berbew | 2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042f

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe
Size

163KB
MD5

75df677a94fda2e376b71254abdc3370
SHA1

79583cb3b3dc2a144507aec0ecd32c30747039ba
SHA256

2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042f
SHA512

2c21e8cb650f2e71d746efb5285cefed966475f26f9266bef978f2b14ac2ffb8d1a0d42f53811d6260d9d806b3bd3c3ca6935c2685b6fb625c74106b38da53d6
SSDEEP

1536:PkKPyhDD4aowHxXUNxDxZVloyXQQQQQQQQQQQQQQQc+ZdT1FMklProNVU4qNVUr7:MKi4aZHpI+ZdTbMkltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 38 IoCs

pid	Process
3628	Aeiofcji.exe
3664	Agglboim.exe
3424	Afjlnk32.exe
1580	Anadoi32.exe
3960	Andqdh32.exe
2072	Acqimo32.exe
1564	Anfmjhmd.exe
4428	Aminee32.exe
4448	Accfbokl.exe
2128	Bnhjohkb.exe
836	Bebblb32.exe
2812	Bjokdipf.exe
1376	Beeoaapl.exe
4940	Bjagjhnc.exe
1296	Beglgani.exe
652	Bjddphlq.exe
4136	Bclhhnca.exe
2720	Bnbmefbg.exe
2940	Bcoenmao.exe
4560	Cfmajipb.exe
2880	Cabfga32.exe
1640	Cfpnph32.exe
1228	Cnffqf32.exe
2008	Caebma32.exe
4956	Cnicfe32.exe
2780	Cjpckf32.exe
3484	Cajlhqjp.exe
1448	Cffdpghg.exe
2472	Cjbpaf32.exe
3828	Dhfajjoj.exe
4436	Ddmaok32.exe
4132	Dobfld32.exe
1500	Delnin32.exe
4536	Dhkjej32.exe
2216	Daconoae.exe
2400	Dfpgffpm.exe
552	Dhocqigp.exe
2432	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	2432	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dhfajjoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 3628	4324	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe	82
PID 4324 wrote to memory of 3628	4324	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe	82
PID 4324 wrote to memory of 3628	4324	2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe	82
PID 3628 wrote to memory of 3664	3628	Aeiofcji.exe	83
PID 3628 wrote to memory of 3664	3628	Aeiofcji.exe	83
PID 3628 wrote to memory of 3664	3628	Aeiofcji.exe	83
PID 3664 wrote to memory of 3424	3664	Agglboim.exe	84
PID 3664 wrote to memory of 3424	3664	Agglboim.exe	84
PID 3664 wrote to memory of 3424	3664	Agglboim.exe	84
PID 3424 wrote to memory of 1580	3424	Afjlnk32.exe	85
PID 3424 wrote to memory of 1580	3424	Afjlnk32.exe	85
PID 3424 wrote to memory of 1580	3424	Afjlnk32.exe	85
PID 1580 wrote to memory of 3960	1580	Anadoi32.exe	86
PID 1580 wrote to memory of 3960	1580	Anadoi32.exe	86
PID 1580 wrote to memory of 3960	1580	Anadoi32.exe	86
PID 3960 wrote to memory of 2072	3960	Andqdh32.exe	87
PID 3960 wrote to memory of 2072	3960	Andqdh32.exe	87
PID 3960 wrote to memory of 2072	3960	Andqdh32.exe	87
PID 2072 wrote to memory of 1564	2072	Acqimo32.exe	88
PID 2072 wrote to memory of 1564	2072	Acqimo32.exe	88
PID 2072 wrote to memory of 1564	2072	Acqimo32.exe	88
PID 1564 wrote to memory of 4428	1564	Anfmjhmd.exe	89
PID 1564 wrote to memory of 4428	1564	Anfmjhmd.exe	89
PID 1564 wrote to memory of 4428	1564	Anfmjhmd.exe	89
PID 4428 wrote to memory of 4448	4428	Aminee32.exe	90
PID 4428 wrote to memory of 4448	4428	Aminee32.exe	90
PID 4428 wrote to memory of 4448	4428	Aminee32.exe	90
PID 4448 wrote to memory of 2128	4448	Accfbokl.exe	91
PID 4448 wrote to memory of 2128	4448	Accfbokl.exe	91
PID 4448 wrote to memory of 2128	4448	Accfbokl.exe	91
PID 2128 wrote to memory of 836	2128	Bnhjohkb.exe	92
PID 2128 wrote to memory of 836	2128	Bnhjohkb.exe	92
PID 2128 wrote to memory of 836	2128	Bnhjohkb.exe	92
PID 836 wrote to memory of 2812	836	Bebblb32.exe	93
PID 836 wrote to memory of 2812	836	Bebblb32.exe	93
PID 836 wrote to memory of 2812	836	Bebblb32.exe	93
PID 2812 wrote to memory of 1376	2812	Bjokdipf.exe	94
PID 2812 wrote to memory of 1376	2812	Bjokdipf.exe	94
PID 2812 wrote to memory of 1376	2812	Bjokdipf.exe	94
PID 1376 wrote to memory of 4940	1376	Beeoaapl.exe	95
PID 1376 wrote to memory of 4940	1376	Beeoaapl.exe	95
PID 1376 wrote to memory of 4940	1376	Beeoaapl.exe	95
PID 4940 wrote to memory of 1296	4940	Bjagjhnc.exe	96
PID 4940 wrote to memory of 1296	4940	Bjagjhnc.exe	96
PID 4940 wrote to memory of 1296	4940	Bjagjhnc.exe	96
PID 1296 wrote to memory of 652	1296	Beglgani.exe	97
PID 1296 wrote to memory of 652	1296	Beglgani.exe	97
PID 1296 wrote to memory of 652	1296	Beglgani.exe	97
PID 652 wrote to memory of 4136	652	Bjddphlq.exe	98
PID 652 wrote to memory of 4136	652	Bjddphlq.exe	98
PID 652 wrote to memory of 4136	652	Bjddphlq.exe	98
PID 4136 wrote to memory of 2720	4136	Bclhhnca.exe	99
PID 4136 wrote to memory of 2720	4136	Bclhhnca.exe	99
PID 4136 wrote to memory of 2720	4136	Bclhhnca.exe	99
PID 2720 wrote to memory of 2940	2720	Bnbmefbg.exe	100
PID 2720 wrote to memory of 2940	2720	Bnbmefbg.exe	100
PID 2720 wrote to memory of 2940	2720	Bnbmefbg.exe	100
PID 2940 wrote to memory of 4560	2940	Bcoenmao.exe	101
PID 2940 wrote to memory of 4560	2940	Bcoenmao.exe	101
PID 2940 wrote to memory of 4560	2940	Bcoenmao.exe	101
PID 4560 wrote to memory of 2880	4560	Cfmajipb.exe	102
PID 4560 wrote to memory of 2880	4560	Cfmajipb.exe	102
PID 4560 wrote to memory of 2880	4560	Cfmajipb.exe	102
PID 2880 wrote to memory of 1640	2880	Cabfga32.exe	103

C:\Users\Admin\AppData\Local\Temp\2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe
"C:\Users\Admin\AppData\Local\Temp\2c5c4e6db4d6a545b6e1dee49211fb25332775e48583b426bc3dd1ebe481042fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\SysWOW64\Aeiofcji.exe
  C:\Windows\system32\Aeiofcji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\Agglboim.exe
    C:\Windows\system32\Agglboim.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\SysWOW64\Afjlnk32.exe
      C:\Windows\system32\Afjlnk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 212
        40⤵
        Program crash
        
        PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2432 -ip 2432
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
163KB

MD5
307c81b83c3f0d73a4ada4760e8872d3

SHA1
76e0527f9596ef5f4bf1c608d8439079f0b7576a

SHA256
7799b9cc0f9c54f82315f2b8de898faaea505950e2e662cf2ed3f05422b3fac2

SHA512
a62a61c2c8ca554928180af16426f57a11693348585113bef8598201fc44080f0a3c911cdbc1aa730b188661001a5520d353b0fe2038286af5af27e241efe9b1

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
163KB

MD5
723c809e71e94c6ef8015d0eeea1fa84

SHA1
9cbe9a86b18812a983926210b7d8fe0277f1acac

SHA256
e4101d8d2d4596013dfe875cc2f9231c632b9fa1f61426994c5d5b5dea5764db

SHA512
c97680d25c170d26637a604b4e7a693cd6ee972eb7f7a557c1bb35186fac9ba17ee00fd0e0ab10cdbaae9dc7434841c469e13a110541d0e9369145a03fa2b012

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
163KB

MD5
09e159cfac6ffc61647ca38585e7b212

SHA1
d128356cf57ea23882fb47ac8bec528e7654498b

SHA256
990d0c6dac312cd95b67ce7dce8320c53bfaf9eb3bf80690001061a7fe5f4164

SHA512
ae3177ec38071452249fa0d9480fcdf6bbeaf0396c3da9567e81ad20854b1864e0def41d1049602ceeecca8509a55f54b0e286400f2b7f2d058c0ed493447495

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
163KB

MD5
814e48c1ede73942be83efd6d16ef495

SHA1
76186db7412a28c8b0e2c807b7343a80ce5d9fd3

SHA256
95d60206df304dabfb0589433b290cf56c4700b28e8870c93dec3a4cecdf72de

SHA512
655291e1af2a8b9033cc9286fd482813ccb361650836bd45067fac0c543d2d448eef163d85e63067d24b3fa7dd802f7ec77b950737b269d1c5cc455837b72441

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
163KB

MD5
b78c91cc74956ceac63a0a72610747bb

SHA1
b09d59b8aafb18f97d7e7bde6fe7e16b6d354644

SHA256
2635fd2c45d21c8dc95a19f986ae13def4253d3c09ee09d2216fb22d27dca09f

SHA512
2065ac8914ad06be8afdf44e9ef243232631cbe4a53ab675a62c7f46c593904619d3f2368c04e027afa44528b1e2619a7aa632ba8e379bb7c9f553b90e1ced41

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
163KB

MD5
dd81986b32c6248406009017dd0c2c5e

SHA1
a9250ff8c3f75af641ad208a28922ea8c1e8216c

SHA256
648589d152af440bea0d48b1c22be5b6bf0c7fe3c4b15520b3f093480f10e398

SHA512
5eab61c4c8ecbfc2756872a70152ab93f8d93e2e24803e91dda7c64c09b0663011da4b750928f4c21c199e62a1ad2142b0c364ed8e0aaf3bc1a9d9580e898bc3

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
163KB

MD5
883a6f8a47fc3825e27a3898e9f01276

SHA1
40f8c818ac36c70e6c5a4606c5d0ccb944ccf9e7

SHA256
685fed5e2f9a0d917a701a1917cb14d586f40f03b98083a76df92db4d4829b60

SHA512
f603633e38b4101940f75e14d8fcf0f0c8c0257a9120208ed68575b533893b8c736099b9db68e801f640e07d48f2d54609b0a9b88a1b155211173cf9b9aa163f

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
163KB

MD5
7809c0f356734d0887a4970f0eda1757

SHA1
ee1bd579b17e8131d1000e948334aa3816d50f33

SHA256
c9ec94b9b99ecbe2083c253ae54acf44d6a9857e7ba75170d525792dab744fd3

SHA512
988b9fc7cb985cc852eb83742f3b41364834e3fd185f5bb59e4bad428ce8514b8dd4450fd348bdc0f0000fa534dfceed87b74c83c5efa2c641460d77ea5858d9

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
163KB

MD5
75e85fc9537e677a3b2a8eb9b2270151

SHA1
0600b3c66187196e2c91fc5725429c42248257bb

SHA256
b477a171215256f10ff3ea7540340a16ceaf6e85613149d30e5b2d2f219af0a5

SHA512
94a3533ea1029796f42b96c90b7a5c302d7e7a57bc6fba1a1c7ed6aa5af664f28c18cf8a266c0aa4524d0166cd80a3f4cf1dfed5d46e288cd67c17b872972eb8

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
163KB

MD5
76dd2a9b5684667c522f2a3a63b63f4b

SHA1
54cd2746b7b94e683db86384c3c9a2dbfaf44d0f

SHA256
a1b97905de0a995fd02ba9f4f0dccc21624059f6e7eae5a4a854a240c1594562

SHA512
9ebfb21edcf6a06f76385a2055b88e74d9c55c3d324ef49475ad2c1052d5359a19b3531abb5b6e283bb1f5cd94d9c35c945e0e17a8a1f23931d05a9769a95ffb

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
163KB

MD5
d56e02bbaaa4af093315f982ceeed690

SHA1
f929e401ae1d871cfcdd74c5bffe4b414841ba17

SHA256
7d83a682562b86b3f9a7595131d37f21e680fd35f98b4f5e57c88b1c69860d39

SHA512
38c231b5c149499d139dd5a1c2f7a1150996f24af6ebda83705ceaf205ba32b11de988873d63904a4d023ead1086f0d70ed748e48390bc846a0a6cd79d00fe78

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
163KB

MD5
5c4b4125f20107674c55ebd08c201613

SHA1
b1b9ce4b4cf1ebc9b7ed2fcc43e67f8025ef98cc

SHA256
3d8758dda0f544d89d9258a4231f78121787354c881ddff9fbb4d28d5f4023b6

SHA512
87ca3933d562305b22ea432628d725b8958f69ace2ed710791ecd53e74c3059f82f39f422bfb5e847345dee3392e75242cfa783be9958bd63ca1b72fd95adc87

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
163KB

MD5
5735ccf60bb3275540fa95a09112cdd1

SHA1
c5ec29af24f26cf40bba37e1a2c84b93a7c28caa

SHA256
a9d6b7f211a51940e98223f840568fde08dc5b261bb2a1d6245818a16ade6a66

SHA512
e482911fb53ef7b2cdd9bf9921fd655abe2578cde22627de89349b10b1696fca68864c4071bb0d8f8331226bfbbdf4323b039befa4f022e79ee63214248a8ac5

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
163KB

MD5
a0e9349c3467610c7d5248fe345d9066

SHA1
1f55ff653f37346bc7144e4e8629717f7710f003

SHA256
84e95d222b3c68cd539a3bd618cdc201ae9f8bb06b85b89ef31ba67de4c867b5

SHA512
f63aa76bf3f0b8108a7ab35f0cf687b8fb94f650f1f2ac9fbb3915884fc3488e803a9b9bc7387ca05b98a9b430570bc919fd168bf4c5087f3b6c47b840c67f08

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
163KB

MD5
8b8e83e854ead289d9b91777897b9417

SHA1
9e7ec3962adbb0f2352b9112950a04ff271b9a8b

SHA256
8de0831317107310662bba6604c951b74680b2b64e66801a6c960b0d0cec1112

SHA512
4394f2e989133f54e2945c46f253ab0c7231cd96455bd0fe88cd72c4d263674bae099fe4e970aac5531530245a78d43c9c1eb04a3c8fde2c90786c40af22cf4e

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
163KB

MD5
b24230b415ac35037ac70fc3b8f61005

SHA1
0dd431bd7ae89466008c6effd0544be93fd43f82

SHA256
0e62bcf7f20f39589df0492d3edd65051e2e7aaab270c45ad4fc2faacdd4dba2

SHA512
fef6dd808180cdebe9ed300baa8069cd39783a09b1ccffaafe7b6390aab7fe732b72b52231391b5e703f397312196c00741369d5ed24cbc9c77aa9d63534cb40

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
163KB

MD5
6d779bf8d1548d3af672920787b696ec

SHA1
52135bf7e8e0413a4e5ee859a5fc028aaf29ce8c

SHA256
645c288e348476cc8b6eb8792642430266f81085169b7e20ceaa7538de7f9266

SHA512
2ba020070d345054cc3a72453b1e6141b333f55a3db15a7df5878aa11f3deee7856e8dd191cbf0686465b7012da857efe2eeb5283b51f3578219ce531b2e456a

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
163KB

MD5
f1441606687b4818c06cb6cb4fdc65c5

SHA1
6cf938bcca4e8e16667ae9443c226460037cb9e9

SHA256
246e18ffc7d4a205dc4d4d82ea828b9f8899e72e8ce9c05a3847ca146e9711ee

SHA512
5c0fb8c4cb220e19e0a4d8d69a61fd13bff581cfe2383250d836faf574ef3640856ffba7354373ebcdc9f44ca22c3a27c204bfb00e96b437c9d55f08b2091955

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
163KB

MD5
ed9a908c9229866f2765b1d25cc09f6c

SHA1
f73642e5aaf6bea30404ac13bbf2c06802115ab1

SHA256
0fa89c7835bb0f9eaaab5b898e03c6bc6f1d8065870a06fba5c9465278863cf1

SHA512
cc8b05b32e9d08a4b1d7bd5d9d4348458433f6b3a9120df5de6a92dd4094bfd352ce3abe3d8b79963c4e6e0638a08fb073b2f5fb302b05aa6d7a325cd8e6f0f8

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
163KB

MD5
886b4fe957df37fec14dd3ec0d384694

SHA1
e439bb89501f15d1a8d66d0d051d074d623f9fc3

SHA256
b72812b5f8729e248a0dd7dd66179747e245343d99718420acf815621cf53c5d

SHA512
2874f9b0dc34d37d74a4c373aa4bfdb40d258f095f7316793d0cfbed0e3fb16eaf1d519e6117874633854bdb1b32a6f3679f3e708404c6c3466bf4d3ff46e0f9

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
163KB

MD5
ff4713102528e35334472b5ccd9b1a79

SHA1
e97495ad94d7db1141e3cf11c9e12ebe4e30eda1

SHA256
0e040629bd6697aa96a4aa0ed1b3b1a5cb99c9f2e23b83d71aadf3412c9f7184

SHA512
9e3d6348e922efc8a64d45fed8e2b9e3e4fae68dae059dcc7a85e9ccb0fe783de116643c0ee96bfaf6b1e651def668047ec13d967d3f459100981ba25608a77f

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
163KB

MD5
37426138012087076188fc529db87cfc

SHA1
2b4ff75e0a023b6b4b867b5ef08fe8fbcab9cd8d

SHA256
ff720b9fe4488b0fa64ca8e296bf7c6bb0bbbcea8e3e2bb577609f9b8501a60f

SHA512
4f01750ea5ff7aa1bbfe1f21a82df458910ce25cc6ff183cf5392b930f59e637d556dde9a108527dd46f2b901aca89347f830da3449ce0dc7c74ad49bc622dcd

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
163KB

MD5
182d88a56b57dbdb2a18315fa60cb99e

SHA1
a69cfac660ef3e5e459d4a723eb76b8adb8cfb11

SHA256
ca8722d049773c1cfcb1b32cd65d6ec669731a18e451117cde3758fc1295170b

SHA512
d3b720ac8ac8819e6793b479bb98019df7dd313f0d54ffcb07b5f00a61b614b921caa8550dc95333599bf9f1d83283a446d2be26b84ab5682610edcc60415bb9

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
163KB

MD5
48c76772b9b452f40b8b3134e689fb80

SHA1
1c2a8434eb04a5facece1d10a8d8799e5ddbcb15

SHA256
b6740fd212984f24ab19266d1b2a29f4de0c0b47ce5f3c9da91cebbb47878670

SHA512
54280d86013bc5e0cf1a06e4792499bee0148835ead93b60a43632a1abed2a8cfc98c9f4c1cc25f52fdb3c5476ddc798f4216a6ec796d4a2825476e4729cff9e

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
163KB

MD5
9ac177ce7ff2544151df633e56b8e520

SHA1
58a157aec8b4370dc90288b1aabc5ee8df6f00a9

SHA256
5cba2c3bae7ef5f796bfde18284d0f49e03eb0e02d70573671353dcefa690f87

SHA512
d40e1f90ea58c4e33e8b16009ed1d30078195f13c06944c2f6c2050b2a491ee0a83cb8064133f6340ec65a4571558d18e98bdc7798295c999340312062472294

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
163KB

MD5
59aa0d6546db96a8359333ea298e7918

SHA1
0bcae175468ef462855e64b3ace1ec8d1f92e702

SHA256
eb80ec9a1cd4b65c4ef02e6cb40a2b9d91e470df6fa75a01ea5d2652147d4bbf

SHA512
3a7c41f56cf827ce89232c8101cf701be7b4d72900fef55e33a9b97de7b9921761aa55cd9cdab262ea40d27eda92632abc03b4eed5550c00ebe7b3006067125b

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
163KB

MD5
8fd49f52358a730ad5f3cd0d4be368e1

SHA1
8cd1cba379e514c9d98110356cf0dee39f2797fe

SHA256
06cdb7cb7e56172ed8c6136759afd8170ff1c2b1637cc7cbc1b66327a9612e6a

SHA512
98e9a77c723e3ddf16eb88105df93475a105164180f51cb644dd7970d34a49d0247343bccb9491cbd9f137aaab33ec0b37b93cff3f44902d14069480cff8ca0d

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
163KB

MD5
23f7adc5a52870ba031a0cffd8b14d12

SHA1
d8f363f69f195818d55e0d8e95303d80ec6ca4b5

SHA256
d27a56c7923ad73dee570c52c1c9f8fc67c87e55353b7941092d451d165ac5b0

SHA512
1b7b66eeb6d309095d3fd124fb5fcc04ba0ab373d7ff1061b03fd295d9221165c45c01873acc6c49d5287930cef91a88671349faac055893940212d3104905ff

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
163KB

MD5
5b95401551992fd18ee83298ab3472da

SHA1
a2388e43c0d7cdae9e29b19cdee366cc5585d48e

SHA256
3c26b184dc70b7f8ff0c17621d428910f6c3675d28e6cea3c75f9e56d1b1192f

SHA512
5fdbbc159d4a9b9f74f7b45449ebcc20324ccdc61974cd06baa65adb697e4c33c993583478a15e96f5ea2f326ca988534dec8c0783e6d7b5a042e84b0bb46018

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
163KB

MD5
c20f539139336e8708465f3cbf4074f6

SHA1
ba4ed81a05e6f571255ac6f5646d8e1f6d96ce9a

SHA256
4527aaba47f92f94b85135b68d3ca85ee8d3000163a1f55b31571fb92b6a902d

SHA512
c02bcae269e2c1299799f8dcbfbd455843dbbd254decbb9a3a4ee1f8749561f4d4f60a3a023aa3bfb8613794f97755a986ae1c327f9cde27a9f221d0dd0384fe

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
163KB

MD5
89a140d2c5aa267bdad4cf62e9f61457

SHA1
89c0bda8947e6cb224e4576d91045553121b4093

SHA256
b60d0639efe5307364511becd9af3539446891494ff3903d315991aead7cd8f3

SHA512
5e43386038d052a69a38cc8773662bd45a72763603a1b1aafa6976f72eb58dd559d2a642f164b6e1a0b554b8bcb5d52645a73ee302432ed222582252b5ee1bdd

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
163KB

MD5
4f1e78c170a2bc2e50efa9bb425ffeec

SHA1
4149aeff5ac78eaffa27550d678fbf88dacc909d

SHA256
d479d038948abfc5aa146794dc11e778b5960cb533527259739675806267bebc

SHA512
e4ca6499ca4d063c8b4efcafc1ba06afb4f73f84c9fc33539a0a6f4bf2232f60aefc7e8c554b4eff185f061a54b5fedd37146897d45ba3f4a007589950553cb8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
163KB

MD5
3cf594d91fa555cbb73e9dd2a34caa94

SHA1
828a815f47a3ba7458e134a19ef6537476e94aaa

SHA256
a360db7bcc8d314e1277f1129d78077e7cbddd13d7096c4d03e7e2ff82a4b7e2

SHA512
7595f91eaae92bd210eb8f4823c190ef6dfc9801f169b86e9ae29900eb6fa31cc0dd9e3fbe5a6fd6207f51c6057a50b1e8fecb45eb92ea8095affce0c4a8d0aa

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
163KB

MD5
a646fde41f4bcc07b3b6fd93637ccc48

SHA1
75ade8b191a97968a0859d6b6365d7edb3afca25

SHA256
145ae0cc07148bc0af34139dfa6dbf518b3ec2627301f245c2c7ea3139dedc0d

SHA512
b96dd1b74e9ab65d0be945d41c0303d2b5f59cacd57e5a15cf8f0e7cbc7fa81f08e688fef96c38ca139f15c7db786edca9a289aa4cdb779e96796e8bb3502c4c

Download Submit
memory/552-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/552-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/652-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/652-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/836-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/836-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1228-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1228-190-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1376-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1376-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1448-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1448-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1500-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1500-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1564-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1564-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1580-363-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1580-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1640-182-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1640-327-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-197-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2072-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2072-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2216-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2216-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-296-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2472-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2472-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2780-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2780-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2940-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2940-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3424-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3424-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3484-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3484-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3628-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3628-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3664-367-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3664-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3828-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3828-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3960-361-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3960-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4132-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4132-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4136-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4136-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4324-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4324-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4324-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4428-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4448-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4448-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4560-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4560-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4940-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4940-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads