berbew | ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1c

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
Size

64KB
MD5

ac6c1da9045886499dc920a1339bb970
SHA1

70a3150f7ebd3b271c0f75b9da539d292778fa22
SHA256

ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1c
SHA512

4cfbfa816f88fc11156a45e55f856114fb52b444605a4b04ba617e6a09bee75d7f018a276fab76f5bc23a8ed5695dfe003c834cd1bf696c1c09f8ce4a7b8addc
SSDEEP

1536:e0R/kq9ZULbL4eTk7HENaiUWyCdrPFW2iwTbW:e0/kq7ULbUWkuaiUXCpFW2VTbW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckpamabg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biklho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baepolni.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 41 IoCs

pid	Process
4372	Banjnm32.exe
4440	Bfkbfd32.exe
1192	Biiobo32.exe
4368	Bapgdm32.exe
5016	Bpcgpihi.exe
5036	Bfmolc32.exe
2076	Biklho32.exe
2832	Bdapehop.exe
2020	Bkkhbb32.exe
1392	Baepolni.exe
5008	Bfaigclq.exe
3140	Bpjmph32.exe
1568	Ckpamabg.exe
1752	Cpljehpo.exe
4784	Cbkfbcpb.exe
4824	Cmpjoloh.exe
3408	Cdjblf32.exe
1820	Ckdkhq32.exe
3652	Cmbgdl32.exe
3656	Cancekeo.exe
3404	Cdmoafdb.exe
3944	Ckggnp32.exe
4412	Ciihjmcj.exe
5028	Caqpkjcl.exe
4180	Cpcpfg32.exe
3996	Cdolgfbp.exe
1428	Cgmhcaac.exe
5024	Ckidcpjl.exe
3832	Cildom32.exe
4756	Cacmpj32.exe
3344	Cpfmlghd.exe
1856	Cdaile32.exe
2240	Dgpeha32.exe
4872	Dkkaiphj.exe
2708	Dinael32.exe
892	Daeifj32.exe
1684	Dphiaffa.exe
1972	Dcffnbee.exe
924	Dgbanq32.exe
4240	Dknnoofg.exe
3224	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bfmolc32.exe	Bpcgpihi.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Boplohfa.dll	Biklho32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Bfkbfd32.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Baepolni.exe	Bkkhbb32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Bfkbfd32.exe	Banjnm32.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Bapgdm32.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Ckidcpjl.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Bapgdm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdmoafdb.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Dknnoofg.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Lalceb32.dll	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Bdapehop.exe	Biklho32.exe
File created	C:\Windows\SysWOW64\Cmbgdl32.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Cacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Ckpamabg.exe	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Ckidcpjl.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Bdapehop.exe	Biklho32.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Cpcpfg32.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Icpjna32.dll	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Hmafal32.dll	Bkkhbb32.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Biklho32.exe	Bfmolc32.exe
File opened for modification	C:\Windows\SysWOW64\Biklho32.exe	Bfmolc32.exe
File opened for modification	C:\Windows\SysWOW64\Bpjmph32.exe	Bfaigclq.exe
File opened for modification	C:\Windows\SysWOW64\Dgpeha32.exe	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Faagecfk.dll	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Dinael32.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Banjnm32.exe	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
File created	C:\Windows\SysWOW64\Ckpamabg.exe	Bpjmph32.exe
File opened for modification	C:\Windows\SysWOW64\Cdolgfbp.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Baepolni.exe	Bkkhbb32.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcpfg32.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Aldclhie.dll	Bdapehop.exe

Program crash 1 IoCs

pid	pid_target	Process
4896	3224	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkhbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmolc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapgdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdapehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biiobo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkfbcpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknnoofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpcgpihi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baepolni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfaigclq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckpamabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biklho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjnm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biiobo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll"	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmqkimh.dll"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodeaima.dll"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elekoe32.dll"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldclhie.dll"	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baepolni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podbibma.dll"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iponmakp.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalceb32.dll"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boplohfa.dll"	Biklho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Ckdkhq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4372	4516	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe	89
PID 4516 wrote to memory of 4372	4516	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe	89
PID 4516 wrote to memory of 4372	4516	ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe	89
PID 4372 wrote to memory of 4440	4372	Banjnm32.exe	90
PID 4372 wrote to memory of 4440	4372	Banjnm32.exe	90
PID 4372 wrote to memory of 4440	4372	Banjnm32.exe	90
PID 4440 wrote to memory of 1192	4440	Bfkbfd32.exe	91
PID 4440 wrote to memory of 1192	4440	Bfkbfd32.exe	91
PID 4440 wrote to memory of 1192	4440	Bfkbfd32.exe	91
PID 1192 wrote to memory of 4368	1192	Biiobo32.exe	92
PID 1192 wrote to memory of 4368	1192	Biiobo32.exe	92
PID 1192 wrote to memory of 4368	1192	Biiobo32.exe	92
PID 4368 wrote to memory of 5016	4368	Bapgdm32.exe	93
PID 4368 wrote to memory of 5016	4368	Bapgdm32.exe	93
PID 4368 wrote to memory of 5016	4368	Bapgdm32.exe	93
PID 5016 wrote to memory of 5036	5016	Bpcgpihi.exe	94
PID 5016 wrote to memory of 5036	5016	Bpcgpihi.exe	94
PID 5016 wrote to memory of 5036	5016	Bpcgpihi.exe	94
PID 5036 wrote to memory of 2076	5036	Bfmolc32.exe	95
PID 5036 wrote to memory of 2076	5036	Bfmolc32.exe	95
PID 5036 wrote to memory of 2076	5036	Bfmolc32.exe	95
PID 2076 wrote to memory of 2832	2076	Biklho32.exe	96
PID 2076 wrote to memory of 2832	2076	Biklho32.exe	96
PID 2076 wrote to memory of 2832	2076	Biklho32.exe	96
PID 2832 wrote to memory of 2020	2832	Bdapehop.exe	97
PID 2832 wrote to memory of 2020	2832	Bdapehop.exe	97
PID 2832 wrote to memory of 2020	2832	Bdapehop.exe	97
PID 2020 wrote to memory of 1392	2020	Bkkhbb32.exe	98
PID 2020 wrote to memory of 1392	2020	Bkkhbb32.exe	98
PID 2020 wrote to memory of 1392	2020	Bkkhbb32.exe	98
PID 1392 wrote to memory of 5008	1392	Baepolni.exe	99
PID 1392 wrote to memory of 5008	1392	Baepolni.exe	99
PID 1392 wrote to memory of 5008	1392	Baepolni.exe	99
PID 5008 wrote to memory of 3140	5008	Bfaigclq.exe	100
PID 5008 wrote to memory of 3140	5008	Bfaigclq.exe	100
PID 5008 wrote to memory of 3140	5008	Bfaigclq.exe	100
PID 3140 wrote to memory of 1568	3140	Bpjmph32.exe	101
PID 3140 wrote to memory of 1568	3140	Bpjmph32.exe	101
PID 3140 wrote to memory of 1568	3140	Bpjmph32.exe	101
PID 1568 wrote to memory of 1752	1568	Ckpamabg.exe	102
PID 1568 wrote to memory of 1752	1568	Ckpamabg.exe	102
PID 1568 wrote to memory of 1752	1568	Ckpamabg.exe	102
PID 1752 wrote to memory of 4784	1752	Cpljehpo.exe	103
PID 1752 wrote to memory of 4784	1752	Cpljehpo.exe	103
PID 1752 wrote to memory of 4784	1752	Cpljehpo.exe	103
PID 4784 wrote to memory of 4824	4784	Cbkfbcpb.exe	104
PID 4784 wrote to memory of 4824	4784	Cbkfbcpb.exe	104
PID 4784 wrote to memory of 4824	4784	Cbkfbcpb.exe	104
PID 4824 wrote to memory of 3408	4824	Cmpjoloh.exe	105
PID 4824 wrote to memory of 3408	4824	Cmpjoloh.exe	105
PID 4824 wrote to memory of 3408	4824	Cmpjoloh.exe	105
PID 3408 wrote to memory of 1820	3408	Cdjblf32.exe	106
PID 3408 wrote to memory of 1820	3408	Cdjblf32.exe	106
PID 3408 wrote to memory of 1820	3408	Cdjblf32.exe	106
PID 1820 wrote to memory of 3652	1820	Ckdkhq32.exe	107
PID 1820 wrote to memory of 3652	1820	Ckdkhq32.exe	107
PID 1820 wrote to memory of 3652	1820	Ckdkhq32.exe	107
PID 3652 wrote to memory of 3656	3652	Cmbgdl32.exe	108
PID 3652 wrote to memory of 3656	3652	Cmbgdl32.exe	108
PID 3652 wrote to memory of 3656	3652	Cmbgdl32.exe	108
PID 3656 wrote to memory of 3404	3656	Cancekeo.exe	109
PID 3656 wrote to memory of 3404	3656	Cancekeo.exe	109
PID 3656 wrote to memory of 3404	3656	Cancekeo.exe	109
PID 3404 wrote to memory of 3944	3404	Cdmoafdb.exe	110

C:\Users\Admin\AppData\Local\Temp\ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe
"C:\Users\Admin\AppData\Local\Temp\ce2212466c40d573280f88ded2bb5aa5e1b5b8c115a62bdcfdd1f6465dc2ea1cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\Banjnm32.exe
  C:\Windows\system32\Banjnm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\Bfkbfd32.exe
    C:\Windows\system32\Bfkbfd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\Biiobo32.exe
      C:\Windows\system32\Biiobo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 400
        43⤵
        Program crash
        
        PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3224 -ip 3224
1⤵
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baepolni.exe

Filesize
64KB

MD5
2c70dbee1751f6b2a4ecf26f6361eee2

SHA1
862073bba2300dcae99a682dc3f5efe71d1b754c

SHA256
c883c232aca44a8d0e9c605e03829c0ec40a77162cd6976ee409af1d42ad8859

SHA512
e17eed0657292e5f2f7631019293f321b28bc7aebf1deba1f706615559c19b4bb7644c9fd6a3561a44e7ef99588b6b990c8bb985850be11ebc2ba3aff0867e7b

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
64KB

MD5
cced5fef96a7adb1af79a1f824de9ee6

SHA1
d0cafda864b4dca1c1a77b2b9527f59e3e9d8bb0

SHA256
83a8eeda37ad4110b695f4ee46841e6c0daf6603cd2d663ea2b6c9c5b6a21530

SHA512
b670bc0c13c7a8ea5aa22e2986eb11763e3388c9d19c90f30b54e40240e14d8eb976097a8f98f3de4eaf382f8c758c81956467056fc365291598cd7b2b3cdd97

Download Submit
C:\Windows\SysWOW64\Bapgdm32.exe

Filesize
64KB

MD5
380b2244e575baa2e1e1c74efef76757

SHA1
9e596161aecedb725a2092099c6ac90de789600f

SHA256
5445aa9859b0bbd3ff16c50fb8ffd65f4fea916eaaf3c31a252eb88fc4e69b50

SHA512
ce42d28360b08ed50573cee636c5d3f67b53ced173421703b02df05a5e2b862b6eafe6e77cf093723b3adf6b5cce7de63d8b44d9397ba574ecbc805c967b9389

Download Submit
C:\Windows\SysWOW64\Bdapehop.exe

Filesize
64KB

MD5
6ea4bbece2db267f93f09c4d917c2dc5

SHA1
6105317b4c14b73096c01f7a7b795c86421871ab

SHA256
1a2b31070f66c7d878944d6ebd7716d1a4ee2023acf41110423bb61cc7b9e362

SHA512
0872a698e66c76ef2318fae55fefd80f7c8681d23cfd51fd1ab06902569b699d17e19bb54a5fc4f730cd43da5a65dd8f4144493902a48fceadbd73cffaa9d425

Download Submit
C:\Windows\SysWOW64\Bfaigclq.exe

Filesize
64KB

MD5
7d0ee45171d51305f13753afa4699b5f

SHA1
2817ed2d90a1b800539839ad6fd3bc86ec3eeba3

SHA256
52ffe0604209a3f8cd50e261e7ba203ebdf7571daf19f7f3bb498f832c0a3d6d

SHA512
1213d18894e5ac690f9672a183113feaa9d2d094ce18074170a8fd5334a47da3a449335bb934501f9e4d589933ede54d1580bd5eb314354487337f1818625571

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
64KB

MD5
a9d8fbfc1073ee8ce5fb241b939e00a0

SHA1
0c950d9f97ace0fc1120a674d5eabe8c4fb5b76f

SHA256
7711f838eeb16b3c42361f4ecdfcac716035ebced84e629547f26125697963d9

SHA512
3ae276cff96b0028c608adf32fef22f0602fcb9d0c85e34e499d906405405c57c5ff78f76e3f099b983aef45eb72dcfdde655999425e435fcd095a5fb72730fd

Download Submit
C:\Windows\SysWOW64\Bfmolc32.exe

Filesize
64KB

MD5
1bc35e5362b99d75835a1dd4f944cec5

SHA1
ff58d28f64abebcf4b4dce9db76692c1911d2f1e

SHA256
0e1478c5d876b9b0f99d2c30e590fd4f1944b30048236663987f649c63b3251b

SHA512
2ed5ecb2a06f0532d00278e3144ae6135d7ce40e673fd9153dd1da4361b9cfe20510104622c3b9c09304b8ae211dc333c65e0e8ec5523993f71e38070e9e32ae

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
64KB

MD5
27218e22e12c843f8c1c1a6f5645ece3

SHA1
dab814012edf4af42c03bf00af4f17d27dbb861a

SHA256
976fea1254e98854343d22da34c7e30b44a7c57e2e319c1c3a5e955f16b7dcd8

SHA512
fb738435e69e3044eaff6a1dbaab585bb2ba58612b5bc2fd5e1e082712d5c7746ebf3cdd52ffaea373e431bbcbc88cb31b4f2a3a6073b6d1f3425fb8206e4dd3

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
64KB

MD5
eef18d7bf58925ea322dbec15e36f26a

SHA1
02117b4f1bbdac62701b1fac9e78e9b86116d682

SHA256
c513fe7f4b30f532a869be757c27b0ce60c2b3acaf5a978c4450a839ec481bbb

SHA512
f20687f0b640f5a8ad401dc10998a39bef8835ae6e4b3b21bd0257a2250c9faa9708e3c19b815eb1bf0d487fb6ca596120896592d0b14cde074bdb5251d3938e

Download Submit
C:\Windows\SysWOW64\Bkkhbb32.exe

Filesize
64KB

MD5
08214967ca912e36d7a5ce0edb5da370

SHA1
1bbb6a6599734047aadb9a7a7ac8a94381fbff84

SHA256
ac0d8304afd45a32e3f74433e9a885af7486b08513b43ad2132ed84c194a46e6

SHA512
a4cdf273f1a8daf7ccea4db43b15fede4305b14236131cf868f694aab5e0d19a2556325b09f0fb13ce24cb03d98c64f28ebf8b95c8eabe342396b79b5f245e82

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
64KB

MD5
c425576a84adc5cf75f63d6fc392381d

SHA1
d144025ce94f25d8def758d7b8e97c9c8a2a3034

SHA256
c4d5ead12c9cda97473999a23911a7093d665c93014a13167e2f4071b17a945a

SHA512
9aab49a35bcfb1f93cf8fba16f7ea13e1f83de6fd28ed7883bb84e1c471f4cf9132663232650a212258a088316aade0b88c76c5bca514cc14a8c5c32b97157f4

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
64KB

MD5
3cf468d20464698e7ab89c1743cfba55

SHA1
1d1ecd873fc9cbd31e0df3ac526fc6e692e0dca1

SHA256
14630cf02bf502e139d61b1f59f9e8e39b0da44a1681f2cc4ea4b2ef930f0fc3

SHA512
fcc228fa704f6a8cd8c472402bc54d53d9814d32812cb1fb7d9c5a7b70448852424f58fbeac4ad9c7f910ceaa2702c95eb5b81ce19feeb41e5c5bb1864adace7

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
64KB

MD5
f394519cbc52120bef02261958676c4d

SHA1
5424d8a835907f2456e5cfd23288e0f80da28aa6

SHA256
fbdfd6701291712f303919d401c974f36c5277d60da5d83941b6bb6595433d68

SHA512
1e9a7751ec7c367eff5f4f6889d68ce7ae9996f8db40c1be2c54d81969dccd8d78af9e3ca69c96fa2d7edac2e9b8f6da030cb2610441d38cd1cb970163eb26e5

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
64KB

MD5
dbff4fb9eda3420105bb4f9cbdf54406

SHA1
829b1183156d62e2bbd1387d65d373a13bf3b51b

SHA256
09cb1ea0058d34421f3fb12b81cccd53eb979f3bf85a6bc1aaeec2c5826e2bca

SHA512
fad0d8929ab4de17e4c0b8da3bd76e75e0a884738bd8a9bb14bda8a9427a85b45cd1753b204bdfa17f048880c46590e6afb0caafb5a16b0711e4fc67960e524c

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
64KB

MD5
75f8b2a96dc45c9b5071994673e86d3b

SHA1
6574eca05d5e31388ef7fdce8064742a1c359da2

SHA256
ea855c855ab70a3f8e06f8e7650b1d8512fc684d5257d83f38a559307195c359

SHA512
4f10ce5f8ab7c5c0da2da7c28fbc87b6622eb5c18c731d1e7118a042d3e16996197e8304ee104855dc9bc6712399e0b0762460913ec59224fe82dbcc25e6c5c1

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
64KB

MD5
86e35bebf70cd923c3a6aed0b23b1722

SHA1
16a750f6510922393235114463e240ff4454d6fd

SHA256
34673002b1a15e05859eea2549e8620a07c4d5dc20d50bb6434b3a90b476ef82

SHA512
abdba2c5787241e8b0f8f5bf7ce493ed6f53c79e6dc468d31a105c59e089883ec9958590bab342d3c14bc48c758fdd0477b1ed55cc290e9c98728e4601190fd4

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
64KB

MD5
749d6d35a394b23aaf3200c4d950e56e

SHA1
7fa4499d5662b62e15182e17def7f2ea7ce54928

SHA256
7fd77c65c448d5af8916c37e1a166176f74764c928afa18746918835efd4f5ef

SHA512
2be9f4fec48b66c965d79fddfdc1086375fd33e80d538f822e0f79abfee6df8f2fd5a81d36fe386c5a0d3db05f19a6bfe89cf6ffaddd7851551ca807ca5555dc

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
64KB

MD5
58989a0cea11a405c6336c2bb0f44f77

SHA1
a743cd3c8a19496e3e092135c278345ae631fd8b

SHA256
6e1e470bdb4cba7035391528ec7eb9bc041d87520f12f643c72118f10cea035a

SHA512
55683f683aacb07dd497de68e68f1b1a4681afe6a19452ce4763f980529739c29fa259aa481d4d850716e01b67cd39dbdfadf442554239bfdd67584432b46a21

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
64KB

MD5
0e10a74d0f96e96918b8b27aaba3181c

SHA1
8778c299e9a20f4752f2d691d88c39e8bcf5a360

SHA256
2cb4cc42b88cdab0ee8dd1cef2b79182cc925bf6876e5653f4febcd8e1dc5d92

SHA512
d99cecd75ad8ceb8a03da4a53fb054f23cc47e56ac0405f12026d252c7adf1cc7a4edee2ceb6c0a64a974c786a0dc3d1a7e45e6a8308ca9f904c6023a2bde618

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
64KB

MD5
3e7db080f8e4ff532ace31e17dbfe6e0

SHA1
d7aed9df407f6d4b4d4fa25be48697d84b0863ac

SHA256
5de80a5f8a32a0f10c930a888544aada9bc7a853cea899f8dda6b4cedf685624

SHA512
a60c63665b637f5dd404955f0bfa0af40353bcffeafa003058a59533744f51343c4c5ca214aac187c1acc0a8d92bea2f9fd5b96b9604c1cbf66ea8420c27b9a5

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
64KB

MD5
4a87b2066a2d229beb85986d378a8615

SHA1
8972fd45837772c7293766c68956d8794d21bbeb

SHA256
e0e5ee71ceca41dadbc9f6f497e456eeb0d72fe96661855399996fbc1db27d5d

SHA512
3efc2b821e47baa4ffc30b9ddbb7b544165f13122c5d915c120dda1ccb300cab9cebf17353020253fbf4a902611f0047ab91d0bed3c50a66b6935437204471ef

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
64KB

MD5
4d68ac9b2c1e323cb6fd7993337faaa4

SHA1
f806183c6b33dfff91cbcfc493e94d43dcba4d3c

SHA256
4b9efa6b2250021fc1b527878c11d5a2ec13f21cb6e7d74544bbf4d3dccdc57b

SHA512
cb5725ca39d8c4ff2d41d9547c8150f55b7a20d8b494218207b5bd410965951dc15f585e1b560bdd49ff1c2b96fdb6e1532adc5a3797c00968f01de77941f58a

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
64KB

MD5
164b0fead15cbcb6e894592c5b4c1b79

SHA1
8f407afb34ff9f5206c9999c66818a17a720b82f

SHA256
48fc5800760620633a123d08c95add0a21bcf2d63e5d64300df2135953798ade

SHA512
2f5c4e444faaca67f460930aea9dcdbd1179918c6ff617bd43790b9347aad384badbe8d6d121b34b71cb2492790038139388c924f213c811367cb22712d56221

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
64KB

MD5
efbfa32a1bf3f99d71339f13128629be

SHA1
71412e51dcd43fb0cf9cf493fe68421487f0ba06

SHA256
5878595ae2c67aabd428c684ede83a92195ca87470cc1a3d2281e71307523563

SHA512
b5b05a6676aca3f04ac3fa8f291a8832383539a071bd6f2d35c65b0e2c166faf2122d24edeba03055709f42be448fdf1981a77405af76e7b1a06d873a6a32197

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
64KB

MD5
b9e3c89beceb3c2dd34c0a04ccd9a692

SHA1
1e8837552d751fd0a6e05c4aad41453c701ed6bc

SHA256
2477b60369d7979f31181866a9a5f8cf7d4e2afb64d1d793cd330cecc124cfaf

SHA512
788ad36763c8e07ac479b0876dfd53f418446e75012eae09442611cb3a8d09336bbb8402c32026748e212d7514fd6c3b8ac580851845de854c3ff69bba9aa74b

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
64KB

MD5
8d83f3b07fa1651927a4ac26338328a4

SHA1
20e366e2e1b42f832c5e76fbe9a9ca48c630c622

SHA256
f4a3ddb0c1dca59772e6183ad1de77945f94c4dbe25c22dc0e4c6594ed5cbaf0

SHA512
6cc6cfeef67d67edf7f86520662ac1fefdd5b901e2d5de35fd9ce8de856e7b5bf038a4d2dbbf3b2ba41b2e8a7686a874f356b899c0962a5b87898935ee738742

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
64KB

MD5
ffc671751a91185f7457a793cd5178d0

SHA1
a0366edffb01cdd89b6247e19c39e7cef865e2d6

SHA256
bf86a2bf019969c321e5a39cce545e1aec6b6ae5fc9d74befef66356855a5bdd

SHA512
cd883df80867797a5db43fd19e21c66db0907a685b4bbc9115d4fa9fd7f6128d198d7170af362797c7e00a8cdfb81a994d49f904f252737bb1567d0933c1ef1d

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
64KB

MD5
6b342b3a4f111b464507adc07c84182f

SHA1
c42fb86fb7df16fc828d0afb823dcc99cda2b187

SHA256
03eaa6644bee9ea5652a737fe31e2089c60e9c5bd32c599d208ea376c3141886

SHA512
b4dc9420b25401752cfe9e02dda5c67aeabe769744d93c1c25529b9b48e9a7a0cf3f7e63f57a7598450040d873743a082d223c94882890e2e4d54207913f1d15

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
64KB

MD5
68fd09b6484bda473258479e565630a5

SHA1
d74d61ae686decc95a42c6fe8270e43d93bf43d6

SHA256
0e973a3041ee9e8afafcbc5749de0d28973f7d8b5455e0e59dc4d6d64ef3106a

SHA512
809f2de5ed9a1d1e63490cc29210823640ef6c8b0b4e2d97b8c9568d007a5435cdf4ffb7604c2d58302a46467f7c58f66b9c2b8aa7fe8932a23713732b3f2a4b

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
64KB

MD5
fdf8b84842449e0dad1c50a541eb34b8

SHA1
d03248b6518afebde4ede3aea08468958805d6a5

SHA256
03ae42267d68d0cf76161d74730a57ed27781340dfd81f1027f995a6744aed2e

SHA512
f011261b00d3be1ab716bc1bddbea5b1d4e458a6dfb84af350028c8511d858b4231eebdf07b3b87dd05496938e902f315e706f6d3009508671abf5642eb7a7f2

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
64KB

MD5
c659b05a7cbeb9831fcd1d7b805a9158

SHA1
9f63415d24e1ebd38c043d7cff06f5643305c7f2

SHA256
5027957add695732b12720920110036d905085dced5a808ea26b06e231ae22ba

SHA512
59526ec1981f2a826fecd2110edafe5a16a08a8296e819fe02f2b596b15026e485e39fc4ffb6bdfaca00bb57bf8d08c0c031e343def38ca2ed988c9680fb85a4

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
64KB

MD5
62bea6099d8124488e0d1902ee4b4dd3

SHA1
7ae3c88c7776af2f25bb4f629aad8ac440754dbc

SHA256
81fc8c7fee3047e93e7a34486e67ef9b234ec1e0198407ecebc3efefaa3736d8

SHA512
473de88d6c76cfabb0431986b443b881a2bb5b62a26c11465c1f8b565be2c2e3fff00de584331c5b5aad9428df5a45a6b30f62efdf2a93abb5d26649c0ad7ad5

Download Submit
memory/892-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/924-324-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1192-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1192-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1392-174-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1392-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1428-238-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1568-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1568-201-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1684-312-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-210-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1820-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1820-246-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1856-282-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1972-318-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2020-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2020-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2076-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2076-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2240-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2708-301-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2832-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2832-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3140-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3140-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3224-332-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3344-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3404-272-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3404-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3408-237-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3408-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3652-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3652-255-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3656-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3832-257-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3944-189-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3944-281-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3996-230-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4180-220-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4240-331-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4368-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4368-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4372-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4372-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4412-202-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4440-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4440-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4516-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4516-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4756-264-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4784-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4784-219-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4824-229-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4824-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4872-295-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5008-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5008-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5016-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5016-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5024-248-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5028-211-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5036-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5036-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads