berbew | b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8ca

Resubmissions

08-12-2024 00:13

241208-ah84ksxkdm 10

08-12-2024 00:11

241208-agqkvaxjfq 10

Analysis

max time kernel
6s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe
Size

64KB
MD5

628b763b264e558198148e83b1f85b50
SHA1

84a7f6e725f543fee7ab81f8e841c322c1e32165
SHA256

b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8ca
SHA512

e9a641e40b75bbdb64d006b24b1e80c2d615a1c19b1db622e8935127bc619f8b8587f911b7da8f48c13cf038e291e8782e9595ae3c1c63d467842dcb173813a0
SSDEEP

768:21Awbb8izJcCoJifCwQzVOMgrIv5bjpjq5EXCMECmjHnSMZB/1H52Xdnhgl72KNZ:21+ioJUAMgPM5ENEHHnSGegNtn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 42 IoCs

pid	Process
2260	Agoabn32.exe
3420	Bjmnoi32.exe
4048	Bmkjkd32.exe
4120	Bganhm32.exe
2472	Bfdodjhm.exe
4496	Beeoaapl.exe
1924	Bgcknmop.exe
2140	Bmpcfdmg.exe
3348	Beglgani.exe
2448	Bgehcmmm.exe
2416	Bjddphlq.exe
1676	Banllbdn.exe
2588	Bhhdil32.exe
3396	Bjfaeh32.exe
1788	Bmemac32.exe
1260	Bcoenmao.exe
1980	Cfmajipb.exe
640	Cmgjgcgo.exe
1504	Chmndlge.exe
2188	Cnffqf32.exe
216	Cmiflbel.exe
436	Cdcoim32.exe
4956	Cjmgfgdf.exe
3548	Cmlcbbcj.exe
4616	Ceckcp32.exe
4836	Chagok32.exe
1900	Cnkplejl.exe
1032	Cdhhdlid.exe
3724	Cffdpghg.exe
4136	Cmqmma32.exe
3328	Dfiafg32.exe
3572	Dopigd32.exe
3664	Dejacond.exe
4320	Dmefhako.exe
224	Delnin32.exe
2220	Dfnjafap.exe
1496	Daconoae.exe
3984	Dfpgffpm.exe
2124	Dogogcpo.exe
3312	Dmjocp32.exe
1488	Dhocqigp.exe
1368	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
556	1368	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2260	4480	b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe	83
PID 4480 wrote to memory of 2260	4480	b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe	83
PID 4480 wrote to memory of 2260	4480	b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe	83
PID 2260 wrote to memory of 3420	2260	Agoabn32.exe	84
PID 2260 wrote to memory of 3420	2260	Agoabn32.exe	84
PID 2260 wrote to memory of 3420	2260	Agoabn32.exe	84
PID 3420 wrote to memory of 4048	3420	Bjmnoi32.exe	85
PID 3420 wrote to memory of 4048	3420	Bjmnoi32.exe	85
PID 3420 wrote to memory of 4048	3420	Bjmnoi32.exe	85
PID 4048 wrote to memory of 4120	4048	Bmkjkd32.exe	86
PID 4048 wrote to memory of 4120	4048	Bmkjkd32.exe	86
PID 4048 wrote to memory of 4120	4048	Bmkjkd32.exe	86
PID 4120 wrote to memory of 2472	4120	Bganhm32.exe	87
PID 4120 wrote to memory of 2472	4120	Bganhm32.exe	87
PID 4120 wrote to memory of 2472	4120	Bganhm32.exe	87
PID 2472 wrote to memory of 4496	2472	Bfdodjhm.exe	88
PID 2472 wrote to memory of 4496	2472	Bfdodjhm.exe	88
PID 2472 wrote to memory of 4496	2472	Bfdodjhm.exe	88
PID 4496 wrote to memory of 1924	4496	Beeoaapl.exe	89
PID 4496 wrote to memory of 1924	4496	Beeoaapl.exe	89
PID 4496 wrote to memory of 1924	4496	Beeoaapl.exe	89
PID 1924 wrote to memory of 2140	1924	Bgcknmop.exe	90
PID 1924 wrote to memory of 2140	1924	Bgcknmop.exe	90
PID 1924 wrote to memory of 2140	1924	Bgcknmop.exe	90
PID 2140 wrote to memory of 3348	2140	Bmpcfdmg.exe	91
PID 2140 wrote to memory of 3348	2140	Bmpcfdmg.exe	91
PID 2140 wrote to memory of 3348	2140	Bmpcfdmg.exe	91
PID 3348 wrote to memory of 2448	3348	Beglgani.exe	92
PID 3348 wrote to memory of 2448	3348	Beglgani.exe	92
PID 3348 wrote to memory of 2448	3348	Beglgani.exe	92
PID 2448 wrote to memory of 2416	2448	Bgehcmmm.exe	93
PID 2448 wrote to memory of 2416	2448	Bgehcmmm.exe	93
PID 2448 wrote to memory of 2416	2448	Bgehcmmm.exe	93
PID 2416 wrote to memory of 1676	2416	Bjddphlq.exe	94
PID 2416 wrote to memory of 1676	2416	Bjddphlq.exe	94
PID 2416 wrote to memory of 1676	2416	Bjddphlq.exe	94
PID 1676 wrote to memory of 2588	1676	Banllbdn.exe	95
PID 1676 wrote to memory of 2588	1676	Banllbdn.exe	95
PID 1676 wrote to memory of 2588	1676	Banllbdn.exe	95
PID 2588 wrote to memory of 3396	2588	Bhhdil32.exe	96
PID 2588 wrote to memory of 3396	2588	Bhhdil32.exe	96
PID 2588 wrote to memory of 3396	2588	Bhhdil32.exe	96
PID 3396 wrote to memory of 1788	3396	Bjfaeh32.exe	97
PID 3396 wrote to memory of 1788	3396	Bjfaeh32.exe	97
PID 3396 wrote to memory of 1788	3396	Bjfaeh32.exe	97
PID 1788 wrote to memory of 1260	1788	Bmemac32.exe	98
PID 1788 wrote to memory of 1260	1788	Bmemac32.exe	98
PID 1788 wrote to memory of 1260	1788	Bmemac32.exe	98
PID 1260 wrote to memory of 1980	1260	Bcoenmao.exe	99
PID 1260 wrote to memory of 1980	1260	Bcoenmao.exe	99
PID 1260 wrote to memory of 1980	1260	Bcoenmao.exe	99
PID 1980 wrote to memory of 640	1980	Cfmajipb.exe	100
PID 1980 wrote to memory of 640	1980	Cfmajipb.exe	100
PID 1980 wrote to memory of 640	1980	Cfmajipb.exe	100
PID 640 wrote to memory of 1504	640	Cmgjgcgo.exe	101
PID 640 wrote to memory of 1504	640	Cmgjgcgo.exe	101
PID 640 wrote to memory of 1504	640	Cmgjgcgo.exe	101
PID 1504 wrote to memory of 2188	1504	Chmndlge.exe	102
PID 1504 wrote to memory of 2188	1504	Chmndlge.exe	102
PID 1504 wrote to memory of 2188	1504	Chmndlge.exe	102
PID 2188 wrote to memory of 216	2188	Cnffqf32.exe	103
PID 2188 wrote to memory of 216	2188	Cnffqf32.exe	103
PID 2188 wrote to memory of 216	2188	Cnffqf32.exe	103
PID 216 wrote to memory of 436	216	Cmiflbel.exe	104

C:\Users\Admin\AppData\Local\Temp\b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe
"C:\Users\Admin\AppData\Local\Temp\b7de30d03543faecae7587fd61538ee183ea71c46a43283a805244f5f04ef8caN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\Agoabn32.exe
  C:\Windows\system32\Agoabn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\Bjmnoi32.exe
    C:\Windows\system32\Bjmnoi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\Bmkjkd32.exe
      C:\Windows\system32\Bmkjkd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
      - C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 392
        44⤵
        Program crash
        
        PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1368 -ip 1368
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
64KB

MD5
587a02d88feb4ccea9dcfe762fccb86f

SHA1
52f76aa6e8de3d3fe1b72d36e92d2c63be72b200

SHA256
92dbb8a1090cf58472ca082738e9d23bf9c68c4a08de0005ee53ac8019cf6434

SHA512
ee945757d51eb2e0f1cc468b76554ca4e868328a2ee5816d5545a022dbd48fc99b506ec2bb789ddbf1dd7f984816a95205fa453dbbc4ac4a115a73867b22cb23

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
64KB

MD5
cbe951e422031710ff470ea83609d0c5

SHA1
f656c315ce5b7209da9a1424019d5f24e01de29b

SHA256
70c96df40dc009b7cf6970f2f4f88dc1b7d0e711b7c098c546d833079c16df5d

SHA512
caa8e37c38577c095e824f565437995dfb2a570c9512fd5073666fbbb7f413014cb97e714f1741f935c8dbab968e2caf1da779c23001e06ea982a4932d2bfc1d

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
3dcb002043c19adb96ebb860a4681669

SHA1
41b77ffbbebf420ddeece4c647e67f6589a9dc87

SHA256
37ccc70a195fec3bd1e6c4e2a3559dffc0917c655e555adab01978fa5008d6cb

SHA512
b5546930bf57a8a3776b6410cfc53640e3e19a9a3dbbca0ea12684da14f13b1e0c5cbb3f2d28905aa8bbb3c882dd486f33dce65a6cab50b26d6e8d80beb6547b

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
64KB

MD5
5020b7690330c76758cac7f9459db3f3

SHA1
cd9d3f194789b8b0e9dc37fdf2149c091f1cc65f

SHA256
1a66d2769d5bcc6321616b645702436e19a8817b946995d645f9fb7ddc87aa45

SHA512
551f4992a0894bbc9587d1536cb9b22ac7f5cff4aa9d5419b81c4538e306596fdb933820f307cc197981478baaab810ef0d3e2db339e9a0db9a8825030fdba64

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
64KB

MD5
0fe44c54b3287f88141dd4940efe6d26

SHA1
8d1f0ba92ea02659ff7f86f40dda9434aa9a6a4b

SHA256
bc26782e583e3adb00519f634fea0ffa272b2f6942ab46db6923813f5df35e71

SHA512
1cbd72acfa8807ee5b60642003d28d9742badd26a113d8a4cb13f6e8795da1d74a93736b31e46027d109de0b3ff781bffd563ae44de4900a357514a34d417bfa

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
64KB

MD5
579dcd6cd44c8d35171762789639eb2b

SHA1
5220b44ba150236f3586158d826054e883376e9c

SHA256
f4d8380d5c8b38b53cdb67029b8fb04345445a951823f7155c1861cc99d23119

SHA512
7af50c50e3a078931ae497bf795c47a6a2cbf5b7a879225cdf1385dcd00949ce9c9dec9b54ae65d58d767ea1676059615480e1a4c4c5822b18d586ad67f77cb1

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
64KB

MD5
ebb49a0de8bbd6a42d62229b8b99d5cc

SHA1
641082e79e14d3779d9d879167f67e19e6d5498a

SHA256
8b727fc0da1a80d571bdcbe2e394775bb7b83ff925148437305541c290682320

SHA512
20c7943d4f3c987ecf044ab3d135fe03c9805a52551782d181ec58876ac8a78859fadffb97e47faf602c00890ece00fcf188445c74586f25cba0eb68ab16a206

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
64KB

MD5
92f84023e2e49c3e7ca27fed1225045b

SHA1
71f2461d78b84bcb8330afd91e2be304620f1250

SHA256
84f74de9a2863dd4c890faaa6f40db95acb14338cc8af7999fa208b6abb3f0d2

SHA512
7b95be3a312d5e10bc3c11884df2a84a6c1506bdd263826f9359c9070c116b6f491588523a2f769fc15eeb34a16bd7fa4129357dfb9632cd56e30a87d90cbbd9

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
64KB

MD5
269d992fd99c8689d92c1a3640767622

SHA1
40e64dab5e33f437b9dc41e5628f5cd451b75494

SHA256
b7f4b21a50b629cf24fb23c865a8dfeca4314734df88848d574babcadbb91ca9

SHA512
77ebaa6656b0f586847e0eb024a5826152e65f853db8a14c8c675cb967c89443490fa9560c2abff04db16cba4bfbc812fc13753e7f7050795399a3b0bcb15c5a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
64KB

MD5
ef965462b98d957ed84ba43422b5eef8

SHA1
817d246696432e448745e2240a81f2596d8f49ab

SHA256
a4b59a3aff14e3d1bf7bd9212bfd85d6322292c3b3a842dd216b752847896455

SHA512
e1014a24273c31f12e03b6e3d977772c009d9c0cd3cd73b459be0fe5f727abe75ea925daf789f1a1156f2914b65b505670a9b701b7643fef97bd324c58142698

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
64KB

MD5
853df6a195b5beb6b4868b1f3c6fa411

SHA1
840f0760f1f544b23c6af933e6936771ab8ffaf0

SHA256
8482e797c35008ae097e400e832b1175ff9e46a68208844e6923271622d8b5cd

SHA512
35a4fef0fcc73814ad8899e5bdbace34ef507983eb78d40afa586fd29630c2d28c7a1baf54aef68d158c7f64882d5443f88eed1187c27ee12a0e8ef3844b833c

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
585979cc28ac07391b00e6c905b91087

SHA1
d6ff3824c1d4ad1d11691cbbb03f8334a475d52d

SHA256
48131affc23127a0180b5600f5506afeb700fa8f5f9bca3cb85ad866d54c89de

SHA512
db430cd3a3b59e67d98f879e73057268011db68b726e778887d5489870868b658de801c737e3dde31d76032f8dd28a82e2a53faf72af49f5754c509e0e8de72e

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
64KB

MD5
f137d9bbb6a688bbf241aa835e69448c

SHA1
f457002fa02297776cb8312b1a070f511de01d0c

SHA256
4feb98758cabc5f93b25e7b7bb6010d49bfe5a73f67fea2727c6c3097917a0ed

SHA512
6a8dd9536370b3314149acdf3c548cde86705adf9aa9cd71caf80a0d8b18efba859d74fd43533ced2e6e2f958218c0a9218ec03b0248b65d0163d6760d6802cb

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
64KB

MD5
98658ab85bccd8b8c0c0684c858f5859

SHA1
90cf3a7718930961291aecb7feb576278329886b

SHA256
07a0aaaf2e6d1641355dbfdeb5964611d963239a59bb50907e361c3899a878f3

SHA512
039415fceeabc8f227bf22c2fe96983a6c4b2c174dab9ac059cfe6d16057461b9f9aaf880bfe194b9b3ecb15caa7cbb068e776ac6948d789cca81f2c8ed61cde

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
64KB

MD5
42b847c803caf25992031c3700883a30

SHA1
9c7ed3e86dfb983be98d229e01cb71689737f863

SHA256
e4c57d343fc81e665cd02e48d5afcc350850f17848a9d2333e2c4761e7aabc6e

SHA512
6c2652d7f63c7eefb9edb0890ff5b6bcae8ee3c76f74ef5177eb763a89886af4c1aafc409fb386c943c8b838c61cc155daa3ba7914a19b9021538dfd29ceb858

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
64KB

MD5
3475a53ff5b3043c3fa5172019ad4fc4

SHA1
76bc26e08bbda934bc8248fd75eb5b9650471262

SHA256
7ed8de4005ff990b18c66d7e15bbbc5194e46e36c890bc61ac68f8379b915f51

SHA512
3dbb42fdd5bfbf6d69272cd6610282c2ecc47b82e9c1a5a56a9d0ffab9d7c12eaf5768fecba1b737b7d1a0c0790a6dc23adfe02f017b5fab35db642d6b286a4b

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
87971b72e7903188172771a64bd46777

SHA1
f1f7267fd5b132e324873d0e93d51f390143253f

SHA256
fd1826a3977e127a77de28edfbc41cf841eea6461d9f0e1058c9f60db2ba8952

SHA512
df370e8b475cef6cdcb9cb9fefec68e030ecab798ddb077c960a4c16f5c14d97eaf7279e31a4198608ea24b0788a4e42700f971bc5379ceabf83a30e76102ab0

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
501fdf128809614145abcfc2bc7237cb

SHA1
45d2e2563f3ad9e24174646985f9115f1c057f8b

SHA256
0c767b4eedc677dbfec28f1a6f7e2cde5aa69658d8e46dbe3d4c31b7b0cc7a52

SHA512
871a9891a7f3fde07b3df8d083b57352da68a79eba02c377d404af45545fa7e2036d0a841f4b84cca8e0d8b5579f194f95b65b909f0eb6ea646c451d2cbf7f61

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
64KB

MD5
964aedc0fd1bcb0350997457c72c013a

SHA1
d75fd9c42f7a9c3c8cced83d9a3ba74eb8f5f7f8

SHA256
0c7ec5687892c71e40bfc5c6d6ee4cab8213cc44e576f6558eecd125857c593f

SHA512
d949811c4e4832c534f065111e25dda098fefef95e18656195e440e907eaa26904574ecff62b920ea3b7a9ee0c943003db5dcb2a6aa7ab66ceed035b93fe3623

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
eb6d74a241f7663968b9b4e72f37b824

SHA1
c1c25a1978bb36fb5715bb4f3f27ad2948377274

SHA256
0e370640900b9308f320da795de8e00eb747188219ee348451da9bbf93efa4f2

SHA512
91d316d35dc368315691aebcae6e03de26b38baee49d159e567bec08e7d8a4fbefe3a5100bd18b2d7eea80ad75fa2a309472cee436369b4516914bd0017ffae8

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
191fd053af76da9f720bbf6f8460211e

SHA1
66eb6208cb79722b602b7f6cb0451b76f49b6008

SHA256
f28c9dd9505a79ed442fb5d714f943657d78db4c85a7ca0f28d3c89754696533

SHA512
02876db8ab9fbbe033ceb142cfacb92e93d2028e65570ee80d7eb52b3ea6bb91124c6dc839479e0a5309f9650859d4df317511645bf75d3a50bd14c9fb3a23f3

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
64KB

MD5
5c8542dd90ab4de9f36dacab475d2138

SHA1
30ffdb772f25aae9cd4c7e8bc4a80b81677d61c6

SHA256
162bd33a789a63ff7a11069ce2275312ec1284e581ecd64c49a26a4829c0f48a

SHA512
a62ad2593af4c88058dff592e7d7d033776ed4b5d9f9204ef3a72ec96fd64b2718ea356297caceaa3699a88d81e443434900dc657c12cb89570a5310543c3134

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
29f2d6f2c5640c9e8aa2043c4f1d2409

SHA1
dba39ab25c0c23de56a74e2e2d8717f87cf36c33

SHA256
e1ca886d1f7b75cdb36319ca1836e532eb9f77a07512e0b3d949849e7af38164

SHA512
9f2865c15c1735aa8e96f980e92130851c0c286408d0ae70e582a3e11450b831e7ab5f15730573fe284dcf2cc9af560e4fcb3f31b053286d2c69adb6e55ba6f6

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
ae7afccfe46bbef5afbbb3b5c521975d

SHA1
40ee7e8a7aa3d9dd39795679f229f2fb3fe431b4

SHA256
25fa7b230f2e78f30a22f655c84405990632bd788f6d110fe74ed2e47c9680ae

SHA512
12f3a18448438dae83a412cb15cb07306fcad5d31fbceb124378255d3409232e169ff227c81a6862365a02ee86c9016bb7b72acf1de9da07360a241ffa901bb0

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
8d8324a03b6ed90bb703d14e7d8241b0

SHA1
5e9832e530e56271799d3d42146f9eb3ad6468aa

SHA256
e941aaaa1635269ad18fff52dc384f799afdf0bd873a0c59cb824b9b545fe91c

SHA512
0cf202eca8769d704f2a1cfd80cff50f0960e9631a7f68606bcba4095f483a950f9b09ceeed25b51faee669c2093b8038e9442cab54d522f2dc35d33b4512a50

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
64KB

MD5
66643fde4073f3b597c1028cf6aa9dc8

SHA1
c0f014a68deea005ca597351176ab83c29176f4d

SHA256
b306697c915f7b83c8f63cadb594aa5710d2bec2f3e2eac3babf75c13123d0e3

SHA512
914ece957a947c7e9cab2ece9da2da548a8a32becbaa1bf565214b1761af6c7138351fcc10f28614014c5cbf7df23f8efabaf7027921d577d94e60f5d0af7361

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
d782074e1f35ad1daf10c8b137605bd3

SHA1
a23c4864d56ae09d1eb8ad65b2ade47cd4cb7e11

SHA256
ae169778d357e30c48ee6f3dfc6c84e275a58c9a66de98c64c0bfda3e55e9e64

SHA512
853d0396f1adc8e693640a3fe997a27153e044256a3dddb88021e15cd0a15da872733b236ed9ac55b9bfff494cc7a6ceef38bb741d3cb5761662c10d0e9d48cd

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
98a871dd3ac95a92b1b057a383b3dd65

SHA1
033b80d0b788f3f796c0d3d936567dd674e60a8b

SHA256
1e782ee5e21ff53266b4098894a44e06a953b574d2fa24499a6616bb0de2f1b0

SHA512
5e6f7588f08e12680cc971a22cdfee6d1262a6973aa5f53d49c98c4cb373622e8c5757181d63f8d3f851878b34b0e45eebaab62c2f6bb334a914ec5c5e64970a

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
88eacdb02b627c590fe0939df9d71308

SHA1
6b1649b1707b5713f043d1766495e261c333b028

SHA256
b66c6886088e03406e11be0002add913037410a1ef46b61a71ec7a9caa07801c

SHA512
2ccbade35f95d8d27ae23df37bb4c7ae05dfadcbec03e4fa2ad91756230a3627f4cb630b6f39dc4fea724022e3a357d4c6e81932c9f8333ea7b26a18917da715

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
4eaeb71049cf580d60708857248ea0dc

SHA1
904a580da6aff75b101251c77c0ea1769cfa9c8b

SHA256
5b595ed772bc0df320d90930fec3c197b351e23d09e3d8b6003d110508017f1c

SHA512
a12d13c91f9666fd9a03a2e7ab731a7284b9250229f113f49b713ac4b0897144f8aaef4ebcbe684d862a10635b03d8613b4e22f7112b69151875b369c091b9bf

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
655b6009f19d9b7ef403032c8000d4c6

SHA1
f55bb4acdb7882932c15255d883e8d81a144b334

SHA256
c35a2243aa1dccf38f2da48c93805e87ee4a8276954c7216b3c1b7e8d984853f

SHA512
74b00fd33b2974a6a9f168d3acca0bf8f68ddef3762d831e15f4a62b5ecfbe613240b80bc3dbaa0a592490a6a066280336cf9ccaa713171d5f0d20a3741a83bb

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
03310e6ef0cc356c789ade7b5af2ba01

SHA1
0848e64d120855ddb26eecd57e06a0bdc253f7fb

SHA256
3f7495e3e358f66887b70b0b2f9adce205e77c41974dfab23f40d307af25d284

SHA512
32a441698674c46faff44fae8ff2081f954dfa2b6b677266909d4b1ecfa66204a26416013fe1afc60888b03838533714b46c7c3437f00bd371b70e944c6e13ab

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
04793996571dfc42646b6d5c83884147

SHA1
87ee61bdd32ff8007e90ce3488a1291e76dd5997

SHA256
57cee75be8235fb6afe0473cfa3c643d36ce75379e8a2a426ff02bdb300d4af8

SHA512
5c509b126a6cf3fb630be589a6d220b5c6d0e0eeb42c3abd96b2e7e76a62ce030f9dc4008103a84c3a25278fdb6e59e8edbe2e70a0200631f0c2fd2fcbf034fe

Download Submit
memory/216-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4496-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads