berbew | 23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe
Size

128KB
MD5

b023b0295c582fedc9f378f5fa73192a
SHA1

c679dbbf287ac04e89f9ca0488751d2970dd7114
SHA256

23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab
SHA512

48422c0aa8e8f474874b0d8f1987277123f6dfbc020822d76d839592c408e397642c41dec505f8d0628d694ca26319bc08b0168245136ddac5dcf6019e875149
SSDEEP

3072:kMUp0qFrnrr999WOhHS4TVqZ2fQkbn1vVAva63HePH/RAPJis2Ht3IjXq:VE0qFrnrr999WcS4Tg4fQkjxqvak+PHH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 38 IoCs

pid	Process
3400	Pjjhbl32.exe
1856	Pdpmpdbd.exe
2640	Pjmehkqk.exe
4952	Qceiaa32.exe
3116	Qjoankoi.exe
4160	Qddfkd32.exe
4104	Ajanck32.exe
4860	Anmjcieo.exe
1540	Ageolo32.exe
4536	Anogiicl.exe
4740	Aeiofcji.exe
2296	Agglboim.exe
384	Afmhck32.exe
3464	Acqimo32.exe
3136	Ajkaii32.exe
5072	Accfbokl.exe
4992	Bfabnjjp.exe
3052	Bmkjkd32.exe
8	Bcebhoii.exe
4792	Bmngqdpj.exe
2344	Bffkij32.exe
4116	Bnmcjg32.exe
3968	Bjddphlq.exe
5080	Bmbplc32.exe
4404	Bjfaeh32.exe
4748	Chjaol32.exe
3388	Cmgjgcgo.exe
2632	Cjkjpgfi.exe
1120	Cjmgfgdf.exe
4380	Cjpckf32.exe
1664	Chcddk32.exe
3516	Ddjejl32.exe
2316	Dhhnpjmh.exe
5112	Daqbip32.exe
4572	Dmgbnq32.exe
1392	Dfpgffpm.exe
4800	Dhocqigp.exe
1592	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Omocan32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	1592	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3400	4936	23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe	83
PID 4936 wrote to memory of 3400	4936	23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe	83
PID 4936 wrote to memory of 3400	4936	23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe	83
PID 3400 wrote to memory of 1856	3400	Pjjhbl32.exe	84
PID 3400 wrote to memory of 1856	3400	Pjjhbl32.exe	84
PID 3400 wrote to memory of 1856	3400	Pjjhbl32.exe	84
PID 1856 wrote to memory of 2640	1856	Pdpmpdbd.exe	85
PID 1856 wrote to memory of 2640	1856	Pdpmpdbd.exe	85
PID 1856 wrote to memory of 2640	1856	Pdpmpdbd.exe	85
PID 2640 wrote to memory of 4952	2640	Pjmehkqk.exe	86
PID 2640 wrote to memory of 4952	2640	Pjmehkqk.exe	86
PID 2640 wrote to memory of 4952	2640	Pjmehkqk.exe	86
PID 4952 wrote to memory of 3116	4952	Qceiaa32.exe	87
PID 4952 wrote to memory of 3116	4952	Qceiaa32.exe	87
PID 4952 wrote to memory of 3116	4952	Qceiaa32.exe	87
PID 3116 wrote to memory of 4160	3116	Qjoankoi.exe	88
PID 3116 wrote to memory of 4160	3116	Qjoankoi.exe	88
PID 3116 wrote to memory of 4160	3116	Qjoankoi.exe	88
PID 4160 wrote to memory of 4104	4160	Qddfkd32.exe	89
PID 4160 wrote to memory of 4104	4160	Qddfkd32.exe	89
PID 4160 wrote to memory of 4104	4160	Qddfkd32.exe	89
PID 4104 wrote to memory of 4860	4104	Ajanck32.exe	90
PID 4104 wrote to memory of 4860	4104	Ajanck32.exe	90
PID 4104 wrote to memory of 4860	4104	Ajanck32.exe	90
PID 4860 wrote to memory of 1540	4860	Anmjcieo.exe	91
PID 4860 wrote to memory of 1540	4860	Anmjcieo.exe	91
PID 4860 wrote to memory of 1540	4860	Anmjcieo.exe	91
PID 1540 wrote to memory of 4536	1540	Ageolo32.exe	92
PID 1540 wrote to memory of 4536	1540	Ageolo32.exe	92
PID 1540 wrote to memory of 4536	1540	Ageolo32.exe	92
PID 4536 wrote to memory of 4740	4536	Anogiicl.exe	93
PID 4536 wrote to memory of 4740	4536	Anogiicl.exe	93
PID 4536 wrote to memory of 4740	4536	Anogiicl.exe	93
PID 4740 wrote to memory of 2296	4740	Aeiofcji.exe	94
PID 4740 wrote to memory of 2296	4740	Aeiofcji.exe	94
PID 4740 wrote to memory of 2296	4740	Aeiofcji.exe	94
PID 2296 wrote to memory of 384	2296	Agglboim.exe	95
PID 2296 wrote to memory of 384	2296	Agglboim.exe	95
PID 2296 wrote to memory of 384	2296	Agglboim.exe	95
PID 384 wrote to memory of 3464	384	Afmhck32.exe	96
PID 384 wrote to memory of 3464	384	Afmhck32.exe	96
PID 384 wrote to memory of 3464	384	Afmhck32.exe	96
PID 3464 wrote to memory of 3136	3464	Acqimo32.exe	97
PID 3464 wrote to memory of 3136	3464	Acqimo32.exe	97
PID 3464 wrote to memory of 3136	3464	Acqimo32.exe	97
PID 3136 wrote to memory of 5072	3136	Ajkaii32.exe	98
PID 3136 wrote to memory of 5072	3136	Ajkaii32.exe	98
PID 3136 wrote to memory of 5072	3136	Ajkaii32.exe	98
PID 5072 wrote to memory of 4992	5072	Accfbokl.exe	99
PID 5072 wrote to memory of 4992	5072	Accfbokl.exe	99
PID 5072 wrote to memory of 4992	5072	Accfbokl.exe	99
PID 4992 wrote to memory of 3052	4992	Bfabnjjp.exe	100
PID 4992 wrote to memory of 3052	4992	Bfabnjjp.exe	100
PID 4992 wrote to memory of 3052	4992	Bfabnjjp.exe	100
PID 3052 wrote to memory of 8	3052	Bmkjkd32.exe	101
PID 3052 wrote to memory of 8	3052	Bmkjkd32.exe	101
PID 3052 wrote to memory of 8	3052	Bmkjkd32.exe	101
PID 8 wrote to memory of 4792	8	Bcebhoii.exe	102
PID 8 wrote to memory of 4792	8	Bcebhoii.exe	102
PID 8 wrote to memory of 4792	8	Bcebhoii.exe	102
PID 4792 wrote to memory of 2344	4792	Bmngqdpj.exe	103
PID 4792 wrote to memory of 2344	4792	Bmngqdpj.exe	103
PID 4792 wrote to memory of 2344	4792	Bmngqdpj.exe	103
PID 2344 wrote to memory of 4116	2344	Bffkij32.exe	104

C:\Users\Admin\AppData\Local\Temp\23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe
"C:\Users\Admin\AppData\Local\Temp\23a4a1979410f81e16d5a9c63a18143177eb27429fe92e9ea79a3e7235b486ab.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\Pjjhbl32.exe
  C:\Windows\system32\Pjjhbl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SysWOW64\Pdpmpdbd.exe
    C:\Windows\system32\Pdpmpdbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\Pjmehkqk.exe
      C:\Windows\system32\Pjmehkqk.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 396
        40⤵
        Program crash
        
        PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1592 -ip 1592
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
128KB

MD5
a4d9a63c53a1b8b5543b978813690373

SHA1
f67df5170decbe2aa9670b1fef0ecc8f7b3add27

SHA256
5dce7884838cdc8999e4819522f5e73438ddb97716baa68dbe316e4db9658f81

SHA512
dd7751c84fdd5d2fd78f2aa5f71b6b7d00db11444c2745e9f3ca6a85031bf6ec622a2d1ce7158ef27d97c6b708c57c08c3c62b28e0acfe08ad0208d17aac346e

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
128KB

MD5
f6d5dfac978b27271e1ad0a1959a2aa2

SHA1
e8987f48d3514c25ad74a5126a7e5df285450454

SHA256
b2935aaa9e6b4854b70d37161846b0ca18bb6d52476039bb2e924ef868125c24

SHA512
c38806540fa6093399a261810ede846a5cb3cc6d8fe2268622c5e46fcd23179f86d3f80c2d1f1ed780e580f4f9072688cdd4f8994b62da5000262ad43cda2f0a

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
128KB

MD5
ddfe2e653dea503f3590cf59240deb3a

SHA1
e173e6263adc0f22dfca404be597f93c0dca918e

SHA256
989b2e13da875448db13aad19ad782af359fd70aee2339089a81e7da20c81059

SHA512
a4e448179644467629e40d52a9856f727216cd4c79c5603956fa21688f0649e71687ef67aebe387eb4ebd1e8fdc69333e41e4d60dedb5c1f009a62c794a6669f

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
128KB

MD5
b6ec0afd6cabe55144ff8cae4bbed7b4

SHA1
ee97885f5971cf5b69da02fdc26f637c7d28a7cf

SHA256
a7008b667d5118e1e4d10290689db21f078d0a460e87f2daa6f786de93c807f1

SHA512
f94a5c99c5e68762396f585995ff60828e862578de72373d807cc8b2421c9b019651aaa0f28f6375574bd63ca9db5c22d025a4ce26c74c612e09a8901b46b5ef

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
128KB

MD5
fba4fdd853e9fca623eb07c6edaabe16

SHA1
b5d81e50c7524182bea2beda2eaa1ecfbcb56852

SHA256
50f40242d04bc06fbf529fc4dae6497fdc86717d758b736f208edcbb3aef9e33

SHA512
0eee53054125322f9a4a10f61608f23c00a877d08eaeed6867ab2e2cc8a624c378843ad1300a660e1a25e7894d2c4bad8409fb069b367700bdf048c6c4f969a2

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
128KB

MD5
597b7c2f03651ad03c5049f378358a6c

SHA1
3ff307eb1e0a4e4a1dbcd56ee72129b894a0b232

SHA256
9181a17d92b9e2f43b44277a55f3e52643c830dbd02fee71391ca56bd3c97b57

SHA512
36b8a13fc9b5767f79cbaa3226f468335966f912bf6ffd4c9aeec7ac1fa1f23428dcf50dd3d448845d3a50edc36274f130f68ca41e819f547aeea85ea75570ff

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
128KB

MD5
f48e428d1f462d487439f1d184520421

SHA1
1ae9160c9349b0933e584fcb2b6f5a37d8cf91eb

SHA256
dd71a28ec000e21d3cc8d5995fd648baa2ac2e2136d78ffd3ce66eb818be01b4

SHA512
1305599ffc55678a19fdd94ece17c25be82405460932fb5bf3595fcb35349ab0aca1acccc12794cd0c5da8a47c51790e2ba39ba3befc4169ac1eaf0c358f5bb0

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
128KB

MD5
e6834eb1478f02ef271ab2a56c7b60cd

SHA1
014605baf68b967a4bccae7e5348c615b4c6922a

SHA256
410ab826c04280ace25cbb14c30dc82212f97ee9728e4f5698b65ce62d68f034

SHA512
400203b0d5f7ed2c4111c771e9d6f2758cec0070047b3228ac0659c05477373ca5bd08a2ae02e2693d150fcc3edf0083431ef33e76962df8514a89ca34b40608

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
128KB

MD5
b854ccd4967b926dec0ac94150eee2a9

SHA1
0edc98a9f986b3e6dd4a9a9d1801d555676aa0e1

SHA256
560adee83fbd0282c80e355de046ac3a9069b0cb5610bee2f52f22017b71025c

SHA512
8fe82bb2c604a828a54fb924e96bbf2266a96d3fc05bf5ace75c0e56ec3b2d8f307b13f7d7e9480f9e82ddf191e0f14fba809fe4d0e1a5d3f2c095a65395b878

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
128KB

MD5
9b85ac75f9cef5dc8a6cc232ffe7f56a

SHA1
de78a8a43576a5917ab846bcd9fe0e92b2546064

SHA256
b1c76aa8bf34ea0ac53117feebee44c52c624462d3dbd0346cd2fbac52e04325

SHA512
9d1ade38829ffac0a3db93566ddd4fef3514d9ab3a89c8925cbb648e8ec11aa9988cd4796f62a4ce2b5c912f52a3ae7bdabf0b41539e3206146388f864f469ed

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
128KB

MD5
d4cf2f89567eb344efda90c7dc517a92

SHA1
ceb2b16eded52b0ca01277b56a9fdc363f680a01

SHA256
a6d5e486ea013c5fdb177760bfd482f9fd15a59372a663d085d6e1ee018baa06

SHA512
d06ca9b01f0fc870d05faf607f024ff89e0f38655b5346e5f475dbd51a3e92e08bf7fdbafe600fe1189512aadd41a0efadc70ac829ef0bd3fee79209b30c75a5

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
128KB

MD5
0875c66fce954fa9efd5c995e315e9a7

SHA1
21654e2a528183274a01180dbc6f68bbd001bb9d

SHA256
2e817c8e12dbb97b92e28216dd9e305fccd7c22093c21e53c806e63a715d7ab6

SHA512
44a4924289c0c687879fa270c848165c143266956c53145bd590c729812e34bb716c2b7a7e5385f0025825b125eb179828c268d7550ab9f0479de54260e99236

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
128KB

MD5
37d72dedba5fbd28a383dcc043d189dd

SHA1
4f990cb224dbe875c0d711e08ba6aa6d443e6409

SHA256
bb0cd397c85b435686e80f43542b547914dc258256d455bacdb2b834058c3e02

SHA512
609e6d7f0c66c4ef0efc9c8b4a239e150ecdceb092ef6fd04fe7c65921017617572505145749e2e016a501847e9c93353c7a6b18d1f5be2463aaf0f8f5e21b4a

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
128KB

MD5
1634eaa16226f6d873868fb0bc9d3b43

SHA1
07553ad88cc3467def0a99aa4b95bd623d42a44f

SHA256
93980663a5abd5b74453c21d0e289a336b597262fcd4a16d40e1322af53fec0a

SHA512
0a883fbe0516e39bdcdc3a0363b4fb5d6d628a416972731f56e3c4d0deb0da92a4a0cce07c35160daf10d97a6ac4b476a2b7d48c22bedb5703222b508ede749e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
128KB

MD5
03deca976081e3396be4d0620c8d53a3

SHA1
ddc78019afbabc52ec3dcf476cf903baf45e0af8

SHA256
fa8b2a2fbbda05f0f1d8b49d63ec3e0f5922b1c3402ade36f9ab236378fd6882

SHA512
7edf70223cafc98339054b29851f9f0d4c1241c6b143d817ec12f1d23220dc26728925050c207893fa1f980ca9054b306206a5096c61c404e236a785ac7c5e9e

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
128KB

MD5
93e3fc636ce948fc7e1acf8e6bb46452

SHA1
d2b30ea46287bea21b6834938f39aa480b8a852b

SHA256
e8e9e24c163c9015d711c99da3d2ee4a5d768c5acbba9594638b758f7827e4c6

SHA512
5fa14280f0e3b4f14f6d222633362a4a6a2d7a744c32001be6785b3ac819129e8f85fbc95ca0161f27c38a238431ef8f60cef7690df8d38a6289c76f52218510

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
128KB

MD5
16b9ee479bfc43e4201fcc7fc2769e31

SHA1
4bb06fec26dd9e8490bf1a3a34e51964620bab69

SHA256
1c17c92539b1808842c01f8535875b03b08c7281bbd07c305afddd16e0c6047d

SHA512
4a73a9bb6f7d8095734d82c6e9f7780dd7e85ca75769a96f1ca75e2de44fea4768b246cf66a2e2f9e0ca77a53902ffe051893044f8603bbaa4f5e798ae059e84

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
128KB

MD5
83d8d094620860fd1a7692ee97003e6c

SHA1
a2c4511cd19f9fe684d3353ebc2c34f8e08594c9

SHA256
aef33c399fd7f114dd2e120d06ffb61bebb06921627b065b393567a53570b633

SHA512
06c39de05da4d188fda87083690a013c6ce49b405095c9010b0942d8de062a86d026fc8f96e3f7a165da3385140cab628ea3b23102a7d0abc2ab8b627a46ee2b

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
128KB

MD5
c1da733175c738974ad6bed9fac82113

SHA1
28a8bf76e23ba16e017b888b5c370c6adc0edb8d

SHA256
4a5eb9a1155437adf9540731fa57ef0c6b3c6e81a7998e723d2f3868205da49a

SHA512
c665f43ab7b82d7048045de49883603894264e105cf629d47196fec311eb0ae68ac7855223aed6ece4d8e06138b780b7e2f15336a0a1ec0946dce60059883b10

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
128KB

MD5
a19f5b6f7e1909a29383babecf643975

SHA1
f90eb3297cad275bfe197a3e109853df515b2431

SHA256
497c35ce5812d040ad47179c6a500afcac9c3dcdeed1f1dd008070ce3fa5e4b6

SHA512
44036a11042e57359009cf4646277f39aa5f2bbe845f6916aa93152cda1d82b02ab503faa6cd0ac80d9664746da70aef42005abcc1f388a9d5e1eb46ab9110f1

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
128KB

MD5
0415f897c99ebd95359df71ff98d582d

SHA1
4845d15ccc4ae60186b8993922ae3b2b9a8c74e1

SHA256
35bc6d46bdf27fd0733d90c454cccb3460dd0601190f07b75bd67d9ddf616aaa

SHA512
a043fc6f9abafdd7b5d35435b96a4b68f1abd75e4abb01f319f66dc4e34894295b7b3cb4a467c0b505577ca5c8a1b6f47ad8e83c5a870630c82020fcfe8b01f3

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
128KB

MD5
d3fc7d46e07827776b2ca0ee619d4d42

SHA1
b30ee91aa8a4fa09800ed8723fcce483ed6c8361

SHA256
8a2ab39aba832ec46407975584175efd6418aed7c864bdc35627001109f69341

SHA512
27e8cb15bdf5170e484cfde5117d3b9d530ad77208a20c8e318183d2e4f565e16950028f041a0ca240e3ba3a99a0d85f872c18516992f8a37e92f4088aad6112

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
128KB

MD5
589e30fbbcc4c593681887cc6467d727

SHA1
3c0a898a8077ef8b304973c801b8c98878074b71

SHA256
3b731eab650ff66e1a45d22a95e4dccb877693296491694f89853cfa405d4163

SHA512
b07aec3ffd110af34f98a7dd9562a62911565a1f7aeef42c646806662d15c08ba804a6a328b1d3ab1498f4f10d01e3857c42c6425fdc13f7130ed0616844cf2c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
128KB

MD5
b521d22bde4b30d3c66652ea2e974ad9

SHA1
c7284716dd52ca0d92207202ea8dba9c37557bb2

SHA256
248105a7099cd0dc0489b05929f807bee0eea0ea88611717cefcf6c49ada20bd

SHA512
6ee06054e503f57d142180ea0cc1311e3bc0a1dfa7c263984911083da347e5b805400fa6fe8150b094b8e5a0013936f738e18b3b587a1025bcd44198152f6b39

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
128KB

MD5
59ed208d5744b6d59f5a6ff4940fe40b

SHA1
d4fb21d040291bb9634a9ff46d7f0b899c6fcafd

SHA256
dc4acbe05111ba9bd91233708e2b12e2593640dce57f28e366ff6cfee733c292

SHA512
074868add1f35d9c4502e898888751d913c7e3571fe212669af757ef55c28211e41026464416edb39001f1119e04354c38cf745f4a39c80802020fe7fd16b5e3

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
128KB

MD5
b475a505efa6f898735e53740e8e91b9

SHA1
ca5c295cd0bd5ed9c9290b6be89f2534c640b556

SHA256
29f303d0404bfd73200306fba0119e22428376542514e37c924a3c811cc91c5e

SHA512
099b7d47926799c678a1a71bf421e99db3b31cf560848d3d856df24c65c3d2b45ceee0ef12bbb0746f79ed1383e47789b33a46172b5932c93abead74cd476896

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
128KB

MD5
341a28b3899cbfcef377a9e961fdc727

SHA1
99adbe5fa56e5e20638ad3142adde504c9387002

SHA256
f7457c863159939c073d02e442e6205e96782298199844b2f536a98c58c95b60

SHA512
26eefa4cdabb202ea8d4d3d8b77d8cdedcf32ce5759d4b7d30449156d5cbded9522170d8955f3ad56d091d2fac3e70cac2ad966aa3d1b4db49d0f7f53a203a96

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
128KB

MD5
622ea3f56ab31acec3560651a7b541f6

SHA1
7568c278201f3331e62568a3cc804eaad69579d1

SHA256
09958b888c764deab259e9285a27582deed59752db4f315e208242f2ca37de59

SHA512
0a19f52a3a4716bfeaa5d85c3ac959c0d92ec58668df6ea1736610b0d06622a88947d0a8160c954bf96abaa5b1ee04f82ff000f3cef7462711bac1ca46df0452

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
128KB

MD5
d01ad9e0c43568c42bb6e1fdd70a0c0a

SHA1
1fa87466063a99650ac9bd1109c95ec1164cb138

SHA256
b1cad2015d46b5f9e75631815a62c648ecc391b67c9011946ae7a9ec2f66460e

SHA512
1fdfc8e8dbbdeeacf6e461fd8a926295e4ed2cd362b6a4d2940af78e8c7c419842be83620dbfa95875351b5b8aa2cf869c5e44f8b78619f808c11ad236145b77

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
128KB

MD5
1bc0b8bf142190b371dabd61db5a3395

SHA1
a7c4f782b8818cea3c50f25e88bfcb54039c76a3

SHA256
753ee70577454505d2cb2741c1e95fb3998ad9d1932e40a44523efbe374c3508

SHA512
695e14739d6e3ef642626bae58b131f42456acc80d90be7d130bae0502c13bcc01f95d7f124a93e132db35853abaceed7a9143f8376dbd7dd6c94cdc83c99431

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
128KB

MD5
0c3dfe48d717c6a4af389b303a0b0c83

SHA1
58521473f2d92c64e7be694e8ec33eded4027c14

SHA256
3fd62053868e872b36bb56d96e84943a1538550cb201a157f00e108ee06f8c01

SHA512
d35d36b13f1c5f629ecb2f139a1edc6dcccdbbb970683302a8301b708598d45b2e33085b2cee0bb4be8157d3edf6fda4d36da5802a527855c4390ec6c990350c

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
128KB

MD5
75e2ea3ed3f35bfa259cdbf14d4c0042

SHA1
d5231f7c1cb893932cbd4718e0e58913a40c771b

SHA256
44c031f240e5df2f173d03af1f798208a4c9c318cd8b7c4d513d6ea4e8661059

SHA512
633ecfecdf17c984eac844fd01b136359e5fb769b1d6d75763909b6087579baf8c0754eea5a6d7c65c722725670a3dec255315eb0567ee3a92a79ca69b782d3d

Download Submit
memory/8-250-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/8-163-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1120-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1120-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1392-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1392-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1540-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1540-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1664-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1664-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1856-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1856-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2296-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2296-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2632-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2632-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2640-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2640-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3136-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3136-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3388-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3388-312-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3464-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3464-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3516-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3516-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3968-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3968-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4104-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4104-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4116-276-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4116-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4536-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4536-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4572-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4572-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4748-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4748-305-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-259-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4800-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4800-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4860-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4860-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4936-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4936-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4936-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4952-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4992-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5072-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5072-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5080-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5080-291-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads