berbew | 126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
Size

276KB
MD5

d0ab9a053df6768272c49feaaec70af9
SHA1

b8008066c3edd118dc1e0939528bdc132a47b45d
SHA256

126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e
SHA512

8a1dc9a2f4e323d94671ef13318a6cef79d26e3d2e15ddc3898c21205fcd6cc4db403bf2511e09740f50c5af04192c18d630f9e1c7ff6c7a528d0ec5efb3a10e
SSDEEP

3072:qvDTU7wpEwHiPCcjbuLl90FA7qOc44eS5pAgYIqGvJ6887lbyMGjXF1kqaholmtS:qJpEEmBM4dZMGXF5ahdt3rM8d7TtLa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 38 IoCs

pid	Process
4528	Qffbbldm.exe
4508	Aqkgpedc.exe
1708	Afhohlbj.exe
4752	Aqncedbp.exe
3720	Ajfhnjhq.exe
3988	Aqppkd32.exe
2260	Afmhck32.exe
3600	Andqdh32.exe
536	Acqimo32.exe
3208	Aminee32.exe
4960	Agoabn32.exe
1328	Bnhjohkb.exe
232	Bfdodjhm.exe
1040	Bffkij32.exe
3160	Bgehcmmm.exe
3640	Banllbdn.exe
3984	Bfkedibe.exe
3432	Belebq32.exe
1536	Cndikf32.exe
2920	Cdabcm32.exe
64	Cnffqf32.exe
1640	Cdcoim32.exe
3660	Cnicfe32.exe
1008	Cdfkolkf.exe
532	Cajlhqjp.exe
3132	Cffdpghg.exe
3452	Calhnpgn.exe
1836	Dfiafg32.exe
4472	Danecp32.exe
3188	Dfknkg32.exe
2688	Daqbip32.exe
5116	Dhkjej32.exe
4832	Dkifae32.exe
1268	Ddakjkqi.exe
2444	Dogogcpo.exe
2316	Deagdn32.exe
4468	Dddhpjof.exe
3960	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2684	3960	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 4528	4632	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe	82
PID 4632 wrote to memory of 4528	4632	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe	82
PID 4632 wrote to memory of 4528	4632	126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe	82
PID 4528 wrote to memory of 4508	4528	Qffbbldm.exe	83
PID 4528 wrote to memory of 4508	4528	Qffbbldm.exe	83
PID 4528 wrote to memory of 4508	4528	Qffbbldm.exe	83
PID 4508 wrote to memory of 1708	4508	Aqkgpedc.exe	84
PID 4508 wrote to memory of 1708	4508	Aqkgpedc.exe	84
PID 4508 wrote to memory of 1708	4508	Aqkgpedc.exe	84
PID 1708 wrote to memory of 4752	1708	Afhohlbj.exe	85
PID 1708 wrote to memory of 4752	1708	Afhohlbj.exe	85
PID 1708 wrote to memory of 4752	1708	Afhohlbj.exe	85
PID 4752 wrote to memory of 3720	4752	Aqncedbp.exe	86
PID 4752 wrote to memory of 3720	4752	Aqncedbp.exe	86
PID 4752 wrote to memory of 3720	4752	Aqncedbp.exe	86
PID 3720 wrote to memory of 3988	3720	Ajfhnjhq.exe	87
PID 3720 wrote to memory of 3988	3720	Ajfhnjhq.exe	87
PID 3720 wrote to memory of 3988	3720	Ajfhnjhq.exe	87
PID 3988 wrote to memory of 2260	3988	Aqppkd32.exe	88
PID 3988 wrote to memory of 2260	3988	Aqppkd32.exe	88
PID 3988 wrote to memory of 2260	3988	Aqppkd32.exe	88
PID 2260 wrote to memory of 3600	2260	Afmhck32.exe	89
PID 2260 wrote to memory of 3600	2260	Afmhck32.exe	89
PID 2260 wrote to memory of 3600	2260	Afmhck32.exe	89
PID 3600 wrote to memory of 536	3600	Andqdh32.exe	90
PID 3600 wrote to memory of 536	3600	Andqdh32.exe	90
PID 3600 wrote to memory of 536	3600	Andqdh32.exe	90
PID 536 wrote to memory of 3208	536	Acqimo32.exe	91
PID 536 wrote to memory of 3208	536	Acqimo32.exe	91
PID 536 wrote to memory of 3208	536	Acqimo32.exe	91
PID 3208 wrote to memory of 4960	3208	Aminee32.exe	92
PID 3208 wrote to memory of 4960	3208	Aminee32.exe	92
PID 3208 wrote to memory of 4960	3208	Aminee32.exe	92
PID 4960 wrote to memory of 1328	4960	Agoabn32.exe	93
PID 4960 wrote to memory of 1328	4960	Agoabn32.exe	93
PID 4960 wrote to memory of 1328	4960	Agoabn32.exe	93
PID 1328 wrote to memory of 232	1328	Bnhjohkb.exe	94
PID 1328 wrote to memory of 232	1328	Bnhjohkb.exe	94
PID 1328 wrote to memory of 232	1328	Bnhjohkb.exe	94
PID 232 wrote to memory of 1040	232	Bfdodjhm.exe	95
PID 232 wrote to memory of 1040	232	Bfdodjhm.exe	95
PID 232 wrote to memory of 1040	232	Bfdodjhm.exe	95
PID 1040 wrote to memory of 3160	1040	Bffkij32.exe	96
PID 1040 wrote to memory of 3160	1040	Bffkij32.exe	96
PID 1040 wrote to memory of 3160	1040	Bffkij32.exe	96
PID 3160 wrote to memory of 3640	3160	Bgehcmmm.exe	97
PID 3160 wrote to memory of 3640	3160	Bgehcmmm.exe	97
PID 3160 wrote to memory of 3640	3160	Bgehcmmm.exe	97
PID 3640 wrote to memory of 3984	3640	Banllbdn.exe	98
PID 3640 wrote to memory of 3984	3640	Banllbdn.exe	98
PID 3640 wrote to memory of 3984	3640	Banllbdn.exe	98
PID 3984 wrote to memory of 3432	3984	Bfkedibe.exe	99
PID 3984 wrote to memory of 3432	3984	Bfkedibe.exe	99
PID 3984 wrote to memory of 3432	3984	Bfkedibe.exe	99
PID 3432 wrote to memory of 1536	3432	Belebq32.exe	100
PID 3432 wrote to memory of 1536	3432	Belebq32.exe	100
PID 3432 wrote to memory of 1536	3432	Belebq32.exe	100
PID 1536 wrote to memory of 2920	1536	Cndikf32.exe	101
PID 1536 wrote to memory of 2920	1536	Cndikf32.exe	101
PID 1536 wrote to memory of 2920	1536	Cndikf32.exe	101
PID 2920 wrote to memory of 64	2920	Cdabcm32.exe	102
PID 2920 wrote to memory of 64	2920	Cdabcm32.exe	102
PID 2920 wrote to memory of 64	2920	Cdabcm32.exe	102
PID 64 wrote to memory of 1640	64	Cnffqf32.exe	103

C:\Users\Admin\AppData\Local\Temp\126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe
"C:\Users\Admin\AppData\Local\Temp\126dba27133a60116ae3ae64e2d5237d6d74668dfa78ae27d5a84d9f1e881a6e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\SysWOW64\Qffbbldm.exe
  C:\Windows\system32\Qffbbldm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\Aqkgpedc.exe
    C:\Windows\system32\Aqkgpedc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SysWOW64\Afhohlbj.exe
      C:\Windows\system32\Afhohlbj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 416
        41⤵
        Program crash
        
        PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3960 -ip 3960
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
276KB

MD5
4888e4f7aeb2a5cadea1b2232e4e6dcf

SHA1
22356a05afa708fe27223077b7a98cff62c5d54c

SHA256
55c48cb078fa12567953fa4b71b025e9d60df127008ce412dc857bb5a17228e5

SHA512
3388735e4150427aa5ec23609d561b3bdf18791ea0ba426acb233ef5481fd94bb66bcf48e23edb5479f68fe8669981f9ce179c5778d3151a81d5144842a53b1e

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
276KB

MD5
35953c297d1848171824cc6c340edc4a

SHA1
60615f5acd7a0945ef43946ee2ba345e16c56efd

SHA256
52b5542639b05b335a2897ee23aed35049df4862f4f391c8432341f14133dfba

SHA512
485237947d1b70863d1de4861993ad37d3a9b6b8796066666ea89730c50c8fd29ef0d6c547f6d1bc56065c72574d8f21dd69216d9578e41bccc01f20bfd94b76

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
276KB

MD5
d95c6bd51765a3dca987faaac4f42fac

SHA1
84b76a23304e966509b6f9db2be9faec66e8e744

SHA256
adca7a95fa27c23a512c338da3eb7bc3ebb60000427f241b9cc2deafdcd15971

SHA512
314a695c68a77f04ba3e907bd6cfa84cdaddbdc13b8c1dcd34a58af42a7bdd578e12a8664b68bc0eba47c4a8b2b0962c888439d425b55dd6371a79083f8a0f4d

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
276KB

MD5
3a89598dfa538de18b5cbef169d9a812

SHA1
e721cc361a4d749fd92977a271a107f18912c764

SHA256
b3de20fb40938ace097c7c7fa7d82b2ce4da7f1498305d799d55d4b82a3d85a8

SHA512
ea6b29d804033e81162130ba7a34a4786f7a9f8f670e2f029e69b858092cf7e6763f72d5867c3685f1c5e49b79166c55f29f6e26873ef93eb27ba6bd73d777c4

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
276KB

MD5
8cf5b58d399d7314b98a6c9b66bc4e54

SHA1
ec2c71953f38ceeeebae2b8cc1eea002103435ad

SHA256
029dcbdee29cb48fecd4f3e100344881c3ee13fb5173f6697607cad7dc8c0205

SHA512
08af3282fd3a0b30924bfc49e25568a4b07764b2a172e99415cb76599acdd65ba187517aa8c05f2f39c181eb77d26f4ce39b4fa7ccf59aeba73f63f7e793492c

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
276KB

MD5
68c839c26ab909401a428af36b734079

SHA1
3eeed61cfbdcbc6c8d29839b6ef271bb41d1cba1

SHA256
f09ad5b77d8cc7d506045da872476781eb5241c488e02726bd9092da4a8a5ce2

SHA512
37bab1af050110cff56eae298655b0a26fd8eac454f09cd431f2c3569fef86d98a7a5c28674cf57739816fedd5c173260837335e9d96846f378700a8a6e2e19a

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
276KB

MD5
4d36ef21485ff38a8b1ab16185ef5847

SHA1
571ff845087bc68fdc9bd03f633e38e172a1696d

SHA256
27f56e2c81ebc67997e59df5462a5d16330edc1084550ac24486b73344658a28

SHA512
00c4a748129d72a0249e7c297319a65ee55ba0c57f6ae1306f3c8ab65202da53bfea24b636c779c2711f14fff06febd48ac241b112c3679e5c1ed2ea359c259d

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
276KB

MD5
a8bcf6721844b13c3ac801d1600ed9d0

SHA1
46159b4547b003c9c71b41c07517f851612baf9f

SHA256
8f786031834c350073fa869a2e38b5f84f286a5e9a27ce4c55f61b5c23be5b19

SHA512
8ffad1c92bb390a14b3b2abf3f8d6f52370f59a244f84b99ebcde2132fa8e171f858aed7850a659f19321079bd3c1e1e82d319b63794e8a568fe07c2e6d9f3e4

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
276KB

MD5
3af2203129fc79df721134ab70362e77

SHA1
26ae94b47471bb9a6d44b164dee3ec1100c29863

SHA256
566c9c0ea7a029e3262d23e6c86e96ebdf7cc5ffc761a5bf5c6acc31e2f61eb4

SHA512
f846c0cd7aa02e9d4c7770089b89f4ce6bee7c4f5d68042160f703d7968cdb93f0853afaa14b908c7dab636e198d25ca82568f9b5928c6aa3a4adf69c1375b0e

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
64KB

MD5
5239d95b8c25054fa20882bd573d3434

SHA1
92688e77567c417bc147a3b15889de10fc7f9704

SHA256
6f952decbac01c8010511c5f1bc8c11b65443a6ae943b7e546413014de0c5cc0

SHA512
7040e8dd0aab5fa6dba7b2e6761e8b6fa4668be58d94d201c21ac2a3a498c4b301705d9aa0e037df6c32551328efd6971645d7a58386a5680825ccc24e2a04db

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
276KB

MD5
dc6968fe141fb31cc8addcb05140d170

SHA1
c597a91bd0ad91b486caf964b476d7faae810f58

SHA256
3f3b3abc404a8632bb078e5f3e062a642a085557afc6079f598e1052870bcd85

SHA512
2d89cd324045ef6f142a399579aa61d41be084fa5768b4ccc209754c90abe94479568ffff06e522e6e59e49e508d82ed67c23d26883bcf7a9de994d246efc350

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
276KB

MD5
e22cc7d8e10644d8af773a4b69177cc0

SHA1
409f45f82290c042eb3e1d167b7d65b6508df14f

SHA256
06be07c825fc320dc9d170b6538a61116ae5b079127d26bbc5d5887509473688

SHA512
5032a3c94474218d205f56a2d6cffdfd41edbeb947f23d6077eb8d43eed704bbf313a376e063d5e9a2d3e205889ac50d6f323e29e05a6944de9ec2fda1dada16

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
276KB

MD5
226e317e6dad0211ef2f5837561eaed1

SHA1
f9c3bcbac1721cecbd8ca8c91578eb075ee3ae06

SHA256
1deb15cd43e2877164c208100c1ba0b1fc952c2eb647fbd3d68f99d35e0b6908

SHA512
2b5f95774d42ec8126eec74b146aa38a4b4f1bd796b6446ef317f68c724cf4a99dcfd6e17fe0784d6671841cbad68644206070cf65fec9118399523263d6d8bc

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
276KB

MD5
945bee454032b8a9264632d537b49d2d

SHA1
b6cfdcdd8c10fc617b51ccd535da857073f892c9

SHA256
57cfc737ebb9958bd5cb48d48abf2024d8d44a0f7b3f753bcd7d32a72394c854

SHA512
24dd56c97dceedb96977b5cd597c84f92cc60be88be5b678f038203381e3724b3f4142e36a046b91d878c00499db6cb5cc9311b8412033cdaf57bd02f411953c

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
276KB

MD5
0e6461dcb5f2317b76bd934245bb666c

SHA1
5b36dab86b661fa5bfbfaf02f231ec1a2f712d4f

SHA256
e3ad9afa21afaf53a39b3b5e141fc3570b517ef3b421150108d2bd91e0d67981

SHA512
b50a67a6aabe10a42146c1575e69f6d53ea9fa36dd64ad044d7cdd83835a49ffa13a2b6e60f4cb0852ac375aa6bee3c95c9baa8fbfb671ab5e205b2dfd4a4aeb

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
276KB

MD5
b316843c085f42bef4f8ef93f297a428

SHA1
3b739323e17eb73d850d1758e6509c14fa196632

SHA256
5aeac131bb7f699fc9e8ee26a6b58db9ac196257bf8759b323eb7a1bd60a8f0c

SHA512
69b57c473cc5d36dbabd2a664b69536bf23648ddcd1a401244215a9ce46a00c0e32ea201b83965d5537140812b007a2532191c6e14e15081e53d614dd856abfb

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
276KB

MD5
74069820254f3cd3357a7493f774d305

SHA1
37b98b34df5ed445848153990860a7e838125d22

SHA256
cdcd9b07f4a9018e000f956ec324ae4e99a8b6f66ff6474acdabff77ca063b37

SHA512
18fa742ebe23d8094d10ffacdff0f6fcc48c678f8169105a77edf29e44cac0a6ae40d5e7abec799029716cdcdadc8c3f5205b99f0a7a1fa31ee657955245a447

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
276KB

MD5
7ab65ff8a0473d84608bba82bb47bcf6

SHA1
355e28f07092aae54476067213d071cda80c0149

SHA256
15f7261332e0a58ae2f3b5c74cd8c83a7b5b20526294e78f4e0a60b56a5f2e97

SHA512
60e60e3f81f5e57714421de9d7ef93883d4cc1eb783114883ec25c5f5b7034bc66563db6566c4c1f35ab1cd38c7de70419a7703c0ef152e0e5c9924e6503800f

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
276KB

MD5
7c340a930cbe369a068f09d6b30e6bcb

SHA1
bbbf5f162227948bf9fe4230da10e053ca4b5444

SHA256
36ae4a91e5a979f88a2863f2d4fd0599c74ba27a0e1253ce0c6c1ffaaa1bc99a

SHA512
45cf0c6b13627c9648f9ceb2e630d650a136d0bd492f65da1cd7489825f8b493bfec873e0485ad3c1b76d2da4d7e43d2ca0accf7c79d9a31b90219db08dd3df8

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
276KB

MD5
7635ac39cdb3d085a79ec2632ae33725

SHA1
c5b93fd98f4d4d5ab6f454306041e588605a05da

SHA256
a653a0d46daa3cfd49c3f2107f7f64e515e245845311ea63f056ea2a7dd2fee0

SHA512
c5e51a3a68feeb3128335051caefc040a6102767e6bb46784b2d5a1cc10951490bc4fe5016127fe9386d2ad2764766b1998a2f249deaf49aa212bd9757da25ee

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
276KB

MD5
9f044cf32edb8bae4b465ef931fdac02

SHA1
90dccbf44c95f8060ab67b9ebcb9e8946a2ec1b7

SHA256
13008c24c97625040e1b7fac02a453e1ded37e10088bdeba318adbe8f555d465

SHA512
9bbf41444fdb78a06892d16699509b2572d236a3ed04eeb26527a950be5ad05c18ff9bb1674c62eb7327ac6f95c7e16ac66480dab98f3bb35f98a48079ed5eac

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
276KB

MD5
829323cc3b11546da7d0264c955af43b

SHA1
8775714e84ae96caa1602356fda0aafa34f3c810

SHA256
7279e598e88c59b8e52b93f27849f179d36932821a00e4d56b4dd51c8f85827d

SHA512
438a99a893d8419c6a121a1849cbb36a7100b015032db9d37a2a0e38e500dff6b3b4af49bf85706b35bc76460fb4d149fa177589967e0c7aa905e81127e9bd31

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
276KB

MD5
1f9f755c44a85039c5c618d66deb3de1

SHA1
790b8fb5e62aeda11a2b6f443c03807c5ab80764

SHA256
0a970e0bce0df2bdcda52fff925f78063d7da131044a3401a784432d0f79c8ab

SHA512
d3ab2dfae521fa653f1aa83f9392f388506aee1430639552ae209f6b9c5bfa64aa1fc68e2cc457c44e873509bc7cb2b5d4c65071d2c30b36e3d36463e0c3568a

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
276KB

MD5
c90c3546a94b11600f0a53543596ac85

SHA1
75c05a539f6a9e6bc8c64e1eb0ce85c2bd49721e

SHA256
8d984908f4973d7209afe2b49e5988ac6fdb5ef34c9680c7f041a51a1e76bb87

SHA512
5eee12af28380016b1115de1732ae28edf4ece164da5296242bb9f083fe55458a448cc4c96a302c3b3c49f91c4886295eeeeb8c623bd4942d610c010e05b332d

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
276KB

MD5
c33c631615a708508c6df0f6a858637f

SHA1
851b16e20d76117f6cd057592504af2e9d4cdb51

SHA256
259ec0879119a3ddf2944ac09d475da91025b6fc05d27bf673a19e0606b07e04

SHA512
86091c9a8b450974c9f10d4f6afc0677da8a35562414647ca0c53d6d1d20da97938b34870b3f258e42160dec3d2dc6df40c28f3cb35437ce23ba57cb6c8d6cec

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
276KB

MD5
e11729f62c49d6246c7378f5ca30ebdf

SHA1
b1c390abe74cb7e7e80760eb66910bf9c8ec6cf9

SHA256
88608068f49c50202602bcea519aa4d00d1a4345950c0ed1690a2b5e188cd78b

SHA512
522ba2ab8ffb30a825ff9ac759ab45f70c0aa8afe37c44b5c2294899d2d21d281bfd995427d62710d624488fd7081a4976dfa25e8d22edd4e893cd8e678604bc

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
276KB

MD5
9c2ac2037ffcc0637c5c36aa4c64b987

SHA1
9950fd34adbb1d4902bb82ce1507f2cf927230f1

SHA256
b636e1e6878d9ac093605f856c87ce8c615d2e07dd0aaa11870bedbd9b26ed33

SHA512
ea16b284966d0e059b85e3b1dcd533d8106ec0f13dde0b02ed26ed8207de2e5a6dde374ec41b7ad62a41ca3bed7a0515bae790dbf3c479b7b7bb3f95341c841e

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
276KB

MD5
2c6d062d49a077bc8c7c78254de135c4

SHA1
6e5ca73e993a85a8379ac02b8679db7d82858ff1

SHA256
644b8a76ca3c687c2c55baf51cb9c706e944a18a89ae5e274ab0c52a4f270e57

SHA512
ea9e1bd2c56809a57bada7bfe4b688f635636a564ba1ea130fca08325f57c49143d8865a716290385993de67d0828323baf82fcc7d557e8d2fe7592f5f130123

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
276KB

MD5
9f1c3da6ced2f3d97cd60d953b895241

SHA1
ef3679fdddec34172647029464acad0bcee42b88

SHA256
05fdee25d854a0f39489441f6846f997b00f60180e3414b56bfed04d3e9bfca7

SHA512
94b0b85c3364539429ba85cd47e69223057eef803db11a59b918684b656d4ec22f4b45090e4c54292d30e9c4aa06f6d48610fd0d5a21131fa598ae44c9fa2903

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
276KB

MD5
16e0f74be18632876db5e2f8562f0c5e

SHA1
0b5531ca1c1cd58cd61d55dc0157653b0b6916b8

SHA256
96a6703be53bfba842f683918b7a732afca3e0989fbd72952708971ae4a19a46

SHA512
06e0e3bf8c547d834fa0cec71337de31a6f60cafdfc1bc5275116c3955eca17b13a418feeb286948e82a563b89077741c69c2b3f3994a33079fb22044963e820

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
276KB

MD5
275188587542d47a39b854a840baaf02

SHA1
8c325502f780e7b0b1b5a0da3d18bcc925a0b547

SHA256
94bc7b12c5890929b13a5953bb4cff05023f9b359a9a620b0f8108fd5263e0be

SHA512
407e0bf0c035221829b27910a497052927cc469e75589001eed2aaa2910d85bdae149e7ac8386a0462588195016ee2080f8a68472a0920156229bb594f2ac784

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
276KB

MD5
7efd92f6cb6d6e0f875c401c4b2de449

SHA1
d88a33dc99fca442ad1f51114cdac75f874328f1

SHA256
722f407a308ac8cc35ec5297e3688184ce717704d8949b11a24e7daca51fe97f

SHA512
f4adca6cfc47c9b51b6fdea6a7376b25e18d5dfac75e8385403add1f5efe50a405a0436263e640c575015b03ef113ca18554427c716fd1eede865bcbfa313972

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
276KB

MD5
bf452423ffab8ded73252d5dc8e76bbb

SHA1
63766162708ce16df26cd4d036a6acaacb160250

SHA256
92c1e40d79dbc49761ac61dfbe9e77a81c354a2cd17fef80abc7868b9578f9dc

SHA512
fed6d7790e31e5134df5f9087b659ca00d25379bc7dae5011d69b878943765dac7da263fc58ad4a461481322149d9df6e79adc8855fcd10ca390b16887f95025

Download Submit
C:\Windows\SysWOW64\Ickfifmb.dll

Filesize
7KB

MD5
59112989b79917bca07cf351c29925e7

SHA1
939249591a6aeb786454604327d63e4e287c86b8

SHA256
75b717be6b9a9e9afef9393d03c6597ac14f52ce60b3c213d750e4f452edb81d

SHA512
499a4955f758d96ed6f7e691589056ba3be8f0308d277264e96c154d376b99eaede3d4f55f671ec70827854e5ce2e768c293b5d46895f412f245ddbfc1d8ee71

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
276KB

MD5
3dce0f87ab0dc540c66f16c6ffb37ed9

SHA1
ea89a185b40ea317af67f1d020a31c8e285cfc29

SHA256
40bf19754ab406ca76c169c688a4c09ed5e014c753a31adfbe9448b2bfa41cf7

SHA512
11c17a2262971edc3da7a2cbb0149043c66cabfe90b92f42b4ee09d8196739629792aa2f6813844f8c6e1de2c1772ef87d50722113502db7ca3bbf0588fd5baa

Download Submit
memory/64-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/64-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads