berbew | 6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
Size

74KB
MD5

026bc92e2a063590f75c2160e5f7ffa6
SHA1

20da2945aa0275712a6981a0da8a3b9cfa43480f
SHA256

6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9
SHA512

a6f1ba1c59cedec014bd38385a3198f024c3a1a1a06e5ac7a7edb6145e2997599dbcb91a4e913d077a5d5417a9fb4f7e491352b216eb291b07fa8d743a388b49
SSDEEP

1536:YwjydSCYAobpxDAkWxBpO4PkgxTyho81dHH:YwjydSrDpxyvpHsgxU1dHH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqeqqk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 35 IoCs

pid	Process
2068	Abmgjo32.exe
2468	Ahgofi32.exe
2768	Abpcooea.exe
2372	Bhjlli32.exe
2356	Bjkhdacm.exe
2604	Bqeqqk32.exe
2676	Bgoime32.exe
1624	Bniajoic.exe
2284	Bdcifi32.exe
2316	Bgaebe32.exe
1948	Bnknoogp.exe
1724	Bqijljfd.exe
1424	Bgcbhd32.exe
2188	Bieopm32.exe
2200	Boogmgkl.exe
1912	Bbmcibjp.exe
1044	Bjdkjpkb.exe
924	Bmbgfkje.exe
2924	Ccmpce32.exe
876	Cbppnbhm.exe
720	Ciihklpj.exe
2540	Ckhdggom.exe
2004	Cbblda32.exe
3000	Cepipm32.exe
2344	Ckjamgmk.exe
1288	Cpfmmf32.exe
2808	Cagienkb.exe
2908	Cjonncab.exe
2756	Caifjn32.exe
2552	Cgcnghpl.exe
2572	Cjakccop.exe
2992	Calcpm32.exe
1784	Dnpciaef.exe
1544	Dmbcen32.exe
2060	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2280	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
2280	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
2068	Abmgjo32.exe
2068	Abmgjo32.exe
2468	Ahgofi32.exe
2468	Ahgofi32.exe
2768	Abpcooea.exe
2768	Abpcooea.exe
2372	Bhjlli32.exe
2372	Bhjlli32.exe
2356	Bjkhdacm.exe
2356	Bjkhdacm.exe
2604	Bqeqqk32.exe
2604	Bqeqqk32.exe
2676	Bgoime32.exe
2676	Bgoime32.exe
1624	Bniajoic.exe
1624	Bniajoic.exe
2284	Bdcifi32.exe
2284	Bdcifi32.exe
2316	Bgaebe32.exe
2316	Bgaebe32.exe
1948	Bnknoogp.exe
1948	Bnknoogp.exe
1724	Bqijljfd.exe
1724	Bqijljfd.exe
1424	Bgcbhd32.exe
1424	Bgcbhd32.exe
2188	Bieopm32.exe
2188	Bieopm32.exe
2200	Boogmgkl.exe
2200	Boogmgkl.exe
1912	Bbmcibjp.exe
1912	Bbmcibjp.exe
1044	Bjdkjpkb.exe
1044	Bjdkjpkb.exe
924	Bmbgfkje.exe
924	Bmbgfkje.exe
2924	Ccmpce32.exe
2924	Ccmpce32.exe
876	Cbppnbhm.exe
876	Cbppnbhm.exe
720	Ciihklpj.exe
720	Ciihklpj.exe
2540	Ckhdggom.exe
2540	Ckhdggom.exe
2004	Cbblda32.exe
2004	Cbblda32.exe
3000	Cepipm32.exe
3000	Cepipm32.exe
2344	Ckjamgmk.exe
2344	Ckjamgmk.exe
1288	Cpfmmf32.exe
1288	Cpfmmf32.exe
2808	Cagienkb.exe
2808	Cagienkb.exe
2908	Cjonncab.exe
2908	Cjonncab.exe
2756	Caifjn32.exe
2756	Caifjn32.exe
2552	Cgcnghpl.exe
2552	Cgcnghpl.exe
2572	Cjakccop.exe
2572	Cjakccop.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Bhjlli32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Ahgofi32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	2060	WerFault.exe	65

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2068	2280	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe	31
PID 2280 wrote to memory of 2068	2280	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe	31
PID 2280 wrote to memory of 2068	2280	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe	31
PID 2280 wrote to memory of 2068	2280	6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe	31
PID 2068 wrote to memory of 2468	2068	Abmgjo32.exe	32
PID 2068 wrote to memory of 2468	2068	Abmgjo32.exe	32
PID 2068 wrote to memory of 2468	2068	Abmgjo32.exe	32
PID 2068 wrote to memory of 2468	2068	Abmgjo32.exe	32
PID 2468 wrote to memory of 2768	2468	Ahgofi32.exe	33
PID 2468 wrote to memory of 2768	2468	Ahgofi32.exe	33
PID 2468 wrote to memory of 2768	2468	Ahgofi32.exe	33
PID 2468 wrote to memory of 2768	2468	Ahgofi32.exe	33
PID 2768 wrote to memory of 2372	2768	Abpcooea.exe	34
PID 2768 wrote to memory of 2372	2768	Abpcooea.exe	34
PID 2768 wrote to memory of 2372	2768	Abpcooea.exe	34
PID 2768 wrote to memory of 2372	2768	Abpcooea.exe	34
PID 2372 wrote to memory of 2356	2372	Bhjlli32.exe	35
PID 2372 wrote to memory of 2356	2372	Bhjlli32.exe	35
PID 2372 wrote to memory of 2356	2372	Bhjlli32.exe	35
PID 2372 wrote to memory of 2356	2372	Bhjlli32.exe	35
PID 2356 wrote to memory of 2604	2356	Bjkhdacm.exe	36
PID 2356 wrote to memory of 2604	2356	Bjkhdacm.exe	36
PID 2356 wrote to memory of 2604	2356	Bjkhdacm.exe	36
PID 2356 wrote to memory of 2604	2356	Bjkhdacm.exe	36
PID 2604 wrote to memory of 2676	2604	Bqeqqk32.exe	37
PID 2604 wrote to memory of 2676	2604	Bqeqqk32.exe	37
PID 2604 wrote to memory of 2676	2604	Bqeqqk32.exe	37
PID 2604 wrote to memory of 2676	2604	Bqeqqk32.exe	37
PID 2676 wrote to memory of 1624	2676	Bgoime32.exe	38
PID 2676 wrote to memory of 1624	2676	Bgoime32.exe	38
PID 2676 wrote to memory of 1624	2676	Bgoime32.exe	38
PID 2676 wrote to memory of 1624	2676	Bgoime32.exe	38
PID 1624 wrote to memory of 2284	1624	Bniajoic.exe	39
PID 1624 wrote to memory of 2284	1624	Bniajoic.exe	39
PID 1624 wrote to memory of 2284	1624	Bniajoic.exe	39
PID 1624 wrote to memory of 2284	1624	Bniajoic.exe	39
PID 2284 wrote to memory of 2316	2284	Bdcifi32.exe	40
PID 2284 wrote to memory of 2316	2284	Bdcifi32.exe	40
PID 2284 wrote to memory of 2316	2284	Bdcifi32.exe	40
PID 2284 wrote to memory of 2316	2284	Bdcifi32.exe	40
PID 2316 wrote to memory of 1948	2316	Bgaebe32.exe	41
PID 2316 wrote to memory of 1948	2316	Bgaebe32.exe	41
PID 2316 wrote to memory of 1948	2316	Bgaebe32.exe	41
PID 2316 wrote to memory of 1948	2316	Bgaebe32.exe	41
PID 1948 wrote to memory of 1724	1948	Bnknoogp.exe	42
PID 1948 wrote to memory of 1724	1948	Bnknoogp.exe	42
PID 1948 wrote to memory of 1724	1948	Bnknoogp.exe	42
PID 1948 wrote to memory of 1724	1948	Bnknoogp.exe	42
PID 1724 wrote to memory of 1424	1724	Bqijljfd.exe	43
PID 1724 wrote to memory of 1424	1724	Bqijljfd.exe	43
PID 1724 wrote to memory of 1424	1724	Bqijljfd.exe	43
PID 1724 wrote to memory of 1424	1724	Bqijljfd.exe	43
PID 1424 wrote to memory of 2188	1424	Bgcbhd32.exe	44
PID 1424 wrote to memory of 2188	1424	Bgcbhd32.exe	44
PID 1424 wrote to memory of 2188	1424	Bgcbhd32.exe	44
PID 1424 wrote to memory of 2188	1424	Bgcbhd32.exe	44
PID 2188 wrote to memory of 2200	2188	Bieopm32.exe	45
PID 2188 wrote to memory of 2200	2188	Bieopm32.exe	45
PID 2188 wrote to memory of 2200	2188	Bieopm32.exe	45
PID 2188 wrote to memory of 2200	2188	Bieopm32.exe	45
PID 2200 wrote to memory of 1912	2200	Boogmgkl.exe	46
PID 2200 wrote to memory of 1912	2200	Boogmgkl.exe	46
PID 2200 wrote to memory of 1912	2200	Boogmgkl.exe	46
PID 2200 wrote to memory of 1912	2200	Boogmgkl.exe	46

C:\Users\Admin\AppData\Local\Temp\6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe
"C:\Users\Admin\AppData\Local\Temp\6b025ae17c08622e2fa0c083fc2840848bac13898826f9fb2da16d29ab1fb8b9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Abmgjo32.exe
  C:\Windows\system32\Abmgjo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\Ahgofi32.exe
    C:\Windows\system32\Ahgofi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\Abpcooea.exe
      C:\Windows\system32\Abpcooea.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 144
        37⤵
        Program crash
        
        PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
74KB

MD5
d0e8985daaea84440e71d881be57b4fe

SHA1
8b8d80a79b328ab39c284165f32614dcc3f69359

SHA256
2fdd161454e26b31eb0f78fe41d3faade1959912c17666e707aa9b69ea114251

SHA512
fde10e9b2fa8cc71c8033b7bd3b50e214459c49b984d20b1a59271cd6c5c776861885e83e526c73960d578a3fe303b18a5f9d76e6c0decff9872331b7d0829aa

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
74KB

MD5
e8fdb7d8eb24177077d570a86287d930

SHA1
cfc43897a5a01b1fbd9ec526ad8aa3ce625e518a

SHA256
d3b0c156da93606a5d11d6a2a46025207bf75cb5dc48da50fb04ebe190c0d1b9

SHA512
828f491e61a70a9fc1b5cdf5f9e899aab26464cbe6a05c6e001ded2b89d26376010b82bab4a2325a91f2c14ef689016165bcd9366109f2de01992e2d6c1688ad

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
74KB

MD5
0b1fec4fa3d8e30ad76f3fc16c76efbb

SHA1
a4f038563bacf4c0fe37aec89f6bd06c2192c535

SHA256
0f7e74d5f2e60d991545eae3be479b04a37d8c25ebbdd46be2c8347a45872e16

SHA512
7c97ceca32dfb9612bf3f2d6c19c33ca5e9b69160dd9667e8dcfcb886cde71ad5ea56d3ec01ed6400e4c13fb5bf0004a4218f8dbc53079c2c18c2498d26b45ea

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
74KB

MD5
00aab6b7af74c9d41cf3f5d10c2af39a

SHA1
08f6df1ac5ec04f466001ca2273f207811f5f37a

SHA256
672139c8fefe2f5fa2f86223cb50c62fb5c906f22adb8427af58fc494db8bb3e

SHA512
248b7b2d182d3163806d3a78ec1f6750b8107f9b25a8a6e298a609756b77f7a4a0ad4973729ff6e16bc7c690196dcf684ab50415b142d4e158c2d21981c7df61

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
74KB

MD5
dd8b5622204a566ffd9cf91c8e3ba448

SHA1
aa9f0d192216f02095c01054d6bf1f242cd0a3e3

SHA256
4d53382d37d3cdbc000deaf4a0154b145c21085c6e8895d43d2d8a4dec053b4a

SHA512
bb631d23af46a442155296b1d31bf5daa5f2736adf793de44fdfe4d34828b47c897042e43d88fc1dfc4ed4d0c0f007daaa43569ad2c059d1e62116c4ea25bd2e

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
74KB

MD5
de9b1fab9dc35c7cbb47149c8e2fc166

SHA1
ea7afca4b037f234df39b6935ad818f9feaba5fc

SHA256
76d12d8bcffa69c54e22d628e1d110d6b0a922c4cde6c03536b0ab3cb3871cbf

SHA512
a5090430a08dc76032fe80017e1a7399dbdcc4ce88b1050fa23039afed381b536e6b92a9aceb5dff0046331a3a4d4e2df41a65f31f480a6f868955c7c8a8f1b3

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
74KB

MD5
6fc87256cf88fe52f092d9992fb86223

SHA1
10f236fef14500f8b396bbd9754844ef0e1e9bc3

SHA256
c62fc960db3cc48ec2e93d2db32973dc7fb36b4ff1fc3b377a295b14413cc6b1

SHA512
ba9b0e3e59fc3fff1dbe45535904370f0d37d9c9b1f4b977d42cc1498c276e79af3fdbe2699f59ed13aecaeb43a4a82abac5b573406083f03c13ba0ecfe43dd6

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
74KB

MD5
4f89b17cd834eb6e9383ebbd560595de

SHA1
ba15fd4a949c20145a21650861fb0f137d299a0a

SHA256
467a363a2f98dcaaf2196ed4cde1ad95e53f76944a9d6c53a11c68ed571784cc

SHA512
c429a51ea79434b77358b6038d86501dbe5d7b2685b1b15083008b0ba77052fc9886fc6d387b5ae78a23194ef5ea4540d58583cafabc41a396c7a222f912432c

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
74KB

MD5
71a25675720c23b9f9bf544ef73e167c

SHA1
a03df3836dd925df726e8e5aea1035aab49ebaf1

SHA256
586b7d794e032f4b9c81d18b3ab39147932954cbcf967eba4cae9af081abc819

SHA512
0fad87b433e00129b406ef68089d4f5a5971eeb19c55b201c997b7e2d8cd5a6b978af78f74d24f5ac0b56f7717b493fe806b20dc9a9a466b4dd9f8106e71ec60

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
74KB

MD5
be8e8a45a97698182a4b3d2a4a5daa22

SHA1
d0bd2bf6f1bbaaa32dbcecd2d26e3598f21ef55f

SHA256
0f83dbfe3f3334219fce720fa2726386ddc775fb5acb90a065b8e6650f0a19d5

SHA512
987ddbe7efc6cd8739f37d31cd085657a035234c3b3b3bab9848a73f162cd07dbf9c60909400c0f517ad18272fa3a5430068f43ca4c23cbea732ab0df1464e8a

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
74KB

MD5
4834b1cc2af792fff7837cdc5b67dca4

SHA1
da04b9ca8d4935bf1d1662aa75b1adec17315141

SHA256
6fe5e5490ad5afa082ddbbdadc84d6e231adefd3b8e0ac04c5136dd4a99a32a1

SHA512
c863e84b515371ee5d40fba2f3c2fc385fc9887cac3b2243821d958c63d2e6e36d97273f72d90088104af9085055311effc3e0dd058e8b3c3527820c7015ac6f

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
74KB

MD5
c61e83ec18f7746bf53c4bad6fe74404

SHA1
95cca2f82465c5e08d99bf61bcab8662db04d48f

SHA256
bca07316a7e2e9431aba49abfcec418d2af4bc4ec7fdf47006cf6b92802a5109

SHA512
93262f189abdcf5d1d1fa8321e36c7617d68c3d8abcb9eaf14df7317230c7c44969fd1ddea4c57b6d945eb3ea0aca92fea8d3c591098042923122b5ea54be85c

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
74KB

MD5
327ba1047e6d4e57999d8345bbea2ab2

SHA1
27fb3b8487099f72cf1367a1539a1bb9c464aab3

SHA256
5453d60f344d8b9c35e405e8e09405870092fb72d4fc9fd05fa13dc1e27dcf06

SHA512
b1b01d2243b365371d146e9332e39d454482c6d2d810e338c381c5927fd4501ecd227f53768cb0fb069de465cd8f528c8528ffe9ea1098d2c3094a5de00e8bf3

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
74KB

MD5
233d4fb564ddda1190e889c033263787

SHA1
7ae2eecf42e2da2293c2f9eccc04e1c203677281

SHA256
2b0613814e6fd47f68e74a51be4f1941cebf579d13cfe6331b69c32d5f0d160d

SHA512
8cb300eb59ce0aec4b3eda3ba36edc46b11a64e31298a2a0ba5368f217230e987656c0b167534e0dea3cd806c486ab47596d98961d3b7bc65c1bd53482218b38

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
74KB

MD5
84619442ff7fa7c0ca2c4dad6821ce5c

SHA1
54025e96547be4928822b9943d372834dddae9fe

SHA256
de4c5239e7d69664e904beae38e85caffba89add25ad23c31fe8b02ced2d9c5b

SHA512
186d0ff49c9fc6a6d0b3de81c2697a02d8e354c36a55f1881a3384e733444b4b03dfeabefa76bf790ea6723a2226219d2859f1c11b12a3609147477eff3e43aa

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
74KB

MD5
6dc2676b2aaa6a9b03d92e4d36d70436

SHA1
d026a2712fe718facd5cf731369e159511d3ead3

SHA256
21fe15f6c9c16157557218548206f482502d15ffa88312cbad775bb9a6e31616

SHA512
196973af67908d094cd17c0493da666fb7ec419a4d196d10777f6b9ebbf4dca2a6d91744ec0b20d7049f7df1a3ef7f5c81a84931c8e2f8402f2288cb698b3251

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
74KB

MD5
72eb93083fdd0ce987030be211039a96

SHA1
89b9232834925a2fd98ce6dea4038aa0784eb74a

SHA256
09444afb7d929b2288a83b55cc6cb974535842e5fd6031e1d218106adefe92d6

SHA512
faf996b6aa4e7fc5bd7e54755e20befb0edbb02c487e822cc46bb9e2642c773d62d8700f1f5fe6f3811ba04794c1da27a45d4cd688a8d7447b59722ed0c88036

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
74KB

MD5
5568c83282c155007ba76abd12c89625

SHA1
08bdabe541d5a3a5ebd0875ebad80b220e51299d

SHA256
c1c0d8e3d9091cdd388d7492a21d2f5a4221c4a610fb1ce2d339fea7f25ef900

SHA512
e9478d37afbb2217a862da7666934975651e433d2e1fbb6c9a5d92b2be7743717cd6c46468624d51b59c113ffdd0d64a6ae1529362ca1bf971ed7029e9e863c8

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
74KB

MD5
2077b39d5f75045fbccf0211345c31ee

SHA1
9a1d6fb72f3ac97225ca82282c6509d4d6924848

SHA256
ffe3bcbfeb8eb5729552a7e9a0ace6e9285a4621cbb102c907fe9e217967f7c4

SHA512
07073624ed5d8bdd17c74dab9090ada8884ce1af1bfb2e058a35163b36369c44183aadf606ebf2856f3864a9b6fe5f59aba3f38c1e83b91f31c218cb1fa0925c

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
74KB

MD5
78cdd56c7d117f58ae0333f4463faca4

SHA1
4904e8769d90109beef763128995728d71c23dd5

SHA256
6d1f01c8360ea87d604388eed0b9f4eb3dce601c2d3b0b25e55817b00675140e

SHA512
eac0beda59e814d10c4c20a6bb5b104a47ba082bbec011dcd008bb14fbd82d15599f32cb669ccf6a78a2becd0809348941595339ecf738004a2c971f9f72d466

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
74KB

MD5
7a068664aaf1b11f3e3d0b33bd1dc74e

SHA1
ccc9a9d8ea4bd3985a4b818810dcc3c2ff356ee9

SHA256
864e2efe3985c7fd514391d510339513c3ca64a70b730b17c746c048c9211265

SHA512
f781ee8040e56b142d3a537937fee701a93965242022dbf320d3c835f2f571d5b5d37799d6f717804f24ddee6550f1204e764a1158eb69064298217456222fb1

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
74KB

MD5
084fee2cc80a315b899977f31e270d9d

SHA1
dc9a64f0b0b7ba05e0a7fa45a6bb58be70077173

SHA256
ff92979697de25be37f213a84092af1badecd452c946db920de1ba15186789aa

SHA512
fa4487cc2b4337309b6802cc1aa11721b717043de74d2533a146fce41711aea31adc680363cd33afb05ddba356af15365da8fb0bd0aa6aba81c054bc55a927f4

Download Submit
C:\Windows\SysWOW64\Kfcgie32.dll

Filesize
7KB

MD5
13938e385d9f24957503142c5de69fad

SHA1
32057f26a0e9269d5103d4a002eb8ce557c75a09

SHA256
6bd56c4e55eb3409e21c5359d0f851ed667b95ca48969c11b87bda92308b020c

SHA512
863f5b123b26034c4cd7290836ec4cb195779e04e87a8aabd22c043cd02633e3c5e6d39e5cf990819c61e99976eeb68a95f33f2df52a2c225ef0ffdba7556345

Download Submit
\Windows\SysWOW64\Abpcooea.exe

Filesize
74KB

MD5
68459ee63b9bb8471346c78ce13731b3

SHA1
f4d2f42cf1f1043c4adad19f5531a0adae5344b8

SHA256
bf4b2c8b5e9e037ef899287b85a6b60f73eaea257fa67ba3393bee96d15d7b54

SHA512
831e53c8fb641c77c5119c82d7ad17a80bee264fadac078879bd4a7fa47fe85ac65a48ad596f7fffbe67a3abe734d3e60f1288be8c0b908ec8b4db1cd1744655

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
74KB

MD5
bc900d84bb7559b589cbf8c1f16472bf

SHA1
11efcceba43b9a9deaca005e677586feed8b64da

SHA256
8a358e933ca6be92cb26ee538843b896b3c9f6e32429915e2b2fbb3ada81d010

SHA512
75264d1085e04afb29a48a57a0b525ad612e5ad283de98f00495743d29c0aad58ecd28070199abdd9d8a8e29e20917f3fedf9098f7a3cea633c90915e412f70e

Download Submit
\Windows\SysWOW64\Bdcifi32.exe

Filesize
74KB

MD5
84a2716aad5b980fdded969a3fe75ae3

SHA1
0cbb8867636921fbdc0ed5095fe4078bb0339b24

SHA256
167e6524fa91d53abcf4bf52e0910fc078009dc76a6537d9dedb410c239e3e6e

SHA512
0f48307c9c6e4b4604c5ca92834c8a8563b4f5f732458e7ea06f39720686f0c4e4ad7d3c829412f9b5ecd723f6e286800454e513422ca259d41379cb4e61ce57

Download Submit
\Windows\SysWOW64\Bgaebe32.exe

Filesize
74KB

MD5
7ff3cf630f77398c4190bb0defddd0df

SHA1
a375b902d81b819dda75dd29bc678b3a1a9e3b3b

SHA256
0f40298dc73c8b932060ba8578cb7de5c77915502bf8daf905cd8321cb5ccded

SHA512
207040fd9da15e7ec3411bba5e68ccf00168f0a928b3009e4a8c406e4e461b4fa314adff8fb10781dcd70fe5f93298313f2844cfa911c3ab02972f3a0bc9d4a2

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
74KB

MD5
44b0db689ff0b5588b23145e709ebc99

SHA1
4c644e76d719884f7be98444c52d27aef7e80547

SHA256
6e3f95abe7fb6d067d0f6f7314a51fe798154e998d85fb1cba9973f11ea80d25

SHA512
a393f9654f8af3874a87f6e91d6d547d747c14d54c6c46d13e4e790d42c9f2127c11d4a632faf9ec5624b79c684903a60e556f4a124411e5dcff17c93d5d6c5d

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
74KB

MD5
81c3c7d8c96153c8d4dc9952df748aca

SHA1
e625595b1a3d067883ee9a44b7b871e5c435c5bf

SHA256
90fe41375166016392669430547b3341acbe0b4b8dc90294a2d190ca4d579d1b

SHA512
17236fbcc84b811bf43e06972474debf631cdfde1a61d2c9b9b6e68e4e6c5115d4554938388f6c460389fd721f225e35d1da55feb8b5f2cc34592a8361d9a17e

Download Submit
\Windows\SysWOW64\Bhjlli32.exe

Filesize
74KB

MD5
6cee51db636997fd8708ab97ac552921

SHA1
4e96e96e18fd1dbe703cc35c32f80441fb91fadb

SHA256
cb1303937b95588a136f4f834d3167ab90931f995b21780d81e69ac92017a9d2

SHA512
53d53c8639ed487c1c06b6069a8e8cd7265cb1b2fa6b202b0a62017fcd4df2ef0c5e7c5494eab569593db57c187da0adfd97ea7af3e3608ba490f0f81c8bcf5d

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
74KB

MD5
467da2fc44cccf4989f3009f724b8034

SHA1
8fb2abbd5f3a5841c75ec3412153ae941a841629

SHA256
635b53bd2e587f169b91db5836ebe2cf61178b0d9297a3c27c6dc64650034fb5

SHA512
030b5c80d97f851b30ffe13a8b666217b1e304e4b13a59875461a56721ebd4bf6fad4eb9b501d3badd389c2b8a3992bd734eeda57792f1e30db390fdf5554cfc

Download Submit
\Windows\SysWOW64\Bjkhdacm.exe

Filesize
74KB

MD5
c706b4b5d1a88546fa4a1356faafeb04

SHA1
97a313a2d0f0ba0e15d87fa1ed6f638b398882d6

SHA256
7510866cc6603d0e31f9cd14d078cf9d0768d21f70d02e7f5bbc31a03a733360

SHA512
eedbc02bc68d8bf4c6c37949bf94fe694f8863afae0b7a927533b971701717f7ff026d86ecb42d1c780fe93270bc9db7de27a56396246791f89822a7bfde7313

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
74KB

MD5
f4985e957a764a95c4228f91fa1275ff

SHA1
47ce32f562354aecddc89cca5ab1909e7aa1c7ec

SHA256
3f5239ae406247ef7ba6b34cc6b40cb02fcec0e89a3c4c2a37b493bb8c91de4f

SHA512
188544340030b47d4f20e6021df534f8e0b35972e5314efd5e42745c9b3d33ef440f93fe571f67ffc519c0aa074bc99a4bf06b1d2ca251b2d39b31b4488bc60d

Download Submit
\Windows\SysWOW64\Bnknoogp.exe

Filesize
74KB

MD5
8438fb7baf2575181b6b1b53a0a2de71

SHA1
39592044b04352f82105f0b0b18966a44ea0e8eb

SHA256
9431b963ca5a3bbe1eab8e249e8d5381acc526878084bde5b93a30eebb5844ec

SHA512
0875516c1b65d8518daa589207ca8464333b0e9346ec5323042ad2a22934902355f604636b372c8ef6db8187c6a398ea0a6f5167cf32ef0bd2d68757c061043e

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
74KB

MD5
fc0bfcdbc96425ca593c0ca0740dcf37

SHA1
e91cc883ec10ced521b089f1f1cc12b0f93b4e35

SHA256
d34571a51ef75690557c8d7331b91c51276e2754bd4ce4ba44c06a8c20a4294e

SHA512
c667c73286cfba8fc178e4e09fef18514b0617bb61c59cc9ce38798e9c4e77bbbff25d802fe92c97cb2a59b4d5a77212040675af499df3e8bdc6fd8f3f6aedd0

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
74KB

MD5
91287e82ee0899949d2f7fcd5926720f

SHA1
8f2a0acd1d6bf27b23d990561823215cbb73b94c

SHA256
23b24bab1d17e7980b0fdc47e415f17ea500c86d106b2c00c567266c9308a5bf

SHA512
6e551aeb3d0131b502c8c803effe1fdcddd7c2902d112b68b908b4fbbce8d4a3a9b9e7a876d0ea7f87abc4340fb5239ac7623c662035d4fbd0e870994a0a40eb

Download Submit
memory/720-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/720-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-255-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/876-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-316-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1288-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-321-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1424-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-113-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1724-166-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1724-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-218-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1948-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-288-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2004-289-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2004-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-193-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2200-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-17-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2284-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-140-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2316-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-310-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2344-309-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2356-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-399-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2372-60-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2372-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-367-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2468-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-35-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2540-274-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2540-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-278-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2552-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-373-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2572-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-90-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2604-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-51-0x0000000001F80000-0x0000000001FB4000-memory.dmp

Filesize
208KB

Download
memory/2768-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-331-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2808-332-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2808-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-342-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2908-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-384-0x0000000001FC0000-0x0000000001FF4000-memory.dmp

Filesize
208KB

Download
memory/2992-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-296-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3000-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads