba56bb9

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
77KB

MD5
ae9bf741ed469809d77dba489e098eea

SHA1
a152ca003ecb4dd60ba676aedae63294f4520e8b

SHA256
0abea4acacc0f24f5c522ddfee1f91a0ce1ab5dc87e9c7a4dd84dcbc031ea9d4

SHA512
a6a393fd9bbf0f323ce56c59b3c55cdd8e357065bdc0a1459b9418f587a4778d763b52b32e065e38b9ae8669b29333e0599589965dede4361f080355b80d9864

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
77KB

MD5
2078150757389acaf52dfa94c36e5045

SHA1
011bd6ee0f60fd4551aa9db924a4532d9d9c9814

SHA256
8eed09ae2b5991c653c3db2cfdcde0da2f2618100686f938327717ea062b8374

SHA512
9213c62b6a598cba7bc4f884ea8bcf82c62cb47d7f235fe51bad56a4cdef48ccdde9a061546a205bf48f41f56fa1be4e7877bdd64eedfed016e525e5d610abd9

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
77KB

MD5
02dc9b826c847fb9f7c50c534a4463a3

SHA1
980390cb0a7f2401d8677b2517a2bc9438b92cd4

SHA256
ebbaf3b3590427081a04e7c06334755eb2785d18fa7850eef088825d1804530f

SHA512
ff9af4210345a9f1fb45129c8f85af5131414ac4b5934fb19ff5f336c1973a161d6d6f8fe1b98f409c14007ff0dcf6ceac73f3092510a5eea6a4f9f091b21518

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
77KB

MD5
ba64f03be4dfa5d9bc8ff193b562b602

SHA1
d214a950be1c38d68471bf62d6341320d3728e2f

SHA256
c3dfb72cacc577e91bd78c1567906c71a14a397e59e5b889d1911a5ed825c237

SHA512
16afaff108a1907682c7bb53906c4311137d7776ddd5e4b872e5065a5294e30da572ee4659c1a6c4479cdfc2e0d62c44ff2d73a4b3c7f0eb03321c858a00edff

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
77KB

MD5
e34f7a21e3063495ce5bf2f7d5b6528f

SHA1
0ddc172cac4de9948863580cbce2d7738f28c7ae

SHA256
a1048692588adea81b4c2c41a3468456dc47f8f091e0cc9e409caa7b46d71533

SHA512
0f9b787675a2b1c4953ddb8f57a3d72b36b2ad7422658ea7bcda41f9bc115da570ff5d15761804bcd59f1d044219524ddb4e46743bbd09ccecda109df13bfc39

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
77KB

MD5
793b3d967620d408c06e9f248bcf2f0d

SHA1
52cfe8d8c7f964925badc2e0a4a61d8b549eba65

SHA256
f1f0c1a20bb30987ba417e1d8b4e2bdaf410465f69207860e2da9405be436cd7

SHA512
ec7b5fde9b1b3837531edff48e0b5b8c64311e109e30ba1ec01e3832f6da61148900408154e88bc069e924c9a5710987eb8a0f7e9f1d6151dc2ef51dbf19cced

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
77KB

MD5
64e56f6bec297e0a369db07c14ed991c

SHA1
1bba8a62b594ba088c541bfed626a8f632ef7438

SHA256
dce4f729b206eb44e1a5f3a7fdd321c31c79a1df92dd32e04cc2de042bb6ddde

SHA512
462db99b4df5ec29100341ad2ed634a19e6e0f5ca1c6b8516f89a6f2f3346923d429d87ceac25959627657e155262b9df0c3010e808fb2501841667255c45c60

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
77KB

MD5
6f3449ee346ed69b086cca1555db24e9

SHA1
a1c7ec8ddaf86e3525a67541e8f51a6616d15620

SHA256
3425f7a4ef897a14d2bd780da797678784cfa781725a483f1b297c4eaaa52a06

SHA512
9cf3c60daf985cc5dc33cdc4b99a712ca275f2b6b8dd76ae1f8bd213eda3ce0fba88a889dd954ad9923ba607008c30ca7bc006de33cd2db35c7edb3c2921bc6c

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
77KB

MD5
a38aa4a07092ba62b2324b516547c03d

SHA1
0f180910b24b27c4a8b6b286fe83ab6b48f25a70

SHA256
8857cef9180852a7566f90ca3a86fbe5050d9efdadd5284423765dd77c14f3dd

SHA512
2b56c09987c9722634057251d5eb595e917ab474322f324ed3206eaa3e30032cc135a6050674d63f5541deb5ae66430d571924553d32b738cac449a6280cb5c6

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
77KB

MD5
ba33788fb05dfea7671ac1a53b1ec09b

SHA1
626a3653c4aeec275e768ff8754d65e78161025b

SHA256
9aededc15b8686c20f8ef31bb19bc04a7661ffb949489917df59403c221f6649

SHA512
6ae9bcdb909dd326d62356318f5a702395ed79a9fa9ae89e012f35a5986e3a377cb3a0120aa6b88e92162faa3786ed04d8fc158af45fc70b6432934189fd5454

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
77KB

MD5
e6f10758bb9b5eda9680c4056050bf29

SHA1
67ed5b15ab2f902caec21a1846029c3bc5863e4d

SHA256
c445755ed54a284eb02358ee6d50d149804dc57b7a812437fb952a40b2c5868c

SHA512
02dbcb72c4fe357bc3cae09cb4298ecdb0e981b3eeb33dce4587921a723d7749828ec46cfdfe9c29c70ad9acab30534b8efd907cd07f54c42feba27fafd6127c

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
77KB

MD5
134f9d10b781fd0f8a5ca47dca2ec024

SHA1
854bf0da3a4374e72db6d280fe872bb566955b10

SHA256
e44b87523f2215a052db9dcd8259e1f626312b1e9dd8075d4688db68b81b4460

SHA512
061981c8389f9d8de16903a67573af0fbe7505aace2c92d1375a1375c8ba1c6edb0cdfc5d7efe4c1bdeebc1382d3bb61429affc0fe6cee0139e00b04f6d0dfd4

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
77KB

MD5
0caefb861a2d67b3ee9fbf02006b41ce

SHA1
f29ab96599db40dd103ba82db1b6f7f807f2c223

SHA256
a8c9b10c9295f3c624a7438065ab7542ab34f05e4cb08bfd72b86e60533c4dc2

SHA512
3682dee0d835b2a1884c1dd5426c01963ebadea1f9e32052f8daa4786e479992437a0f1cbd2cce7515f24e25dfa1516e01f883abf290c99529a2da33bfb910b6

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
77KB

MD5
07544da6b6197d3d335b5cb1c34e21b2

SHA1
3fc68c7e3439d030d548fa94214f6b81984368e0

SHA256
47eae723422cc7a79dc7f55863e89c91aa1633a9f577a9321052dfa186e0e45c

SHA512
b1364b853b3070e4703757525bf603189796d67d0a8960eb7e8342e7beb6cab6367441b164bbfa78b74a0bc45232131ae1f3fc7ad4679c66f1e5e23c279ca2fd

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
77KB

MD5
c0738b08f80b81d86ed9476c6fba2131

SHA1
a515991d35382e15b8ed11b5e0741435f6b9aba9

SHA256
07d70c86fd3e160723f6bedd986fb515d1ebc28d7fb1328111a5a65c142744de

SHA512
4aa7d0ffa0c9d53700eaa698552d640ec9522db709612c517fc1405845f25f5e8907b92fe21707a62963f6167944b28dbb8335f12e95b6cc80c4a129670533ff

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
77KB

MD5
944430c9d72d71c5534e520fdc011ff2

SHA1
e664820ffc3834a921260571acd9c1dfd4cfdc1d

SHA256
ede5ece5682db009c500820021716811bfbe045a50a4bab5eb8446e44824431d

SHA512
cab2413898e9c61684e41fc82dea80b92f2c8d62f06cc7ba9606b51e1f61f9ebb958b4f841fa4824a02f8a23c7f110b46e38ea0c72439fcc3482c6aed095cd7b

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
77KB

MD5
f6317aa751377324093a031426b7cbfb

SHA1
99833b06f23bf6a53ea7707c89045ff1e6432b1e

SHA256
66ac142e949ac43f78c285856342ccf6d923b53acaa82187a8b429be1af2e40d

SHA512
f0b15eef56dac48acfb77d91eb2b7f5757f0f3b96a88c372cdafbc713e2557217d65acc0ae9f5daa063beccac06fd5460ab72810d1a642f8f25d9ac269150c6e

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
77KB

MD5
865e9f7d3f1a77cee8885814d4bfa94e

SHA1
fea178734e093a0c176a14f697eb55c42cd37f65

SHA256
bbd96cd6382e200e72be89e7a9425a2a0cca38b9c6d00977bf60891f4ed9ffa4

SHA512
e3de3e5a91ab4263467e27e9b76f12c3bfbbb0e560bf020e9c7da3de8ede5aa74dcfd8e2d332ce93fd12ca0de2633f78bcfae1d95043e4ed868716aed8e9fe26

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
77KB

MD5
dda6164e45dc95e56d2e3a3e79a9f8e5

SHA1
a77cd58f03598ea0e975e4ad18d03b9569fce6cb

SHA256
e3b5194229ae4a4848cb81377e8fde1f16cda8225c1e10070df8292acd85bb52

SHA512
992dc6526bd36507f66d8a79c8e2e698ab2fb19435bfb56c142bac3e17fa77fbc57e8197e3f25b45c5cdddc29534fa6bd8bfc2cf05c524a28610c4e8237c9e8d

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
77KB

MD5
24c9d126c8295edeccf81be46ab7b88d

SHA1
b90670622b6c48980f7419f157c2af9c1db1b8a9

SHA256
a0a853a5d4e5130fadfa1fc3bc0437db4aa78b575caa48158e82213a48ed5b61

SHA512
9ab822e4e5e6821cd98e6aa096b05af1909209aacffd137d2a2666e2148fa2aeb77c6ef81620fe8b346b9428b28665aeb88d4af2220d14c6e974581aa1198d89

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
77KB

MD5
a412f2d1b4d97512042a91c053716c90

SHA1
00b9d07be1c35cdcac48ff6133b5db11b2e94e19

SHA256
4eb2a2c0fcecb0c86871893f50a0fabe70eb75a33de8dbe0906a56f53bb77c7d

SHA512
e48d70bf887debab89fe0bd12da4d81579e382e05d24dd312d110124479e447828b76879d62d9b7109ef1315b5f4e2a1ab45c6ce1975a08e572407f1f2d06550

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
77KB

MD5
274d129148e4a77826439357db30e304

SHA1
2cb945970efb117031b0487ce5d20f09b891c748

SHA256
fc6234a9288a8f06b1c7d5192fa8d99437901cdb4a6794b6ccb722e2272e34c7

SHA512
ae9b955a371b4628c3159771d6a41ce095e24371e315b5f9337df1c21ff475aca9c551fdd92f9cdd1e497364fa0203430399b5b670fd736abb81bfe0a7c72a7a

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
77KB

MD5
5949e87c01211a5412911752ca9f5a95

SHA1
90c0b768d771ebbcf823b1dbccecf3b7a43ed22b

SHA256
1443d656a384c49f6e92b83329db48ced9b31b7227046a45e6946101937b4e4c

SHA512
56393e5ce782c600b30b6237ad96fd0b58ce51563e9c77b67f6df5f7a4966738134958c54b2e9a979013b05614dbb5c64a10b55bf112525ffc218a28f8b83969

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
77KB

MD5
713f1e1e85eaaf2bc6ba82f5376c7b69

SHA1
57cdfb7da93f223416035e57f17ea39875c5a483

SHA256
bca2ba1da3ed8db9bc2235ec8b83fa05572dfd2610d81918c4eabde55e692f51

SHA512
51914e88db477b6830bffc469c58376c198ea4d5d79a5e7e11ab3d43f2f6ae0f22a072e6ef7de9a8622427862192698bed7030d2712ff785f2b8523d589693ca

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
77KB

MD5
4958061da6e1a77a4f5a6f97ef2aceb1

SHA1
ec3dbf7a83611cd78d5237e6605f2fa07baa5e51

SHA256
d2f6f5dda2aacdb41301082bdd57a2baffb92dce1875fca586c6e202a1c3347b

SHA512
94f3339021335194afc2c4a65dcb0c5607202b01224aa1029f75fd96b86a18d3d0ab867e755dbb17595dc093deacc1fac29d10c591eedce3c696a235e542ec18

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
77KB

MD5
7896346d60f93011c9b78fb37c81b7c3

SHA1
981e82e22c35c2233f0b17659ddc7ef9868b413a

SHA256
b654f6a1bcb9f9b404a63e4ae7b6111d0b6fbd840a6d9798efb64c5e1b1869db

SHA512
31c723af07a1f18719f3bc404a2a732f637c009f7508fa10f25dbe8593284bf1b0ee2943b8cef1a76b39b01946acd22bcca1c4fe2a62d68918e74d4c7e12f763

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
77KB

MD5
9ce59c1931fe914bb8303f63b154c8a6

SHA1
1c554259f817d29ace87b493f0dc22c0a057a951

SHA256
0f338bd25246f5ad079ba7ef0cf094d124fe765c988f9ff262e1fc3003d9100d

SHA512
8e4b9fac496d5cef4052a78c9ccd0252cf042bb1e6f4384ee612e7c057604bab4b2b044c0bf2cd052c65b6481c04aeb295049d2c870c09f968ba822f301780c3

Download Submit
memory/452-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/864-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/864-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3120-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3120-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3756-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3756-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4156-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads