berbew | 28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
Size

96KB
MD5

ca982ba5a8d76e24f675e56bc564ee82
SHA1

2d724f6bd9b880704d982cc8ef2fc9379c5cbf75
SHA256

28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c
SHA512

c7dda3f6b205bce9843ea8d17de08f7bc989df38109e557553fa924599ecda8ab2a5a72a0489a34d9411f189f19ab04a6916bf1c39b19fd48a0fdf953ee3b61b
SSDEEP

1536:mGTcmbFf67Ch8R7kkyxc+ggggQ2LV7RZObZUUWaegPYA:x1ECh8R72cyVClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 40 IoCs

pid	Process
3184	Bnhjohkb.exe
780	Bebblb32.exe
3988	Bfdodjhm.exe
2484	Bmngqdpj.exe
5028	Bchomn32.exe
4328	Bjagjhnc.exe
4064	Balpgb32.exe
4056	Bcjlcn32.exe
3944	Bjddphlq.exe
744	Beihma32.exe
2944	Bfkedibe.exe
3000	Bnbmefbg.exe
1464	Chjaol32.exe
3272	Cjinkg32.exe
656	Cndikf32.exe
320	Cenahpha.exe
2996	Cjkjpgfi.exe
4504	Caebma32.exe
5068	Chokikeb.exe
2516	Cnicfe32.exe
4380	Cdfkolkf.exe
2444	Chagok32.exe
3924	Cnkplejl.exe
1996	Chcddk32.exe
3136	Cnnlaehj.exe
4960	Calhnpgn.exe
1108	Dfiafg32.exe
4928	Dmcibama.exe
1892	Dmefhako.exe
4452	Delnin32.exe
1060	Dkifae32.exe
852	Dmgbnq32.exe
2936	Daconoae.exe
456	Ddakjkqi.exe
4628	Dfpgffpm.exe
948	Dogogcpo.exe
436	Daekdooc.exe
3632	Dddhpjof.exe
3756	Dknpmdfc.exe
1724	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4972	1724	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3184	1188	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe	83
PID 1188 wrote to memory of 3184	1188	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe	83
PID 1188 wrote to memory of 3184	1188	28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe	83
PID 3184 wrote to memory of 780	3184	Bnhjohkb.exe	84
PID 3184 wrote to memory of 780	3184	Bnhjohkb.exe	84
PID 3184 wrote to memory of 780	3184	Bnhjohkb.exe	84
PID 780 wrote to memory of 3988	780	Bebblb32.exe	85
PID 780 wrote to memory of 3988	780	Bebblb32.exe	85
PID 780 wrote to memory of 3988	780	Bebblb32.exe	85
PID 3988 wrote to memory of 2484	3988	Bfdodjhm.exe	86
PID 3988 wrote to memory of 2484	3988	Bfdodjhm.exe	86
PID 3988 wrote to memory of 2484	3988	Bfdodjhm.exe	86
PID 2484 wrote to memory of 5028	2484	Bmngqdpj.exe	87
PID 2484 wrote to memory of 5028	2484	Bmngqdpj.exe	87
PID 2484 wrote to memory of 5028	2484	Bmngqdpj.exe	87
PID 5028 wrote to memory of 4328	5028	Bchomn32.exe	88
PID 5028 wrote to memory of 4328	5028	Bchomn32.exe	88
PID 5028 wrote to memory of 4328	5028	Bchomn32.exe	88
PID 4328 wrote to memory of 4064	4328	Bjagjhnc.exe	89
PID 4328 wrote to memory of 4064	4328	Bjagjhnc.exe	89
PID 4328 wrote to memory of 4064	4328	Bjagjhnc.exe	89
PID 4064 wrote to memory of 4056	4064	Balpgb32.exe	90
PID 4064 wrote to memory of 4056	4064	Balpgb32.exe	90
PID 4064 wrote to memory of 4056	4064	Balpgb32.exe	90
PID 4056 wrote to memory of 3944	4056	Bcjlcn32.exe	91
PID 4056 wrote to memory of 3944	4056	Bcjlcn32.exe	91
PID 4056 wrote to memory of 3944	4056	Bcjlcn32.exe	91
PID 3944 wrote to memory of 744	3944	Bjddphlq.exe	92
PID 3944 wrote to memory of 744	3944	Bjddphlq.exe	92
PID 3944 wrote to memory of 744	3944	Bjddphlq.exe	92
PID 744 wrote to memory of 2944	744	Beihma32.exe	94
PID 744 wrote to memory of 2944	744	Beihma32.exe	94
PID 744 wrote to memory of 2944	744	Beihma32.exe	94
PID 2944 wrote to memory of 3000	2944	Bfkedibe.exe	95
PID 2944 wrote to memory of 3000	2944	Bfkedibe.exe	95
PID 2944 wrote to memory of 3000	2944	Bfkedibe.exe	95
PID 3000 wrote to memory of 1464	3000	Bnbmefbg.exe	96
PID 3000 wrote to memory of 1464	3000	Bnbmefbg.exe	96
PID 3000 wrote to memory of 1464	3000	Bnbmefbg.exe	96
PID 1464 wrote to memory of 3272	1464	Chjaol32.exe	98
PID 1464 wrote to memory of 3272	1464	Chjaol32.exe	98
PID 1464 wrote to memory of 3272	1464	Chjaol32.exe	98
PID 3272 wrote to memory of 656	3272	Cjinkg32.exe	99
PID 3272 wrote to memory of 656	3272	Cjinkg32.exe	99
PID 3272 wrote to memory of 656	3272	Cjinkg32.exe	99
PID 656 wrote to memory of 320	656	Cndikf32.exe	100
PID 656 wrote to memory of 320	656	Cndikf32.exe	100
PID 656 wrote to memory of 320	656	Cndikf32.exe	100
PID 320 wrote to memory of 2996	320	Cenahpha.exe	101
PID 320 wrote to memory of 2996	320	Cenahpha.exe	101
PID 320 wrote to memory of 2996	320	Cenahpha.exe	101
PID 2996 wrote to memory of 4504	2996	Cjkjpgfi.exe	102
PID 2996 wrote to memory of 4504	2996	Cjkjpgfi.exe	102
PID 2996 wrote to memory of 4504	2996	Cjkjpgfi.exe	102
PID 4504 wrote to memory of 5068	4504	Caebma32.exe	103
PID 4504 wrote to memory of 5068	4504	Caebma32.exe	103
PID 4504 wrote to memory of 5068	4504	Caebma32.exe	103
PID 5068 wrote to memory of 2516	5068	Chokikeb.exe	105
PID 5068 wrote to memory of 2516	5068	Chokikeb.exe	105
PID 5068 wrote to memory of 2516	5068	Chokikeb.exe	105
PID 2516 wrote to memory of 4380	2516	Cnicfe32.exe	106
PID 2516 wrote to memory of 4380	2516	Cnicfe32.exe	106
PID 2516 wrote to memory of 4380	2516	Cnicfe32.exe	106
PID 4380 wrote to memory of 2444	4380	Cdfkolkf.exe	107

C:\Users\Admin\AppData\Local\Temp\28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe
"C:\Users\Admin\AppData\Local\Temp\28f62058f5dd84c4e04cbabaad570cf869c4bbaa26f7fc0734f6779948cda74c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\Bnhjohkb.exe
  C:\Windows\system32\Bnhjohkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\SysWOW64\Bebblb32.exe
    C:\Windows\system32\Bebblb32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\Bfdodjhm.exe
      C:\Windows\system32\Bfdodjhm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 212
        42⤵
        Program crash
        
        PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1724 -ip 1724
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
7ca0ac67ee8635caae19a646cfa317e5

SHA1
6245677514a4e0a20d8c318eb26e10c2f20480c5

SHA256
692eaeda92758555903aeb446291682ae3eda28effe16d051dd2f9e3a2176656

SHA512
5c0d631f31ae5d2de77dcac5e72b93bc4dea1372956e9ae722dd6f66f1f27f189b4843a567210adac7980fc16f91566fd8b7bbf6d901247da6972f9c68deacaf

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
96KB

MD5
5cfe839a3f6d52c9c3e4f3e9e363b659

SHA1
c08437f58508d50fd9c0ea89937c934d59528df5

SHA256
ad5de9e1492d63ab27767de1ae0f941dc0cc18e7bb73cd879edcdadf3dce1248

SHA512
516b36b81b7258982d79e26ef018bb8ed8a7adaee5bb2ab5a20f0f76f669337e29ca2cb124a27d427b75ce035f785814891d5be66124f1713dba7c33ce81ed9b

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
96KB

MD5
27b32c0426b3bac6e431726a37e5f60f

SHA1
155de15e450dd703b57cd75c344a2e6506f6ec73

SHA256
a303fe0a2c053350492c767838b1845e4d221f50a9e54bd9f9532b668cf30bb7

SHA512
1315612055d802a9f97cc866050bda38db573396ebede0a7641193f61aae8cbeed5ef86b3e381e1d079d9265571d07835e10bd5d46dce34210134227651d96ac

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
91961045d82cd323766a2bcdb3d914cf

SHA1
ddfcd3f2d9964356e0be036a97aadeb58792d39e

SHA256
2bc2f1a2546977391e9acda2bc0703db7b1e930d373f93557eaff7f705354612

SHA512
6db24851a92893312c03f522e3ad737a219ec4fb682343a685a155760cc1d5999de8bf2dc6076c1227c786e1f2a2b6be6542f1a21dcd62083d8fa3db5b0451b6

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
1a35423f27dae7941fc5d4b4cfd23e87

SHA1
0a3e5e6f1c38b9292c02105179dc5788f00ba578

SHA256
4db2ee0089908a06ad7de2eb1b932d86135f318b05c80fe8585ab91c4856369d

SHA512
403f8e968ccb64363754b3993d4217de5471e28b2f113b45cafb2f6d041a5c164a8cc42c1ded41315abbd7d8ffff27177c1ebdccd0c1e86e6b1d2d22f8f23185

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
0f10f922496933e6bd8069ed46884dfb

SHA1
8911acb6e9a51fca707b0b41a2cccd3031e1709f

SHA256
c93b5b393a8fba8223ebd766d6e44c3bda765d5a6069fe4fc14bb9e711ecc16c

SHA512
eb6c001ffef6d0aed8fec4ed16ed9b2829ffdab8c6a5d1e39ac04f82fc6394479eccf11af290e8426fb531861f82bf7eed86ccdf90966106e052f9ff1ce333bc

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
96KB

MD5
83508198e927314e6683fe5120f7196b

SHA1
78768ba7c5ab3c018e93337c8dade924b736a360

SHA256
cd7c90439676e5e560074b885be86f215aab1765977fdb4983ac075f79eb8d14

SHA512
83b4b3350d03bc564cc6881ab4fc07efaf4f84b9d5be2fec99487b4186a2628218d67181db795462a4cc34b5d6e2e325019c336d638877f620f733510745e56d

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
18d43915eacba8b32202a31b63515176

SHA1
9bab913ad74f8a2eefb82d2dfa9e1948fa74d52d

SHA256
652346fb9705dbc9ca3549fab9d4721ed24ead9c7c52d8f6e49c2d56082d3f33

SHA512
d1f7bf5d2c242e203e56f144984eb7612081b1f200eb3e29edaaec87a58df8a2c27e4346ba07483b1407805c21167af6108ed59cbb0b11181c91fb704ab50087

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
96KB

MD5
372287e180969f1c0eb90f4435347c9c

SHA1
dc7b89a31d8d1311ac375f557ba64eb7116194e5

SHA256
f005e1a09d176993135e3d7aa79de44b6641218c89cf8011bd257d846bf88860

SHA512
0f2fdf9fe8ccc934392d2aba573f47e692091f9a97d0d2d2ccc9f228d9833b23df73a4ded4ae6d501933a666eaf92ba3b3c8d8dda8f7e5ca396460048e016b90

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
36c689cfec142dba08f8dc659fbd8a90

SHA1
7136274eb09170e5a6fda054e342fbc8a482d39e

SHA256
cbadc3350964c73020b2678057c9e36e5970a38393e9ac37af51552095602f68

SHA512
dc857209e755d89a7339045b20838f75db89be167817599b97431bc8f93148b04c6455d6f47940df4afa71327bce429407ca062eb052a97d5315f468116961ce

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
20d5a261b7d2b1f3ec5b9ec1cd64b232

SHA1
b3ca8293c282892241f3770fcf8bb51b66f25431

SHA256
42f0c08fd56f46f2147c3e013aa83d045db2488a757dc8256d8ad17224cec73a

SHA512
a8da45423dd66cde6e4f4fa69bb801f0617402fa8ebec497ad0e3c983e28a44f621a2ae966d03236378b7f5a2946e2a40e257a36d75bb3f401e169eab9d6d353

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
0f607468a99628b5582efb18ee12163a

SHA1
2b58e47c9ef144a503569d9e7ffb33bdda4a0cbb

SHA256
9387cf9f8155b6ca8d7b706e051cf85a2892c2cb9f540da097746ade4d9c59cb

SHA512
995dbee048c5a585999ad534cbfa13575a81df2e5fdbdd1da097db1b428b14e8b8130f5f93100535190353414e24020ad28efd7423a17b74647fc810db49eccf

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
96KB

MD5
42f9a7961342822ccf1102231eee9869

SHA1
0497e34a5b8058cf7d1f8164114fa755d8432800

SHA256
c09c6af1d05472278df7f52af3fe6e34d929b7da1bcc8f26b16ae0c744c3c8be

SHA512
0d6b183be90cc6fe2e62dfcecc1b76797aa19fedd9e0d9172317fa05b45883dc9c43b8b0d97d3ec719ea86a1f316818e2f121fa97be5362090aff77a5ce3185e

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
1689d40bd34da4de7a62eaa3cc12908f

SHA1
6fa1ddcc21c102bb544d376ca96650d2deaa2a13

SHA256
fdf0a644df26fc626a82d2496b057fd60cfa2cd97882cf054acf7726dae68af7

SHA512
cb05690fa2a1fc0301e82bb49395920e8e3b26c1ad08d5c12120d553daa2bfe5518169f7fbb037648ed4b0f1da9c0d86449bc1b37209330d24a10dc273452225

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
0fe1317c35627f61c2f305cd8f3039c1

SHA1
f042e0283b1d727b60f667a0a1158332936574d2

SHA256
b85a5e229a5c881465fd20f1b7c362b1b5e22858d855eb8dda07e1855c26e0c3

SHA512
f8fe005a63e91a2a81368c92ab0b57a00ed85bfdd22f954b2d4eb3977c299e31bd59125fc0ccbd246911b0991b724284d81d9428c88a2a589cc54e692a470880

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
96KB

MD5
fffd1569c7712523558c0fb0f0e77788

SHA1
3f9cf5ecb76de1b6b993c7f4c297357eb9881bc0

SHA256
58a405a54aaab9789c5d364bad01693b78f90ad044ec60b19912358eba9bec8f

SHA512
dfb219be5b81cf1cdeb356d2d410a1992ca4ad99c200dadb5359be47a8dd12c3e181bdf4c9caecc8be0b6313cee11198e37d9ef503c8f5fc33bf63a91af8e664

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
f6c8722645fd0628afaac10c1c41f811

SHA1
bc315d32ada9dee6558b3420c23be26da498c62d

SHA256
61d1d3693fa6fcb8edf11ad0951116d309eda2b98bcc7be6544d4012e7f7b146

SHA512
58f232567aa4c981cca5d63a663e93f350db08241131640c78d639d38dd5818095599782307833ad0e805ff977c8568bddb8efe8518ff86ec8615b8c14d10129

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
394b1b5613497f0bf0ebb613f1adefe0

SHA1
07161f8a24f64b836edac837656d903a2a7c35c0

SHA256
6ccb8ec105ec8c8526530a58f778198f033db6749be1de27ed59a6d449c419e3

SHA512
67d2da79d79d11e684d73fe35c8c667dcb0a9bcbc67054fa7944365de532fa9e7123f1923920f08f16f7e98c4baaf7bae10ef72f612ac123d1db804fe1bc0324

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
52172743b6d07fdcc49ed33df1b3c1f4

SHA1
24980c56ba1524640377f41682cc4c7272eb6e22

SHA256
8f79235221d0e3b7c12ac27e29fda075e87d070e1b6127f5593eddce9943942d

SHA512
c1ff6a1a8c6b45e5ea446eec6eb1142e88bd3cb072df957d5a7a6b05b4cc715ab49c3b879e069c48b1667b073cba574d8acef16b045f9c0b173346630d22e380

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
cc7df17aead0402f569da5414a493c98

SHA1
e36f5e2942dc099c592a42f3c276fe77fe9dc432

SHA256
1662d69b03bf25e255ee97b0f6ffd26a9fdb654b5cf3d2c280976233711ce47c

SHA512
9d4333cf66e35cd9ee8af2ae47e581e0c5f33712e41398445a3752681952389e234f6197a0517266a9cc1653bd26b0208c3cf88fd1faf8cea70bd76a53062851

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
92ebf4bf36104c8ebe8c9e90e98e81db

SHA1
acca635fd7e5ca852bce32712f93da63bc6a631f

SHA256
09e397fe51b320d104f42fa232673089b5cbf65b2e582ce281434e47b71e2720

SHA512
f3d85408d49d9fb724dada1b8357d26bce8d9e5858b4b88feb381dba82223ff872914adba984acf1a44c9e1d62124874997be35cb5a268a2c0354cc65cb2982a

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
08aa61fcfba9a2fb49e62d7a7253c96b

SHA1
ae64fcc97b31d9b54d050bdc2276448b022f4137

SHA256
bc1e8eb8ce064148c56c595f2b2b2b1f73159aae5ac00338aadacf7322bcdbf7

SHA512
80f64bf594b7ca09cd13a8ca8a3b0598ea2b8e2ed915b1dc689fa243194c6a19937ff74fa411aacef3810b6ea73a9b6b851b59e83fd16d84d046ab812c2289af

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
96KB

MD5
dc42f9eb204baa460579894f338940a0

SHA1
ff89d140ef01940f7c8b0268e1513f1c23330d9e

SHA256
4cd1e28df11b89c94ee68dcaf7a47e12d7e371e550d05bb3b92f867b81623fee

SHA512
cc20fbb2fc83dcf5e5a458e39ae94ec4ac106689accd7e14df84add13a2372b9ee5a839164cfa6247fcbc4a889b97512a97d53cf3ef4471792693a4d82da4100

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
96KB

MD5
e68b6bea8a755c0f26a06126a2b96499

SHA1
af391d70714931c34235da5108eee3b27a01b91d

SHA256
eb6283dd01d1e10df4c3cc451c2a16e4b0acb4464cf3ec9c6fc50323c89946f9

SHA512
0c87376b5755465a54f424213174180cb4cdd9bce907b7855116844ff8877ecc40c176ad39b74951abad92025b9688e2a140154318ffe2bb8079a333f17bf04a

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
5f63e353ab61ab94e54f80873caf62fc

SHA1
77e357b979ecf6ec56549547ff01bd9c2ba5d757

SHA256
cfd8e4115ae40ec519a774aefe103b8c5f37542f0876ea1870352f57bd61000b

SHA512
de9b640e7e931bfee5d8a1038f453d5bdbd90e09f1446160c9b746371ff81dca72eecd247441467b881ee5525460183df41bb3a711fe3cb31e018a838c8c0ad4

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
4a57a2c56e1e492669effab675d41535

SHA1
8f0a9d3189e9e3dc070117ca0e679b56e91e3434

SHA256
ef3728fa0f3e90360b128b8320c9c895d48aca9071ff838148d9883f008f4663

SHA512
8fc3cc3c90b2bebaeafb01958031b6e6ab329d034c5283d8ca35656ddc6947dad14480dbd3f41eca0e35d314139ff4578d30aadfa31dc8c6ce6c80d93a18c22d

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
6268446f8bbe0cd33edc3e10919e53c5

SHA1
74b0762e1f2672f8f542596f10258daece5c86bf

SHA256
8ab8d67d056b522afdbbcc903e6f1a7391dae093df8045ba38f5443b61e97751

SHA512
f9d57d4f37960d3d14ddc83ccca6e28724cf8fd4c1fb5c84b41e67cb58671b939bb56ec7fc3a2e078a952dd26815e750c30d969c5597f84dd1485c4b7cda5b17

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
2844f1bad771c8238a4b106965b1adf1

SHA1
b75fa69cf75bb979f7d627f98814d1cfa10e9587

SHA256
8826ac78bf37c25409f6e5b9e0552119220d472ce3fa44bc693932da339409e2

SHA512
d20a64a4cb8613313b5280caf354aa10b6a59e276380957ed087249cf8b1959b92952e3b43a95d93ab32073ed05d699b582c4616a0895591bea57c867397f30f

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
96KB

MD5
f075db10474432a8b946ecb586172570

SHA1
f37ba0dfef7ddd48507ff4129137711f05458729

SHA256
2bce1330840f7100bbc42705ea739838fd124c6c2fad7df49555e0b92f1accc3

SHA512
3c37bb1235d4022d433f56accede08aefe2814b169abd41d1fb7efd9898637908704273860c2a9e7597c1b633098ed8d15b90e10b3f96436af3cb547b3351b45

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
d7ceb64fb10ae2fc43d391653e895e06

SHA1
4da5cd73769208fd53cc89b25c36852495e6144e

SHA256
5b8f57fffee367ab63e24cead3188ef4675a9181a4eaba8322b0e71afba4ced2

SHA512
4489707d6f30730b72a06a0e3596a7bcac433f4b46dc027a7afda2bd12228b9974cfd17a9bd3bdf28cea344dd0ccf55a4ac5743f33ce3f962ac1acd1d6a20dda

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
1d9b93cdda6cf49500d9c084e8a63391

SHA1
3302f7d659eadd0ef19e043b7c3e93ed7ddf26e5

SHA256
9753a5fa6112d03f92421e61cb9e8bd75a8e0116d06da7077ad16bbd6b60ea77

SHA512
bf5851fba207a4a1e95de3e4deac1992b46d267c9f6dacc613d037a1dc4fcc0d902bf1de5a5e3fc04cde490fd0a999088f9274816c89b72318de0875b858da80

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
54be03c96453032fb8daa8d6939214d3

SHA1
dcaa2cfe0ea8e7af6f074e13d47d866e3e1d2937

SHA256
3cd07b12f69c20791f6ce245d49a00bdce5b16011a7dc690a37d992aa7c7a113

SHA512
e02185e2c6f436bb2bfc57ef658a10bf5c04283c0730560fbc7399b207e4438853ff7f822139ee72c3e805aa8b36b345950898e3f7a3c30e6c9c10e5f6a5bd14

Download Submit
memory/320-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1464-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads