berbew | 358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
Size

58KB
MD5

c74b3567a8669da2cff4827a676308d0
SHA1

77fb0d9907dcf08df0a1c9acd252242f3dad2f07
SHA256

358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0
SHA512

af7fcdbd579971348f48af21243d93a2ffd6480773f1cb960dd8b0be714305d55a0147a3d27967b06c7282b78409b407bb81b1d389f90575e2d6dec4ca829021
SSDEEP

768:WV9Bs+eGQS2ho31I+RQq1e/ToNkSkiSCt4S1mYAtJafdK2p/1H5qXdnhxN:Wnfz+o3BRQq1YoN5Z4SNM2LO7N

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 40 IoCs

pid	Process
3940	Qmmnjfnl.exe
2532	Qddfkd32.exe
5100	Qgcbgo32.exe
4280	Anmjcieo.exe
952	Adgbpc32.exe
3512	Ambgef32.exe
2100	Agglboim.exe
532	Aqppkd32.exe
2108	Agjhgngj.exe
3952	Andqdh32.exe
4756	Aglemn32.exe
4684	Aminee32.exe
4828	Agoabn32.exe
636	Bmkjkd32.exe
3196	Bfdodjhm.exe
2720	Bmngqdpj.exe
3324	Bchomn32.exe
1300	Bnmcjg32.exe
3476	Balpgb32.exe
4960	Bfhhoi32.exe
2216	Bclhhnca.exe
3692	Bjfaeh32.exe
2740	Bcoenmao.exe
2768	Cndikf32.exe
4364	Cdabcm32.exe
3208	Cjkjpgfi.exe
3192	Cdcoim32.exe
4432	Cnicfe32.exe
4076	Chagok32.exe
2924	Cajlhqjp.exe
540	Cjbpaf32.exe
1628	Dhfajjoj.exe
1028	Dmcibama.exe
2556	Dobfld32.exe
4088	Dkifae32.exe
4808	Daconoae.exe
2360	Dkkcge32.exe
3396	Daekdooc.exe
4028	Dhocqigp.exe
2200	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4372	2200	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3940	2468	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe	83
PID 2468 wrote to memory of 3940	2468	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe	83
PID 2468 wrote to memory of 3940	2468	358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe	83
PID 3940 wrote to memory of 2532	3940	Qmmnjfnl.exe	84
PID 3940 wrote to memory of 2532	3940	Qmmnjfnl.exe	84
PID 3940 wrote to memory of 2532	3940	Qmmnjfnl.exe	84
PID 2532 wrote to memory of 5100	2532	Qddfkd32.exe	85
PID 2532 wrote to memory of 5100	2532	Qddfkd32.exe	85
PID 2532 wrote to memory of 5100	2532	Qddfkd32.exe	85
PID 5100 wrote to memory of 4280	5100	Qgcbgo32.exe	86
PID 5100 wrote to memory of 4280	5100	Qgcbgo32.exe	86
PID 5100 wrote to memory of 4280	5100	Qgcbgo32.exe	86
PID 4280 wrote to memory of 952	4280	Anmjcieo.exe	87
PID 4280 wrote to memory of 952	4280	Anmjcieo.exe	87
PID 4280 wrote to memory of 952	4280	Anmjcieo.exe	87
PID 952 wrote to memory of 3512	952	Adgbpc32.exe	88
PID 952 wrote to memory of 3512	952	Adgbpc32.exe	88
PID 952 wrote to memory of 3512	952	Adgbpc32.exe	88
PID 3512 wrote to memory of 2100	3512	Ambgef32.exe	89
PID 3512 wrote to memory of 2100	3512	Ambgef32.exe	89
PID 3512 wrote to memory of 2100	3512	Ambgef32.exe	89
PID 2100 wrote to memory of 532	2100	Agglboim.exe	90
PID 2100 wrote to memory of 532	2100	Agglboim.exe	90
PID 2100 wrote to memory of 532	2100	Agglboim.exe	90
PID 532 wrote to memory of 2108	532	Aqppkd32.exe	91
PID 532 wrote to memory of 2108	532	Aqppkd32.exe	91
PID 532 wrote to memory of 2108	532	Aqppkd32.exe	91
PID 2108 wrote to memory of 3952	2108	Agjhgngj.exe	92
PID 2108 wrote to memory of 3952	2108	Agjhgngj.exe	92
PID 2108 wrote to memory of 3952	2108	Agjhgngj.exe	92
PID 3952 wrote to memory of 4756	3952	Andqdh32.exe	93
PID 3952 wrote to memory of 4756	3952	Andqdh32.exe	93
PID 3952 wrote to memory of 4756	3952	Andqdh32.exe	93
PID 4756 wrote to memory of 4684	4756	Aglemn32.exe	94
PID 4756 wrote to memory of 4684	4756	Aglemn32.exe	94
PID 4756 wrote to memory of 4684	4756	Aglemn32.exe	94
PID 4684 wrote to memory of 4828	4684	Aminee32.exe	95
PID 4684 wrote to memory of 4828	4684	Aminee32.exe	95
PID 4684 wrote to memory of 4828	4684	Aminee32.exe	95
PID 4828 wrote to memory of 636	4828	Agoabn32.exe	96
PID 4828 wrote to memory of 636	4828	Agoabn32.exe	96
PID 4828 wrote to memory of 636	4828	Agoabn32.exe	96
PID 636 wrote to memory of 3196	636	Bmkjkd32.exe	97
PID 636 wrote to memory of 3196	636	Bmkjkd32.exe	97
PID 636 wrote to memory of 3196	636	Bmkjkd32.exe	97
PID 3196 wrote to memory of 2720	3196	Bfdodjhm.exe	98
PID 3196 wrote to memory of 2720	3196	Bfdodjhm.exe	98
PID 3196 wrote to memory of 2720	3196	Bfdodjhm.exe	98
PID 2720 wrote to memory of 3324	2720	Bmngqdpj.exe	99
PID 2720 wrote to memory of 3324	2720	Bmngqdpj.exe	99
PID 2720 wrote to memory of 3324	2720	Bmngqdpj.exe	99
PID 3324 wrote to memory of 1300	3324	Bchomn32.exe	100
PID 3324 wrote to memory of 1300	3324	Bchomn32.exe	100
PID 3324 wrote to memory of 1300	3324	Bchomn32.exe	100
PID 1300 wrote to memory of 3476	1300	Bnmcjg32.exe	101
PID 1300 wrote to memory of 3476	1300	Bnmcjg32.exe	101
PID 1300 wrote to memory of 3476	1300	Bnmcjg32.exe	101
PID 3476 wrote to memory of 4960	3476	Balpgb32.exe	102
PID 3476 wrote to memory of 4960	3476	Balpgb32.exe	102
PID 3476 wrote to memory of 4960	3476	Balpgb32.exe	102
PID 4960 wrote to memory of 2216	4960	Bfhhoi32.exe	103
PID 4960 wrote to memory of 2216	4960	Bfhhoi32.exe	103
PID 4960 wrote to memory of 2216	4960	Bfhhoi32.exe	103
PID 2216 wrote to memory of 3692	2216	Bclhhnca.exe	104

C:\Users\Admin\AppData\Local\Temp\358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe
"C:\Users\Admin\AppData\Local\Temp\358daee92a8fb24dddd66315319384c4fecde5d79a955f233994b3c016c81ae0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\Qmmnjfnl.exe
  C:\Windows\system32\Qmmnjfnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\Qddfkd32.exe
    C:\Windows\system32\Qddfkd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\Qgcbgo32.exe
      C:\Windows\system32\Qgcbgo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
      - C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 224
        42⤵
        Program crash
        
        PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2200 -ip 2200
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
58KB

MD5
81dc617c60501f4ed07ba17c7211b8b4

SHA1
98901ebd5223be29107d50dc8d0483bdd196ebbd

SHA256
0b4c09996b7d8ffbb84f631df981e66a4b4c121adb12718de936e0b3727ad40e

SHA512
7a2147e0ca2af3b07b25fb5ae17e15434b95a591144337c82dcf428d0daac65fa7f8b62b40c07f19159c93b99d3f8f6996fb03f8ae488129973eb0ed5cd1e248

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
58KB

MD5
8b29bd30c6e16bfcc0a8cf567311ef80

SHA1
5a72784dcc26cce6c279c193c782441cbfcc6ea9

SHA256
a8d9239a186fa7434bc75c6f52f26f8ab5c24659725a3594638b502007808270

SHA512
912865e1deac7f653bf90b838d79f1a3fd10fefcd1a147ed8af2b1a5a2ff7e29e861c72fb3eafd6c71fead8c1abd5ae90b5fbcb66f4e51345e3f0b031e3e0c4d

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
58KB

MD5
0abfb9d610485c85c3de07a53689548e

SHA1
d613bd79cfe935b499d4a3f6eb26d742406f2b87

SHA256
76a09ae66311afd23d292843ffe09532b73d3882d9654f57c5668254dffa5cbd

SHA512
a9790aff551734ea4b0c14dfd084e991cc61bdcd52f301cedc5d41eaff0ec1e055f9200d95748778f528ca9253e942023a04e8697c5bd830c1fa818e0b4a2140

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
58KB

MD5
51574e6f0b49e02bc958e717d6b7d4f0

SHA1
09d8c0ff64f8e340319ef529714100b2b07d983b

SHA256
9be248d598f21c3bc9f9ba2eed886c8e1acfb1822ea6525a1b8994cf51392cf0

SHA512
f86e32c37f78fa28054d52f366641381e92fec5ad020f482dd8502d8f14407877b4647d3a82b8a4d0c965adbddf60e915596cf594c4e3e1ce8f031106382c77a

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
58KB

MD5
50c63f2351a955a867e75b9588af533f

SHA1
3c8811129f63422af3b191f1073e5e816e6bf4b2

SHA256
4021d7ab32a94c99383caefc83eca6128e113f6e3daa472c43e9d88d8f2e42c6

SHA512
e4219e2b11249d4631b7226ad91ca92a59fb13e931c3d5912021e0cbe4d5873ef4fe4cfff93f351a4acb5908fe56aaa7e7be6e17c4a383a5f2758b8ab3ecbc65

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
58KB

MD5
23a922aa8659d7450ba297a7cf292aa8

SHA1
7927c495c050e945c54180c5f83e9b4487e3f400

SHA256
1d27c3fa009252e2d9efec3f2190ccc70b47b48f90f31e737b86cdb97f4eb34b

SHA512
c8d1eaf4087632b46a9c24ce08b24e2013591acb0787156416ceebdb8cac00c1b7c60c5306c9c120cae4cef8f956437ee5e733dbdce0da6769799496ed13082b

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
58KB

MD5
e3539e140db4fd51a10fb6842321d25a

SHA1
d3551c0da9177161b107beead4dc1a8c32f0650e

SHA256
318f3eea9ca0475ef32b9adb710f8dccbb2aae22a5de380deb9fb609abb050a4

SHA512
fc9e85c1609268bdb8ef8ba9a63d190fd192224583b0f6955ea2c7df501a590ca6ec05817cd9cac4bfffe95271aaa2a336a20911d69da1ee461ab764f44c3b46

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
58KB

MD5
9641594fad2f82b5bb4da6fa62bb4eac

SHA1
c38b6b848ae3adb1a7e33d979e256a8542c3e0e4

SHA256
988ba35483b94c25874d391f6055910df6aee6a85c4776f8d54fb4698a80143f

SHA512
b431aa0e393c14aa0f1f72e89a74a8762f9df098247ed22f70f5616ed340a500cc6402d396ed4480148adcd1dff092874b9b5d3086242cc96846678bce7b1f4c

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
58KB

MD5
220cc2c40d7822e8578e8917e93eddce

SHA1
659eb62c0214a6eff215eb4fe77cb8cc2ae11d4b

SHA256
d0fa3814c549c84a6c49a7a6506c28693b0b219fcedc7abf0dd3646d438c4d1f

SHA512
278367b68b3a079b2348707e53c89eb367a61da02ca9963b0b8d663900bdefcdc5a836a80f5cfec0c8be6059863e632422e3ae9b37762bf6717142279af6ca45

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
58KB

MD5
e14e25b712f6a3f932f2df46655253a3

SHA1
0c74962584915bad87d9144addabc4bc01ce70c6

SHA256
2d0730b106c99d6848daaabcbc2d8004abee00ee60665455673136320f3e7449

SHA512
ab2ea3f438da108515089c21e965f71fbf047fb5f426066826c9a07044df87122f93038e9164fb8e2ffc0890079ed09df6bb6c58c19e98c7543eccc7af48ee2e

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
58KB

MD5
140782775d2ee574e347128ddfff467d

SHA1
8a80c5993fea276897c649fc296fdb29ea9c3d9d

SHA256
5f5ace6b5cf64e77eb51b559084ff268fb61a7d84cdb6faa4a33012dd8f3c63c

SHA512
a21cef0639fd05955d6f49f81f61367aafb2f84a59ac06f522d86a4f88ef46043db6b4e4f2b694013c636522645cce903db23e3f108e75c60af54cd6358c82c5

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
58KB

MD5
8377d9b82676d2a06a6da63c0cb54ccc

SHA1
058836af3172668166a99ed670fa4fba9a75930f

SHA256
b04d6694013fec7ea7f23f4446580cdfe10517eac6d7e0f24b94c18fa5a784a4

SHA512
00f4faea0466cce860a61787cf169cc35e08a0157d45f787aeb6b3e8c50f79ac7a3f3c4f7acf4931a11334268d79bc915941098350a11a496f4e1828b6f427ea

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
58KB

MD5
c04ca606766fe93c4d12b9793c40840a

SHA1
aa81ae9c3bf2767f560fc27cced0f38ec990f476

SHA256
75221cb5b021b990dfe9ee6854d9fa0de93fed98d7fc4a3b0c17e3d5eb34d997

SHA512
2e8f579797b7ad34d8bd015a55bec58b339375aaa52fd86dfa46d91394ccb8d911d5e7ed4c2c434921189085e2249c5d6f086bf24350f1d6f7b3d1a99f3b7e14

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
58KB

MD5
e1285adc33e9719dec03626418178929

SHA1
c392dd742a99b365f93e34dca00f9e970a5798d1

SHA256
b68712cec24959a0272b74010a981ad069667009a834c6538b989c9cd2d9f45d

SHA512
35a233794233f2611177b2a499246d79acfd63f9b7401012165f204fc5ff0b2798470e139ea9f9dec164290fe1a91c3d36b8d2d4d0bacdce073c04da1afa971e

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
58KB

MD5
699b2b0fd4fae24394615adefa0a121b

SHA1
7934edc3db8baa9937bb9df776fcda9aaaf36037

SHA256
c704c9230717e0f7c91cc24b3b96f75470263b2d4d08380b3030716a0ab7fbaf

SHA512
be575b50af504656fbb685413b1baf7cbab7f9641b8cecb8592c5cff9244f5a8a8f417eb7772c6dc3a5fbb5766fcaeef4e84d1726ce974fd7490f50a3867ee1e

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
58KB

MD5
f5e6381632fd5c52de9d0cd95039ae2a

SHA1
809ff44d04deb7948f710302dce57bf0cc15a468

SHA256
ace96678ea0fb1280dd4621bcef54b296ff35a2ec3f90a05b73921aa24c48c3f

SHA512
aa4f4060ee4766153174e37a54bb450b52f7cb8966ea34cdcf116d85c50bf1c4f982a0d2eb50489c690c1cedb9ce93cb6ae59d45e4583f56db31f64c8a978d52

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
58KB

MD5
32a5eda72cb14344d98d93c93756ab73

SHA1
8a9679ee82988e9b9d51a36670cd2154bd5cbe24

SHA256
3077023b9ac7359d3244312c1df66ce763ab17822cf73f001037facf2f988fc2

SHA512
8b61c49b6863c1aa462ec44068feb496f0cf470176d7d800a9cf5c64da5b15ff1e10ea8834f3bc660d22c23eb8094143297d0c8a45daa33ef93ef562783621be

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
58KB

MD5
07edf80199ddd56c92d6d46fc254ddda

SHA1
81201ea9db09f0770d093311dcb357d2811b9125

SHA256
1e90ae593b913ce0debc48e4b62a2cb96781e7384da0ca40b1bd570e07219301

SHA512
25b051e9dd5bd6288c3dbd0c7cdfcc4dc8e110a9973fcb6dccfafa4bb4d7f66e43626f755124dbad9a127bad0df2137637b0252fc8d0d470d743d5a073bfa476

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
58KB

MD5
0559e0eafc246aa547847fde51f1faaf

SHA1
6235ef8fd8e6d59045c1122253ec381e2ba4ac59

SHA256
7e52aebcccf4ccf034aaf8bf3abdb428fbc28a4033ca4afdf28c31c5b232fc17

SHA512
1df3d4f2490a893d78a8af6d7524d9667303a17513631f1d990725a34ad48bf59422295f3e0afd0d607561df5b4af7a05458d55bb74f9e51c391c0d060e7b684

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
58KB

MD5
fcf464b9c5c4987112f43273855f27ca

SHA1
9c61bfcdf977c4480193f7f71d5ec6ac53986cbd

SHA256
f7be88384b425ae67801e6360509f09141bedec7b502106e4d7bf2a5cd9a0aff

SHA512
46bdfdd7fb685c8dff90ce5beb362c764974dfd7ad4f50c85b52263aed0690a17ccbd8cf583b06202659bea42eb07cf1387877c5a8f46c2c8d8dd68dccec458c

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
58KB

MD5
6defaaf1a88228167c24ac66956827f9

SHA1
a6accf6a0894c361ba3b6f33d97275d0e58d997f

SHA256
5cc2116e2f85c24daf8f6cc233241badf168766592bd8a1e4ee0a81388d9b42c

SHA512
4f5d09b667e0ae788ec6bc019c89c2b8029718b1ed8c0302fa85707f84d2a53a13b4309fc57faf3657e3811281cb0f0bfe99ee412a8d9ca773162b47d6e961d2

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
58KB

MD5
ab9cc9a55f78d97d69bde055a5c9da5f

SHA1
2c78fdb02f2c68ed526af187699b113c1a027ddc

SHA256
15ab90be85af6981dabf3397bb2facc5d0809f3eafe694cb4bf61947a5271c10

SHA512
3919a1d7439ea4a9e48adb23b61e8f2cb5af0b4e204957c32e15cb5aba3b06add5e226073f1e3fb5b89ad6f566aeac8bd075f8716bcd01bef5197836bf165b7b

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
58KB

MD5
67c57fe3a68c3261b6c7a5f4ed6d444a

SHA1
53a5f43f5f1fec99420fe6c5eda1ee899a1bb264

SHA256
ec4378f88a7ed60d35d6f9085b1014ea2baadd9b2ac133c4f572c5bc9df6ab48

SHA512
ad48246a06164067703e4bc6403f1f77a9de299bfae44df998ec8fc425c5d7033b5ca8cf569f0c0c53a7ac7ce56642381396b69a2f2cae39a154295c9e378176

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
58KB

MD5
35ef2689f79790c37b00779386fd91dd

SHA1
862528b029822b28f2857901e8a5c606df968b5a

SHA256
3c705a869332a65e22f23585953163720ceb5b829cc9f33e6a0534dd707e5368

SHA512
3051508efde20a3754e3dfbc94e9b8b6d6bdf916c50ee7b8cf9ae4e28ac929f5fdc9f5690ad1a4b41b4389536d8b2041f29a99e519347ded737ba14ec168548e

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
58KB

MD5
e616ca3536db1fb2d76640224bd97f1f

SHA1
45489e95f23a28aa2f884643bd66c499b30d64a6

SHA256
debda1ec7b94db1ab804388bccfab4ffa59807073975b32b0f1830e105f700e1

SHA512
c9b185685172b4359bd604d35ee916308ba834f25f025205e3a6d1e714a70a2732200b3fe87ecb8088115a1c35fe5a6a2c701f7ce44384ba336a7d60993b2874

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
58KB

MD5
0d370627a18e9f665fc53b7a805d5e81

SHA1
9d74faf965e9d08a1309ef56b6710f56bebed1ae

SHA256
43c17cde181a61fc640b3687810839989cb3740c1447ea051f777ef1f927c9bc

SHA512
da7c5f06c28629ea6df1f6b6aa730908c3f5b179ec2ded9b8f3a342240f5ab3cb3362b1df52b976c447841897742918a405e9e2f1cb0e393e7d38e7ba2ddfced

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
58KB

MD5
d59997d09e608a149f9b702b45ccb129

SHA1
57896a6bab31dffef91373bcb121c763231f8754

SHA256
f9c33b9f04f96540472ca5b139ff0be471bfd06becfc8f802f93eaac936e0c5e

SHA512
e27771a6e7d03e19a2826a013abf11ee71e717d717bba87ebb80b757a9ea73d868771d0de5998af3c525c9be73149391eb3f41f365ec2ba40f252b78b5585e2a

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
58KB

MD5
a8f3369cf658e15443bbd8dc9dd9b0fe

SHA1
5e12ae67890bfc9df354e47aaf494e571c8ae090

SHA256
f998a31cb563efb2a3f392a1d755bcce62fa7804ee4c6d5b4fd4d69ed6e2994e

SHA512
6b914826e4e1cfff2308afd3fb65f07163de8761ee2544b2be384a1b47658c01155219ea1c047ed1aa5a4716d987458b344f429919735af0f74550af08024d8f

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
58KB

MD5
bfe48beee71fd6ecd72668334f618491

SHA1
00a327504eae3d61c44b63e5e9c6b0e8f680a480

SHA256
f3e83fc6eca9f067e88c2fdf53c1cd28201c6c957b5f5d780021c1fd31323cc4

SHA512
196363fb9ea6044575a8a5012e234ea4aedd5422421dd73a5148e1ba9afb35231a1b9f28148b7b594cf630f7f864d0bf952269ab02170918baffea4c98018b83

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
58KB

MD5
ae87b06f093f838fbfc55e62b8516558

SHA1
283305d6f6a3635c8cf27053ab508320f6435db8

SHA256
145283390dfe825a641dc0112c2a84e0abb4a77eeefa67bc8dfe0c71e00310bb

SHA512
d260c23276c4102666d5589dd3c2db2784102f9ba1148ddeea4de3894526ecf531b77e656bea48cc517a7dc9362b2f3c84cd4824e1a96a0c6d0de1ef4fb2b240

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
58KB

MD5
df20cf27b3f690fd3c02e0a2d08bf1cd

SHA1
0cf1dc2300993d818493f9d557430fe760c444f8

SHA256
3f09f384a89b4bb77e958a09e5f56886421c93cc174f873a8edf2f4b5e25a033

SHA512
09fd42711503d1f941d48ccc151c0eccdc004d27d225c61800869c863277f871f25714073b623cc8de94a9af41733dd7963970d28d4425ef4d5fbe35ebf48ce0

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
58KB

MD5
2886dc638b0725d44b9671d764dfac04

SHA1
ecfc2c2666e976fdd9369660bc71cec6514296f4

SHA256
286b83ce87eb729c7d9316fd3d62c0362096fc5a6888890cc5b28408a4103154

SHA512
64b43c5685e354ddd7c14568a9a73135c66dd2e357657cf56d2d72b8eca71632ee1ae984be97546319a57b0bbe2eccd1f4348d2458c6fc34aaab8a005907245c

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
58KB

MD5
cbc8d32cccfbe378fca4d34d638316aa

SHA1
0e47e37a69f30b531bbba547178eeac2f941acbf

SHA256
f301d410221dc3549f4f7f0f2490ef9845ad267f19c6cb1e9d768eb3873df9b8

SHA512
626a541fab89c189931158b8a6c2c5976e11401beec3b07202beb8cda698ee26b72251338ea4de71a48a910111dfd8042ce85abc22a4d56df587c99f0b97e548

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
58KB

MD5
e622983c3b42335b079d11311f2d2cdc

SHA1
e296cd40ca27d04cbb74e8b0798da7a1874cf9b0

SHA256
7360ed3d26ceb107af6dfcb53114e9f64f88734362da37fc413d0bf743b8eabe

SHA512
7518c4edf1fdb5e7a6c58c60c9adc050e38e023d2e7a3f64272fe92c3c7d55ace0613300d44a517df462a63f930aa94acfa6f85d53170542806fd2903a4b29be

Download Submit
memory/532-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2468-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads