berbew | 6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Size

64KB
MD5

5b2ba8c17752fe9da82af8bdffc05330
SHA1

5c0c5e0afa3d9c4a6c4570f989798b94869ad952
SHA256

6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01
SHA512

c2a796f3683ba4d06214de510b73464484535b7fd4e2c28bcf161563a1f4d330023f8d47830508e2467fe9777d0d802625002028c29a41e3571152287f128f03
SSDEEP

1536:9SBkrQLajN98u+p9iPiYsTFKPI32LUrDWBi:YhLajD8uBiwU2Bi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aficjnpm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 33 IoCs

pid	Process
1636	Afdiondb.exe
2976	Aomnhd32.exe
2760	Ahebaiac.exe
2640	Aoojnc32.exe
2568	Aficjnpm.exe
2644	Ahgofi32.exe
3024	Abpcooea.exe
1448	Bgllgedi.exe
1736	Bnfddp32.exe
760	Bdqlajbb.exe
1624	Bniajoic.exe
2820	Bceibfgj.exe
2388	Bjpaop32.exe
2836	Bqijljfd.exe
2032	Bffbdadk.exe
992	Bieopm32.exe
680	Bfioia32.exe
932	Bmbgfkje.exe
1728	Ccmpce32.exe
1904	Cbppnbhm.exe
596	Ckhdggom.exe
1596	Cnfqccna.exe
896	Cileqlmg.exe
372	Ckjamgmk.exe
2616	Cebeem32.exe
2764	Cinafkkd.exe
2620	Ckmnbg32.exe
2324	Caifjn32.exe
1712	Clojhf32.exe
1872	Cnmfdb32.exe
568	Ccjoli32.exe
1944	Djdgic32.exe
2272	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1980	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
1980	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
1636	Afdiondb.exe
1636	Afdiondb.exe
2976	Aomnhd32.exe
2976	Aomnhd32.exe
2760	Ahebaiac.exe
2760	Ahebaiac.exe
2640	Aoojnc32.exe
2640	Aoojnc32.exe
2568	Aficjnpm.exe
2568	Aficjnpm.exe
2644	Ahgofi32.exe
2644	Ahgofi32.exe
3024	Abpcooea.exe
3024	Abpcooea.exe
1448	Bgllgedi.exe
1448	Bgllgedi.exe
1736	Bnfddp32.exe
1736	Bnfddp32.exe
760	Bdqlajbb.exe
760	Bdqlajbb.exe
1624	Bniajoic.exe
1624	Bniajoic.exe
2820	Bceibfgj.exe
2820	Bceibfgj.exe
2388	Bjpaop32.exe
2388	Bjpaop32.exe
2836	Bqijljfd.exe
2836	Bqijljfd.exe
2032	Bffbdadk.exe
2032	Bffbdadk.exe
992	Bieopm32.exe
992	Bieopm32.exe
680	Bfioia32.exe
680	Bfioia32.exe
932	Bmbgfkje.exe
932	Bmbgfkje.exe
1728	Ccmpce32.exe
1728	Ccmpce32.exe
1904	Cbppnbhm.exe
1904	Cbppnbhm.exe
596	Ckhdggom.exe
596	Ckhdggom.exe
1596	Cnfqccna.exe
1596	Cnfqccna.exe
896	Cileqlmg.exe
896	Cileqlmg.exe
372	Ckjamgmk.exe
372	Ckjamgmk.exe
2616	Cebeem32.exe
2616	Cebeem32.exe
2764	Cinafkkd.exe
2764	Cinafkkd.exe
2620	Ckmnbg32.exe
2620	Ckmnbg32.exe
2324	Caifjn32.exe
2324	Caifjn32.exe
1712	Clojhf32.exe
1712	Clojhf32.exe
1872	Cnmfdb32.exe
1872	Cnmfdb32.exe
568	Ccjoli32.exe
568	Ccjoli32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ibbklamb.dll	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Afdiondb.exe	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Ahgofi32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Ahgofi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bgllgedi.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ahebaiac.exe	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Ahgofi32.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bqijljfd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1704	2272	WerFault.exe	63

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll"	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1636	1980	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe	31
PID 1980 wrote to memory of 1636	1980	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe	31
PID 1980 wrote to memory of 1636	1980	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe	31
PID 1980 wrote to memory of 1636	1980	6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe	31
PID 1636 wrote to memory of 2976	1636	Afdiondb.exe	32
PID 1636 wrote to memory of 2976	1636	Afdiondb.exe	32
PID 1636 wrote to memory of 2976	1636	Afdiondb.exe	32
PID 1636 wrote to memory of 2976	1636	Afdiondb.exe	32
PID 2976 wrote to memory of 2760	2976	Aomnhd32.exe	33
PID 2976 wrote to memory of 2760	2976	Aomnhd32.exe	33
PID 2976 wrote to memory of 2760	2976	Aomnhd32.exe	33
PID 2976 wrote to memory of 2760	2976	Aomnhd32.exe	33
PID 2760 wrote to memory of 2640	2760	Ahebaiac.exe	34
PID 2760 wrote to memory of 2640	2760	Ahebaiac.exe	34
PID 2760 wrote to memory of 2640	2760	Ahebaiac.exe	34
PID 2760 wrote to memory of 2640	2760	Ahebaiac.exe	34
PID 2640 wrote to memory of 2568	2640	Aoojnc32.exe	35
PID 2640 wrote to memory of 2568	2640	Aoojnc32.exe	35
PID 2640 wrote to memory of 2568	2640	Aoojnc32.exe	35
PID 2640 wrote to memory of 2568	2640	Aoojnc32.exe	35
PID 2568 wrote to memory of 2644	2568	Aficjnpm.exe	36
PID 2568 wrote to memory of 2644	2568	Aficjnpm.exe	36
PID 2568 wrote to memory of 2644	2568	Aficjnpm.exe	36
PID 2568 wrote to memory of 2644	2568	Aficjnpm.exe	36
PID 2644 wrote to memory of 3024	2644	Ahgofi32.exe	37
PID 2644 wrote to memory of 3024	2644	Ahgofi32.exe	37
PID 2644 wrote to memory of 3024	2644	Ahgofi32.exe	37
PID 2644 wrote to memory of 3024	2644	Ahgofi32.exe	37
PID 3024 wrote to memory of 1448	3024	Abpcooea.exe	38
PID 3024 wrote to memory of 1448	3024	Abpcooea.exe	38
PID 3024 wrote to memory of 1448	3024	Abpcooea.exe	38
PID 3024 wrote to memory of 1448	3024	Abpcooea.exe	38
PID 1448 wrote to memory of 1736	1448	Bgllgedi.exe	39
PID 1448 wrote to memory of 1736	1448	Bgllgedi.exe	39
PID 1448 wrote to memory of 1736	1448	Bgllgedi.exe	39
PID 1448 wrote to memory of 1736	1448	Bgllgedi.exe	39
PID 1736 wrote to memory of 760	1736	Bnfddp32.exe	40
PID 1736 wrote to memory of 760	1736	Bnfddp32.exe	40
PID 1736 wrote to memory of 760	1736	Bnfddp32.exe	40
PID 1736 wrote to memory of 760	1736	Bnfddp32.exe	40
PID 760 wrote to memory of 1624	760	Bdqlajbb.exe	41
PID 760 wrote to memory of 1624	760	Bdqlajbb.exe	41
PID 760 wrote to memory of 1624	760	Bdqlajbb.exe	41
PID 760 wrote to memory of 1624	760	Bdqlajbb.exe	41
PID 1624 wrote to memory of 2820	1624	Bniajoic.exe	42
PID 1624 wrote to memory of 2820	1624	Bniajoic.exe	42
PID 1624 wrote to memory of 2820	1624	Bniajoic.exe	42
PID 1624 wrote to memory of 2820	1624	Bniajoic.exe	42
PID 2820 wrote to memory of 2388	2820	Bceibfgj.exe	43
PID 2820 wrote to memory of 2388	2820	Bceibfgj.exe	43
PID 2820 wrote to memory of 2388	2820	Bceibfgj.exe	43
PID 2820 wrote to memory of 2388	2820	Bceibfgj.exe	43
PID 2388 wrote to memory of 2836	2388	Bjpaop32.exe	44
PID 2388 wrote to memory of 2836	2388	Bjpaop32.exe	44
PID 2388 wrote to memory of 2836	2388	Bjpaop32.exe	44
PID 2388 wrote to memory of 2836	2388	Bjpaop32.exe	44
PID 2836 wrote to memory of 2032	2836	Bqijljfd.exe	45
PID 2836 wrote to memory of 2032	2836	Bqijljfd.exe	45
PID 2836 wrote to memory of 2032	2836	Bqijljfd.exe	45
PID 2836 wrote to memory of 2032	2836	Bqijljfd.exe	45
PID 2032 wrote to memory of 992	2032	Bffbdadk.exe	46
PID 2032 wrote to memory of 992	2032	Bffbdadk.exe	46
PID 2032 wrote to memory of 992	2032	Bffbdadk.exe	46
PID 2032 wrote to memory of 992	2032	Bffbdadk.exe	46

C:\Users\Admin\AppData\Local\Temp\6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe
"C:\Users\Admin\AppData\Local\Temp\6ad4df00087f6eb063dd72cec4d3289d371b39fc63106df080a85a337a2aeb01N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\Afdiondb.exe
  C:\Windows\system32\Afdiondb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\Aomnhd32.exe
    C:\Windows\system32\Aomnhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\Ahebaiac.exe
      C:\Windows\system32\Ahebaiac.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 144
        35⤵
        Program crash
        
        PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
64KB

MD5
a9d5f388fd0cc525cfadabb36f004a88

SHA1
a0ff940fb96998d90aac0bad92ff1b76b3b8fc55

SHA256
14b9b599b70db6bde0245efb03efc0fd6e730db12f9e9f2b13af69fb0ee82151

SHA512
7db59de030f03a570724ac54b9896f064cf99c7787a15a6d4a6ecdb3211605f3d6f0ccf2d1b48b6b6176fa0804f1bd02b5ba76a5970f3c5f69c65a918bb8a9ab

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
64KB

MD5
0cb995b2233631296767e0d6468a7bde

SHA1
c9733fc66c99143cc36ff3390877543310216763

SHA256
15d486ce16e7c2a280aefef681800ea197654f9a410ee2e883cea1adb5f872bf

SHA512
e646f01abfc3a4dae48abb6f1fb56040935a885140637113cb8e1c4eaaadff679fdef0434461b4a627f484caa841e77a3304048c90404d9dd1f75ef89f2bcff5

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
64KB

MD5
43ad35a5652655e1978e80f63a5ff361

SHA1
9567e80cfdc5cc0f28cf8d0e1c85ea449e8112c2

SHA256
84e8e90240eea52bc9accc876f94a52b4de2a7653146896e567c6f55fc695ea2

SHA512
ee9a2616076427c373cb8b6e2aad46b783674feff2f96e2c30b8629e4013c4de47f965ea548e11401263d16dc47ee0a9712e3260ce1cf3fdf8ec02fa26eedc4c

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
64KB

MD5
e22924ff95babecd72b430c3152598d0

SHA1
ef9f140ff7473a937950099fe29039e24b83be0f

SHA256
0da34ec79a8b1c3c98d3e8b1a883fef3b6c8f85d0feb46f3c84cc2d188c62bc9

SHA512
90a158c4dd5b637fa2a5739094c0c3d020d4205a54349ba9770cb87eb97a66b8fb3811d1875f9d78379ea8f15ca71a8175a4318d8499fa762bec608df5482ff0

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
64KB

MD5
7f4e56bb014aefa9701a239a59bd8917

SHA1
2783c8a3882bf39d5f18d49230355d1906d689fa

SHA256
be7d65fb46cbfba67e0d3ae976ee8fd32a2cf261fbfd132a9fea5463b18e26eb

SHA512
1203f7c510c97ca7099138636e69864315c4a88386821b6eecafc182d30052863cdb6781fd20e575a2ab28c2f4d29eb33ff7928eacc30eaa46e9c813b566b6b2

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
64KB

MD5
96a1e55de39f2bb52162f71de3a4d9ff

SHA1
e8ee10e859216a9b69cd77f6cb712d59023175de

SHA256
8deb54954e1a6b14a6c83909725c3c0ca9af30b26646b1d455125fd4626b6828

SHA512
6079cc94a288be12e91f4a4a23d3d802b0d4dd7f853b64fda2ec1830be02142ac9de055a73c1c490b0f2c7ed23c48fb31434d8717889f24c8a995b10ea9a56c4

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
64KB

MD5
4d510d8a81cdabb1652a0963567e1251

SHA1
2b03913b6a8bbc8278b71e2ded4c6abebaa4bf02

SHA256
9ef721757957fa8fd8b141e2fa894400cbab9519713d2db07e3f730c3096586b

SHA512
ca09052d2f148b1cb1bf806623249450794036ec85134f29019c518204c2d420e73797f337cfdf74699961c14943223d0edc732d5bf2b6ca1fae8df3d2e72624

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
64KB

MD5
7cc29b427e5cb89a45adbcc597b8ad48

SHA1
ad786907b343548706bfea362b6e19d0a15d4285

SHA256
f1b604702acd920ac9c9e7b8e91f74e079ae04d4e2a73a65e456a6fb8f36a4e2

SHA512
c76f751b8ba0e29137e68cf8595599939b8138434da9a83a596de8449c748d1cac453006a4ea2bb91548199b5d0535b26616bf2c71854dcafcfae9ee3e1980e9

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
64KB

MD5
f2d2f398df9e74ed4f78496aec2ddda4

SHA1
6341963d594c9d2e9bd1c89170fad6e1f9801ed7

SHA256
0f818885382a951119480bf56f9a69494e2c276864fcfc64bcb2a1c9b8b2fc0e

SHA512
8d45ff51461a2e5add76f2e835005876df7caa9f435ba36894a6813bf2260df20e982fc2eb33fdb475a78a810ffc967aecbb4b930955e94de7f091c7771e01b5

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
64KB

MD5
4bc01fee26c8efbb3d2fe447d935823e

SHA1
4132a8bcb11e048a1d9aee47b0364f48e0457835

SHA256
3c48c0a834ab737f6beae88416c30990b2c35e63cd46359147675c36fcb6987b

SHA512
14c74e035451ff7d79caec00e5d272fdcb7978e47e47a56a6053e5a56bac7f38b58416cac508efecab3c92d474d562fdbe53ff34bce5d146460dbd2307c22084

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
64KB

MD5
a477bf99d91134b482223986ec174011

SHA1
a6fab7ebcc5cd4239f4acb4c36f6cd8c8cc225bb

SHA256
b19097dff895437b42b33d3ac277b8ac4fc871a294b97b3ce4a8ed9a062f1ba9

SHA512
9fd9f40e081552a6eeab2a68f96f65c8b8373f4c6a3770c51ec3c29f0e4bde86fd2865e45036addfa15624c43267e4292c49c5e8910e9af3d9a74f9717a302b3

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
64KB

MD5
03a0d3d9d9434d3993574a64a26f726b

SHA1
6d0b83a094f6b06bd4f0760ed30c17c004e133c5

SHA256
3504fbb87720a39bccb39633e1564b25dd3b0d1be9170e7d6aba8e1861d53ec7

SHA512
1538fe76e9290897a548cc5e7aad70df6cf3fd3a6bea74adff9c9fa9567667172ba3ec6e54339c39522f3995acbd1803af84d32d6c349c93de01ec52c95c8e2e

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
64KB

MD5
ee35aa8e0dec065a5dc2d3d82c1cf6ab

SHA1
6d0e41629b16e68b8068c6bb8460c5cf7d3ffbb7

SHA256
e270c5ef8deb247a7e9a2535726fdd5f23f0497d86fb6583e384b0f08f8de744

SHA512
e67894d085a1043f742b146cff9378d2165fc9622f87fc0681a254406fd67f7721871db1ae2d21ebe5a2e916ade9b2d2089c6e6ed4e8e34a90977d704bed2935

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
64KB

MD5
831edb062359f56e17b05cde56862361

SHA1
d11c2b499684cf390c961fabd7b8f79b759b951c

SHA256
ce69f4e616a8e0f9fef08923035ee47d0653b1b8cfffa95e975ce00404357daf

SHA512
10038dfd054bfad77d286126c3aaed01388dca410ef187ed711616a1669969e48b73559949c23c00fc4589dac3c44d2138e27ed8e3fb861af134eaddbc6b1290

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
64KB

MD5
2d479c8c4ea7e1127e15b30c45b4987e

SHA1
858d0209f0988c5a6180e790134222ca9272b063

SHA256
df88c8aef097c9ac5f8f282261521d41a9be5fe98e8a5de1f9cac6807e92a209

SHA512
38f98dac872fd2a706af8adc9909dedb529946fa3748b52500794cc257c12105a09e1b665f0e0bab2ba4acf370c46a57a303df71cd7f5fa97f76104103aa2b8f

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
64KB

MD5
1c1a2b60ae45c2f5143baf05bdceef70

SHA1
c54487e4231841ba424788e0fce9577e9ccfbac4

SHA256
c771842443bb976298b755f8d1a783a55849169f595b4860a7998d7a3f826c26

SHA512
d8b364ed27b52ae70842b2dc82bfb09b2ac78008f648d4b1fd9f5ff7ff8f2e0bb3e2583b825e936022d36fb9007d9cd66fc5e3e71e1c4871703c7430c2211a22

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
64KB

MD5
c14c7794954edf28d55a9de1900094e8

SHA1
62bf5dde9cb00c7b7a8eed534560bde03987e281

SHA256
dec2890d85b403516bfced6c01ae23cf882b73077db6064833fc5c7d0b9cdbbe

SHA512
4a79ed8ee5f1865ac953989f63dd96bfe96571ff1cb9b72c9959bfd6e0e29bd620ea88d8ec79a506e13ddb20d213f8c339c3e83c3985e9be527cf640c3992eb7

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
64KB

MD5
677f6b6c3d4d9b39cca7210f3cf45ffe

SHA1
717696672691a4477ea2afb219b78881f0fb49f3

SHA256
775e6e9a503541f8c72b731a428ed94effa4b9c1d3580e22db2792a75b9030c4

SHA512
f5cd1152405c890f2b4de0eaad99c9861f1fde32a027e0861add7aede0afb534db487e785f430616ecc516b585bab91373557796f5023d500eb36a5ad959dd08

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
64KB

MD5
005fd492a367157b919ae059fded7e56

SHA1
4ba10823d94af3b22879b434dbd97ec540ec6cfe

SHA256
953eae2e9b5c928a092abc63173b6a60a2449f9024eff23da00ad8bfcef5c809

SHA512
22e7b29856b1662091c979e6aa1deb421aa3e5b8dbe37510e50ca7ff71bca486f76a9d0e33a70640799d73fc210c413ce877efcc436f14179e55b776b2ff46e9

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
4d1fb040138ebc6ad0b4eb23fc476ff3

SHA1
c5a924cd7b30b576aec3c5b8d7e16c7e00a1a537

SHA256
cb2b5c09f47cb46c5b498b5afbb8628e34a993b1b07b292d043b25c0c6b8da94

SHA512
218cff790496e50b52edea2a9710698c16f630cda818143f02018c49615015979de25cfda8bf4c2690e1e3937b61872ac0a9878c8f94e694073be1aba4c0eedf

Download Submit
\Windows\SysWOW64\Abpcooea.exe

Filesize
64KB

MD5
5d56d2f8c73814c42830a1b323abccd2

SHA1
a16512dc4a4dc3f6a04399d8c89ddc5578f43993

SHA256
d80870b2900df84ea513d3e18ebd51e479204d402537539bfd6ebe18edb92b77

SHA512
45f8061e7edb0753168215aab3c8b47c27c963e836cd1bb0af787a383b2c30420cc043e799e5da05536d90c74d9bdc2ba183ba6f21d38ad8e4a4bcbd06d0bd7b

Download Submit
\Windows\SysWOW64\Afdiondb.exe

Filesize
64KB

MD5
3c80e091083e2c68115072f88f90b677

SHA1
288b0abc490ad2e14e81aba64db72248ec6144e4

SHA256
bd161cb2caa86c8833c73036ccc2e7f4043bee01ef47d9900c5aa78d441565b2

SHA512
64b11ce099108104299316397f3b1a1e91046a7a4fca165089d3b14690fe2e974f30c8548eac7e5dd4de8f091b71433cd01741f871c00bb7c1f7244e1d801f3f

Download Submit
\Windows\SysWOW64\Aficjnpm.exe

Filesize
64KB

MD5
1cd830a0e8f4ab63efaa61d2472c5039

SHA1
ab05f0c5077100df34cb10963c3ce1374d463040

SHA256
7dbf6d896181fbc2cd774f93fabcee0ce64e0f634cb0b248751573bcbb5522b8

SHA512
25c635f1a34569410e1a511359d378d44152db356de274e7104ce379d3ae610d03c89c860224408618c6d96ccf85d8b1480cb71217f7e8b978ee59c0c5ca79fe

Download Submit
\Windows\SysWOW64\Ahebaiac.exe

Filesize
64KB

MD5
97868f07eebac69b8160dcdfade3e24f

SHA1
d52a09de41d8be72dac35b4f5d0af5d052f12d6c

SHA256
df375a62531f2e760f7c06235e7eb435c69137034b75cc180cc0ade6b3d79a79

SHA512
d0a125c3e29ac07fd62e97c1d63fe8fe98f642b41b305285d7b2f005dd84143055250200448385e298970e85ac6b95048a2cedadddc915c0b2b4ca567b9bf3a3

Download Submit
\Windows\SysWOW64\Ahgofi32.exe

Filesize
64KB

MD5
597bec7c04fdbec6808fccd082bd2b90

SHA1
a1fedf4cf452bde886aa6533105bcc8517d0daee

SHA256
4bc64c8af938f5fd093f9a1d9e8ad6fcfdaef698c51079f1e209d456d7510bd5

SHA512
64a8b8a9c5f3a69516e2f6f2c7267ffd38ac2d1fef810c98059100a2406df24d97bb35284f7531c035682dedd750038262a43ca9505aceb5f9fc8c5170f5f790

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
64KB

MD5
5f8144949c548070a3bafaf78be811b8

SHA1
b4c80b340aa9dc9646d7d0dcb7e991521b2a9c5c

SHA256
0052cbf054884b27ca43251677150688a67b6a641947584547a68cefe98ed36a

SHA512
0b2514eab99a83d6d385dafbd3d576036f7071f3ffc023fbab7d0ea5508761bcb2a12aa2661f2181a6c56b08442f7326494e9ab734b8c1c7c43b8dc6c007dedc

Download Submit
\Windows\SysWOW64\Aoojnc32.exe

Filesize
64KB

MD5
3d6d8b23830e97ddcffc4f376cca604a

SHA1
43cd27f64b25c84c210d13de33de47e3d664cfd6

SHA256
d8c4bf86849353639cd5f7587bd4fc8ff95f2e2e1696fee6babfa502a07dcbb7

SHA512
e42126cb37dd080297d6804cb1017a88dcd1f22a8046d458a69e5ecf4e7fd8bee91bf51e04daabb4fd9b1d70b897604b10880d8b43c85c8a01a05681275ad16b

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
64KB

MD5
43c6d8f48227884cff8fbb2c5ff1400c

SHA1
b74f7091897165036724a0f02869172ebeb4f893

SHA256
de0f2a01cd887c435a4ecc8f577937ad3b6285e928b1ac362aec955b5e5e85e7

SHA512
4c3bdf6dd854ea33a0bdf8354592263962e19c568513494ff7b6c6fcf876f89296efebfd8029ab7b33da79008821d6d193b4429bb4be7a83a5b88da9f5880dd0

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
64KB

MD5
6832def48f90336f7faf6a806c782f4c

SHA1
352fef9dd39aaab2a6bfc6030a8c127797250691

SHA256
4d8427c0761b9d0f0f7069be11e85450e6fd100d16f610b8111b2d85df0df749

SHA512
b1f0a93cbbfcdb6256bf1f8b32287f6a73964ca532d962ee874bff11e7e00369223d01452d9504b5ef64c66d008348c8e80221132daf0cd84a378c0d30caf552

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
64KB

MD5
c717c6df6d8fec8abecc712a85d0b6b8

SHA1
48cb59c05eae2b38a42fd345c0017da1ab2aa2fd

SHA256
1f4efbdedd839fe957e56fe498c0dc02621d9ae04fda95d2c7a2ca5bc194f704

SHA512
d9d1cc97612fffa9911a58ca101dda2788866d78cd1c04ba0c512042667e11e4711d1d94f96f1e5230117ab2ee6565432664d0737fad245a25d71d967a91233f

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
64KB

MD5
c44d95bae7139fcdbf46ff3f8a2b7ad7

SHA1
47f75bed7b5f5dedbd80252bafd28f1e5977de29

SHA256
486d83181f93de59d907e7f3c6912411a06f2a8f25ee4205fbade17830b8c55a

SHA512
b10c68ab96aa48394498f3260d9a73d70a21f9ceb872f1d76e4a0b36d2a9e7c2842ac8e9a1e2541603077b699580eb8a4b6adab1426d4fb9af579e3cf9346c61

Download Submit
\Windows\SysWOW64\Bnfddp32.exe

Filesize
64KB

MD5
5d7fcdb266ac3c07ea988632c0f4e5e7

SHA1
6fdfa3ea42bcbe7c419dcb9ff238a117d5dabc70

SHA256
cf2dd0cb769b07ca0899d94fb283c3ba58c961dfbde8ec2718837792f6008ee6

SHA512
59fcbf7bb2622ea88afffa0089b631cee5c9b51579aec92c308e9718a956e5971ce05df333ba21bd1ff9fc4dfbf83108dff2a72d45dd03d4144b91d7d413ec65

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
64KB

MD5
42fdb49dd11761387aeb24f33d684994

SHA1
19374d9e5878aec78c910c231bf65d9eb395a37c

SHA256
564b8e7038259b1585a9ebd5aee6da9a695c8f37f1eacd2ddb8ad0f24dc345eb

SHA512
91d788c299d578e69e33b20368b2f1f04a8510a64709344a215b1719b7b878d5e8622b5f859c53571cb2df8d27d533fdd55acbf372d452e38df2b7b4ed010eb4

Download Submit
memory/372-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-372-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/372-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-336-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/596-306-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/596-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/596-349-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/680-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-258-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/760-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-156-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/760-161-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/896-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-328-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/932-307-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/932-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-271-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/932-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/992-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-246-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/992-282-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/992-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-126-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1448-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-314-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1624-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-27-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1636-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-283-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1728-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-144-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1736-191-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1736-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-400-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1904-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-291-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1944-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-9-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1980-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-10-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1980-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-235-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2032-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-383-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2388-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-251-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2388-250-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2568-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-84-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2616-384-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2616-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-371-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2620-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-410-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2620-411-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2620-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-63-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2640-69-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2640-123-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2640-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-100-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/2644-94-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/2644-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-145-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/2644-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-359-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2764-399-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2764-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-360-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2820-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-186-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2820-237-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2820-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-220-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2836-215-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2836-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-35-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2976-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-114-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3024-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-163-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads