berbew | 4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21c

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe
Size

78KB
MD5

e2acfa384df2f23205a8f8b3315da550
SHA1

4b0b995c6b345fbd938db2bc4861d6ffc08faa41
SHA256

4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21c
SHA512

576e47f8ad74ca11e024689a9f3f0c265009708163c91ab022be2fa5dd3491a4638c1adcbfbcdce502b21a57b11c10b8a13d267427d74d78f619212844522102
SSDEEP

1536:rNS3id4pATAA/jiNzL1RBNTlAkIggsJVHcbns:rN9MbA/jiVLzuogsDes

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 40 IoCs

pid	Process
1476	Qcgffqei.exe
4360	Ajanck32.exe
2724	Ampkof32.exe
1916	Acjclpcf.exe
2248	Afhohlbj.exe
1992	Aqncedbp.exe
2876	Aclpap32.exe
4968	Afjlnk32.exe
4400	Aeklkchg.exe
3016	Andqdh32.exe
1300	Acqimo32.exe
1336	Anfmjhmd.exe
2960	Aminee32.exe
3116	Bjmnoi32.exe
5072	Bagflcje.exe
4232	Bnkgeg32.exe
4516	Bjagjhnc.exe
3224	Bfhhoi32.exe
4552	Banllbdn.exe
4988	Beihma32.exe
2568	Bnbmefbg.exe
4996	Chjaol32.exe
4960	Cdabcm32.exe
4504	Caebma32.exe
4596	Cnicfe32.exe
4332	Chagok32.exe
3320	Cmnpgb32.exe
528	Cdhhdlid.exe
428	Cnnlaehj.exe
1528	Cegdnopg.exe
992	Dhfajjoj.exe
4624	Dopigd32.exe
2188	Danecp32.exe
3152	Dfknkg32.exe
4808	Dhkjej32.exe
3480	Dodbbdbb.exe
4416	Ddakjkqi.exe
3404	Daekdooc.exe
3368	Dhocqigp.exe
4608	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bnbmefbg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4772	4608	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1476	2108	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe	82
PID 2108 wrote to memory of 1476	2108	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe	82
PID 2108 wrote to memory of 1476	2108	4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe	82
PID 1476 wrote to memory of 4360	1476	Qcgffqei.exe	83
PID 1476 wrote to memory of 4360	1476	Qcgffqei.exe	83
PID 1476 wrote to memory of 4360	1476	Qcgffqei.exe	83
PID 4360 wrote to memory of 2724	4360	Ajanck32.exe	84
PID 4360 wrote to memory of 2724	4360	Ajanck32.exe	84
PID 4360 wrote to memory of 2724	4360	Ajanck32.exe	84
PID 2724 wrote to memory of 1916	2724	Ampkof32.exe	85
PID 2724 wrote to memory of 1916	2724	Ampkof32.exe	85
PID 2724 wrote to memory of 1916	2724	Ampkof32.exe	85
PID 1916 wrote to memory of 2248	1916	Acjclpcf.exe	86
PID 1916 wrote to memory of 2248	1916	Acjclpcf.exe	86
PID 1916 wrote to memory of 2248	1916	Acjclpcf.exe	86
PID 2248 wrote to memory of 1992	2248	Afhohlbj.exe	87
PID 2248 wrote to memory of 1992	2248	Afhohlbj.exe	87
PID 2248 wrote to memory of 1992	2248	Afhohlbj.exe	87
PID 1992 wrote to memory of 2876	1992	Aqncedbp.exe	88
PID 1992 wrote to memory of 2876	1992	Aqncedbp.exe	88
PID 1992 wrote to memory of 2876	1992	Aqncedbp.exe	88
PID 2876 wrote to memory of 4968	2876	Aclpap32.exe	89
PID 2876 wrote to memory of 4968	2876	Aclpap32.exe	89
PID 2876 wrote to memory of 4968	2876	Aclpap32.exe	89
PID 4968 wrote to memory of 4400	4968	Afjlnk32.exe	90
PID 4968 wrote to memory of 4400	4968	Afjlnk32.exe	90
PID 4968 wrote to memory of 4400	4968	Afjlnk32.exe	90
PID 4400 wrote to memory of 3016	4400	Aeklkchg.exe	91
PID 4400 wrote to memory of 3016	4400	Aeklkchg.exe	91
PID 4400 wrote to memory of 3016	4400	Aeklkchg.exe	91
PID 3016 wrote to memory of 1300	3016	Andqdh32.exe	92
PID 3016 wrote to memory of 1300	3016	Andqdh32.exe	92
PID 3016 wrote to memory of 1300	3016	Andqdh32.exe	92
PID 1300 wrote to memory of 1336	1300	Acqimo32.exe	93
PID 1300 wrote to memory of 1336	1300	Acqimo32.exe	93
PID 1300 wrote to memory of 1336	1300	Acqimo32.exe	93
PID 1336 wrote to memory of 2960	1336	Anfmjhmd.exe	94
PID 1336 wrote to memory of 2960	1336	Anfmjhmd.exe	94
PID 1336 wrote to memory of 2960	1336	Anfmjhmd.exe	94
PID 2960 wrote to memory of 3116	2960	Aminee32.exe	95
PID 2960 wrote to memory of 3116	2960	Aminee32.exe	95
PID 2960 wrote to memory of 3116	2960	Aminee32.exe	95
PID 3116 wrote to memory of 5072	3116	Bjmnoi32.exe	96
PID 3116 wrote to memory of 5072	3116	Bjmnoi32.exe	96
PID 3116 wrote to memory of 5072	3116	Bjmnoi32.exe	96
PID 5072 wrote to memory of 4232	5072	Bagflcje.exe	97
PID 5072 wrote to memory of 4232	5072	Bagflcje.exe	97
PID 5072 wrote to memory of 4232	5072	Bagflcje.exe	97
PID 4232 wrote to memory of 4516	4232	Bnkgeg32.exe	98
PID 4232 wrote to memory of 4516	4232	Bnkgeg32.exe	98
PID 4232 wrote to memory of 4516	4232	Bnkgeg32.exe	98
PID 4516 wrote to memory of 3224	4516	Bjagjhnc.exe	99
PID 4516 wrote to memory of 3224	4516	Bjagjhnc.exe	99
PID 4516 wrote to memory of 3224	4516	Bjagjhnc.exe	99
PID 3224 wrote to memory of 4552	3224	Bfhhoi32.exe	100
PID 3224 wrote to memory of 4552	3224	Bfhhoi32.exe	100
PID 3224 wrote to memory of 4552	3224	Bfhhoi32.exe	100
PID 4552 wrote to memory of 4988	4552	Banllbdn.exe	101
PID 4552 wrote to memory of 4988	4552	Banllbdn.exe	101
PID 4552 wrote to memory of 4988	4552	Banllbdn.exe	101
PID 4988 wrote to memory of 2568	4988	Beihma32.exe	102
PID 4988 wrote to memory of 2568	4988	Beihma32.exe	102
PID 4988 wrote to memory of 2568	4988	Beihma32.exe	102
PID 2568 wrote to memory of 4996	2568	Bnbmefbg.exe	103

C:\Users\Admin\AppData\Local\Temp\4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe
"C:\Users\Admin\AppData\Local\Temp\4393b14974f8c378f446f8b7a785d2c80d9932300b559e38f7bb4a3345bae21cN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\Qcgffqei.exe
  C:\Windows\system32\Qcgffqei.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\Ajanck32.exe
    C:\Windows\system32\Ajanck32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\SysWOW64\Ampkof32.exe
      C:\Windows\system32\Ampkof32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 404
        42⤵
        Program crash
        
        PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4608 -ip 4608
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
78KB

MD5
5a2e44b7171ec0b425c295c290db7e6a

SHA1
21d52418120875536bb860f62d90fa021c76e98a

SHA256
46f371c1f71255e51a4c7214dc0ce1d437ca8f0f72330f96e5dd9b48bb323784

SHA512
692682aef2e996cfc3b591c3b1ab59a03ccd49fc48ab9d854826a6b77649f51994b62a81c6d579c34b8097b24cc74e05520f78aadc0eb226e1b48239502a9213

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
78KB

MD5
242c839f119cf442919ac23d05303aca

SHA1
d296c0464c49486209561ccf9c44bc1a58057ad7

SHA256
0e4ce2f2809658adc7a01f38dfb0346c930e6cabec50fe1fcf38ee4881f5c28e

SHA512
34a55712caa1afdb61ae50b268b45511e4fd3ba0e1493419280dbf37318945d36f5d5ca010900588d3ef77437b71a26a4f934125a7f8b050229fdd1140923783

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
78KB

MD5
9068f74b2d94993e94e4e670e943e71c

SHA1
26179dc650a0d124edd27ab00ce94913c9e54bb0

SHA256
4f736f7126f665f1051799aaf2c97077e6a80942be4b548807a9d8db4d2b1c3a

SHA512
21e32f6472df768fb9c2c199c854047c8998c67a98367924e5eb6d4f4a4fe2d34f5514858c6d1a3c340e7570b5bbeb1594e9b4636692474102929697d7b95e26

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
78KB

MD5
5e054b5fe7efa11cabe2b8b5626e9ec6

SHA1
6236ad2a33dbaf8b0e6608a38710e513fd0d8ef0

SHA256
25aee98f3b682a76553977efe5f1771d3ff1f7c993ab74a83ffe85e42fff4787

SHA512
d45c4eac1cc9a86637676ac83f3bb4b888f57c007cee130fabceee35b82b00586514f9ac15ea0906a51342b8b9d7dae45b98602c34847041fa743d7d2bfe80c1

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
78KB

MD5
ab00643b9898fdf76fdfce2e96a89832

SHA1
db87d26dacbc706e2ca6348f639b8a9646a0f2ae

SHA256
367333c1e754b6de47bdfc68e21abd50cd9b3ab860624a6b39f2724103978d99

SHA512
db43a70001f8d6c4c2570d590249c4c032e42554eed8148585ca0113ca9865de162456f16df1cb45213a7316ed0a69f2e0bc5c8d9152041bfde8515742a9dcb9

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
78KB

MD5
a63d7b0ab61067337bc85b695bd59a27

SHA1
25416fc7acc244caf33e0b0002a5da8453597801

SHA256
b7f92da493e186569b2babe0574719caf29f581eba775fcb2a78f49fb63b2372

SHA512
1791abc0618347f88ff6b39d128fd2b90f9d187c64d4ba0008bbd97ee4be12a175cd208794ca10c219839cec0b1b4160d35ab76b36682b1051527df34c9d5ad0

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
78KB

MD5
127bdf03ed55f699f3909649746b8008

SHA1
f01f114f3ca3a929e044c7ee1636fd553d10cf8d

SHA256
f17a85aedfb85344e8ac07c71605c8681fa7d509a3dfb58e92379d407df5ad94

SHA512
39376e1d1797e870289fe2f5fbae3b9fabff6efd8792fdad9578ebb85330499988ee8e5bfd9b4f8532b11baab2a7cb3084d240e129e3d1416980c5ae3ef8ecc1

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
78KB

MD5
a1e4f44de80317e69ccee67519099b71

SHA1
e92c2b9155d8108432df22cdd03ef0667e7feee2

SHA256
c58214474ccd1c95b9897a8e2ed6508c7ebd785cf866478475371405d29ac2e7

SHA512
a0ff731f55a097f27edfabcc0e10683dda51f3dc24f4b2859b62fa4a9a02c9554cf4e7e79f108c5292ce61cda81039b64a8377e39c89951faca2f4d84d1d53f2

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
78KB

MD5
3e5341519bd02233fe18237d8bd0198a

SHA1
d577c24eb8548f3c6a01f538693d30469bfa2ac3

SHA256
59fdfe99cb7f0061c092c4ab6549f4103ed5d7d6f92c87a096032d46d01b9522

SHA512
bd2bda0f08da42bdf2390dc40deaffb4e986171e127b87a52145ffaee574d9892d20baba3a49c5b6947c8bcf26c3d13263e4436a04c70737ecacd631d8c6481f

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
78KB

MD5
61799f483b03af8cec0663a8881fbe90

SHA1
a31ad2381a205cddf20f31dc824f7fd6667fab0c

SHA256
d7ac5436c6c76b874898050c10f0ce3d56611dc75c0ece62c5eaa4d633cc6e5d

SHA512
0c383dae5f1ccd807fb0ef01b21b7323d66e8f5d31b0ae40a147e5cbb6648bb7531391342e0d368cffd6fa9303fc19d5a3e69a3a77b1c5a1ce97f8878bcb4ead

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
78KB

MD5
89923f9bc1f9f19e4bdaebed99f8b65f

SHA1
30247d6477553e7e39453edae37dc2d5e7db1aa3

SHA256
abe0554df0a83cf0bd53476c01b95da444dd0540fb8515a05e8598320323a549

SHA512
7f4525b2fe70856d8cdf0c728d3f22cd702033c1877e4153f749ab22b877412d5f4117541b09c24c5adda92eab4779b2482433d24bfd07561c502ee7dc32b0c0

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
78KB

MD5
66e5b293fb754c0be814a4bc002018df

SHA1
277e1e3816b6bece8d62c3acc811187ea46e1f3f

SHA256
e0d1dc97407f296678326a1a47a9d0cfa40f607f5281ce7f7d9d416807e16a0b

SHA512
b58942aa6cd3d999e060b2df8a6a7b68c5d7ff7040dd87b934b3c2128aceba6050a64d172597bb56c87ef74248e84d58887f5f0faa8cf3b196bf32275c98b876

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
64KB

MD5
ac45c670d78f5f8b51cce72e4aa41297

SHA1
d4f49e4e08ed866c0b1bb778a690f54798b275c0

SHA256
516f9772f88f2f331f0f1fa77e89f1f8cfcbea66d226b22971ac29f582a40b33

SHA512
3593ca071a4e23a2c7ce798b0a6a3649a65a79bc0a3a1a86a2dabfa6085cd1812d39d864267ee15f181395f82d38fff5c3192c1ea1c489dea93b5cfe001b40e0

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
78KB

MD5
febbab6f69a0c4a9d58a8a7f8ebcbe79

SHA1
90f00585877664e8664ae4d76300328af7b499fa

SHA256
eefdde898413b00eeb1c36de1f3d644ed77e144c799526ec66d8eaba5f1a4576

SHA512
04b4e3024cd01a1412cbeedd682a4a3adf0b74d07166f7b1e35cc5dd57acd6ae44b746b92bcc980b23410a5e752354579bdd728bb0200788e742d1fdf0491319

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
78KB

MD5
c0fbd324a769391e6bfa6ab3f37bc11d

SHA1
78b91fbbd146e7e240d6ac7bf0282bb5aa501c12

SHA256
36b4a08e397e04c4ebfac33022eb84e38b379b74786ef79b5c6efbb73c324bc1

SHA512
bc166e242754e14280343e763b00072a2517b73944baad53933b781311626599ac6e1bc1d3174d2d1db2352ffa27596d3f2f707fd1c3a6f6fe9ce5cbc3a20af3

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
78KB

MD5
42463e29a3f8d39033b6a78825bfe817

SHA1
4ca5c09bfeb699864b089c18aaff37794eda8389

SHA256
3c97f1918bfe74c4042670fbecb4b9d4eef14fcf691bd6b156c2634cfd57485b

SHA512
3628ac01c99de9c3b9ad0166c9ac1585675a42bc4bbe67199973d1234d25bf7d9ac96d5a08de606253187141ace09bdb07552d5f29129cb76560953b8ada3f85

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
78KB

MD5
5b41567b68ef4cb27da8ceeef98ce6c5

SHA1
3fe5b8b86a985861254afd79dff013a6d436da39

SHA256
a97ebb1595128d524c0a0f3144c8144cbab5ffb0dcfb4d549aafb93fd09b56cb

SHA512
f4bba8bd03331ffed548bd712489cb934cfc5d7591d5077fa2daca6103029a17748dc8b6a4e2ada24a231a2ad66fce9360c498f6b880208d876c12ca53c3d7db

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
78KB

MD5
184883c2df5459fd3a34d225668541c8

SHA1
b6975f4f857d26439768eae579d558f61c8136d9

SHA256
ddfeb34d2b1175b753a21c44803d93dfd1d8eb7ac69e46d3e55b3296d5bb049a

SHA512
68015c2de86f2762ab8722b54f24f53f9397d3d267f6dd041fc1c8b74d10e3745c4619334aa3eab8329526a8ce6edb12ad10c052d282a2fc4abe12d641580e1d

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
78KB

MD5
279b552a631992cc29fbf7aca6c9689b

SHA1
d82c6a20fa131ba49995f48c11826dc4f274741a

SHA256
a8fc9d1f1393633c2184ace8a169102bdf692e18678ca0745fc1bcc73a993ae6

SHA512
f3af85388c34ea73b2e5d27b859ae3136b14ac84abfb3eb1991562106a02d34bfbd23ad8e62114c124a5d7e8f43972d407a8a0be2af312ca80a4160dc7c60f82

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
78KB

MD5
6ae29033acd8e912ce5c0cce115a32e0

SHA1
e83517adacd993c3cb2854457a5e9e491fa183cc

SHA256
d7edee266e32798a7999325b342d6ed93230e3575298aa7be7cea2555bc717c4

SHA512
b8919f6d1d283f27b1adf14010da4f818cce3d1d852ebce518b20f2c2973ceea8221a935911ac63ba0d7783ff7ba89acbd0dc0d9bbb9dfbacc02eb05661ebbd6

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
78KB

MD5
6bf59644ae17281070f79bab9b7b072e

SHA1
30391c1eb898f6c1120c4335341755da5cac43f0

SHA256
d5ed9be8b1d03929a150cf4b32ccae25845e9c8924a140928c53fff0067db8be

SHA512
9ac7bb98cbb64693aeb2f49ccee311d63c64426910bb8706cb70b9ad5b9c3cba38f478eb588471cb7d452c5b7a1e6f0d70d138e705c12e981c5926f958aff3bc

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
78KB

MD5
da7ebbbf1f5c98f5f6660d707d843f58

SHA1
21202c3e5a120c579ec074ae5d891c355b8bb3ca

SHA256
974420f8373650d71aa79dd1e1bf2e318938d15da61f72869e3f5c528e9c5d4c

SHA512
af1167c01a27f880be6c49b34b4e9f84562429f30fc329faf3b647a21a8c0516d12a965d9ef02499fdec6ec57315b81bf8a84c3034821a8531d35927dc3e6f18

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
78KB

MD5
4dc520fdfc82b82b16a6e8345b5a9931

SHA1
d698d294a477448cdb25d8115b99ae45319a8036

SHA256
7b0387d6975f47024d19d1ed3161b21885eb62ab95ce959b43e52b1e1ca4b414

SHA512
c2bbefd2c82391024eeff40ed0c4a50ea7a9fd830ab9b3cc63f4095b9e247874921b8682d7928d6363c472d3f44a96b8c000c4c2a1cb716c73fcea51ac2fc626

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
78KB

MD5
48bd0c2346dec5492d9c1e8063ea5f98

SHA1
1f2fa3e74fba09c6f84aa73dd4fd6687e65c1da2

SHA256
bafc684811bf4180eace659e82d15b5ed51f4da1b3f973cc4215767cedfd611a

SHA512
396b031a6d9768f6d5d401e84872ec7906bce009ce0dfb119dfb015c6d5ec04d72bb1c4d6323db2d64235579a9311ea2a7a6d1344b648e30a03845f993662a75

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
78KB

MD5
ec8a631871feb1a63c7727dfe7986770

SHA1
0a25f7c5cf9ed695332c78ca2827c2d9d3131b67

SHA256
8153fa435f9e573c73b137edba8caa43f2b780b1a3d22ecb1c49cf7ae9e66a0b

SHA512
38dffa20452cb34980815619076905a93ff4c8a84900997c3af8b9480a01a82c8e24926cd8367e0f70f9519b103baca6d41778992b68d2801448b9b99fdafc78

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
78KB

MD5
c0d5b28b5775c6773390f2ab99b1df31

SHA1
806e48a92ae1997e8784f5a77aa80b4f5836cf58

SHA256
d8c37a05662f24cb41d34ed66c9cd00d91b14b6166430bad0480af09446d3170

SHA512
4e31b39869f33fc5c6627fe1bbe24366a65dedafceca3edaed368279e2ead06905a32e7ecf4f485480925f98f46f0337e9a59798684922ca711c70de5d396e43

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
78KB

MD5
bc57f5b8ff74e5223282feea2753afe2

SHA1
47e5f0518f73186eb401f6136a1dc2c7fc4ce27f

SHA256
ac4c5f2a8912a80c014570b5fc5bc34751de8e7069adb5ba75f4044c52028e85

SHA512
be5ca2442f10f4f65833ebe62724d92e58da1c8c3eda39ab48dcd607086d38a001db561d3bb7809f4f7957d8c36743fef20714f92cc6953c045512718984c699

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
78KB

MD5
df8b9137f040b5f575734018efc9a363

SHA1
c9f32dc15b954bae50f784a8ca647bf355d6a01c

SHA256
bbc4c7bf1ab49cdb4bbb50094fb77d7515d3caf47abf8219f85684cf0e72675f

SHA512
17a691537c34434df0d943e7069ae91a4f1226288ae55952eecb55fef4a2509db76673ae0a5fcff5297b0a9ef8e5fb84e25741b496db9aa85ad989a23a3a4e2e

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
78KB

MD5
737528573a50469d2b7f1b9bd73d82e7

SHA1
bc351589b83f1508e2f5560a42ca6fbc47da5655

SHA256
e7512cf56764e5f68359ec1cacda89b25d0e15d061f405d5a358a1cbb6bc7343

SHA512
607139fa7aeeae1ab0dbc66d4e06cbe0b47bd9c5d32c131fa7b45cff78df2d28aa5e9b59a793b0f172a1abcdd8988438efa7a436d8e30afdf643fb6cdd8bb2ce

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
78KB

MD5
484c1f21ce142ca734395448d673949a

SHA1
7c82a8cc9eb32b3d81fda473e0d0809a96fa9021

SHA256
a69cf2671d89547cc0faa6e4de825424a67ba3651085396bd87fc4f658239d3c

SHA512
e0e0b210c6c8103d12b8b4c36c82072e06748641ccea83dfb9b8bdba71a074e9b1321d59dc151b65332f61bd24a0f6045a68504337efebf3ae53a6598525b688

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
78KB

MD5
c73c7e081df92fdb958c830926836273

SHA1
038200cd2c6c5a516230a01462219dbcd30303b6

SHA256
759522d3b2d955f4e3f3a8277e78ee4c94b2b1614f5a49ec27c91913d2620c50

SHA512
1cd394453e8fe54fdd662bc011fbc1242f5f173a34ff5a7f80e5036e4cd04a0cf2743f329710396bedfcfd3988a168093197970c1316621c9b68b32b6e6a8b0c

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
78KB

MD5
ebdbe870a55d05d11c9889d624512d10

SHA1
f195e363859592f0d23ba4c072a1efb8bcc1a951

SHA256
67c6c7b9dccb59b24997daf827520bee3599f73a3db4aa8c7bba979a4ad195a7

SHA512
6ea2d8f41869a3c60884ace2287c02f996ace257a3bc99e356cd5a2a2dbea3923f29a5079ec3be2dde4a44eb120dd58f52137d74e0673c993350989f8ed0f57f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
78KB

MD5
acb6f37eb1ad7979593354a0d4e1fff1

SHA1
f174dbd7f654755f63c4c9b9d6b4556474e1ddad

SHA256
6b150799dbbcb8aee02d0ccbb7784adf823a810d486973ad480f2ac958918250

SHA512
5c77100aa812e6d75aa22959a3c69cdd855d909d94e97bb31258908dd01ba233ed998898b46800f5f779ec32fb3f2000f59ab78c2465ce3a220336f251291007

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
78KB

MD5
f14f4d32b3215b1473823550271f2857

SHA1
4fd2180ae8aecc56227712420cc23efa3b1b3ab9

SHA256
90dd63f509d0ba36afa243ea3674ff5607eebb5ac01456d624f78688d3350b66

SHA512
3cfc25ce561282be05525a470e3c5c2b37a94c13d514ef0797726c38c47143a52768235e1c092c908043d12d80a81c70410d6730e2c28fb5b85da8193d5b82d8

Download Submit
memory/428-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/428-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/528-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/528-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/992-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/992-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1300-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1300-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1336-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1336-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1476-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1476-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-265-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2108-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2108-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2108-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2188-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2568-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2568-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3116-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3116-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3224-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3224-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3368-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3368-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3404-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3404-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3480-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3480-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4232-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4232-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4400-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4400-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4416-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4416-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4504-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4504-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4552-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4552-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4808-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4808-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads