berbew | 7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425a

Analysis

max time kernel
74s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
Size

74KB
MD5

8cfdd08f3979d5d690f387121a1aeb40
SHA1

4a1326a4ccd4c69b668acfd98af86efdfadfde0b
SHA256

7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425a
SHA512

9ac82ff76a0193368584fc24d960e17216634365054c6e59cbd557ac67f7d0b75b937ab7c8514ffb09f3fdc50cf647bcdbc4c007dfbaf6ae47a9a83dcadab23f
SSDEEP

1536:LDekL5ErGjlA7K87ilZ3TpP/6f+aDIMhgoiVkIow:LDePGSK9zMKoiBow

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 30 IoCs

pid	Process
2332	Bjmeiq32.exe
2512	Bmlael32.exe
2664	Bqgmfkhg.exe
2856	Bfdenafn.exe
2880	Bqijljfd.exe
2584	Boljgg32.exe
2572	Bffbdadk.exe
3040	Bieopm32.exe
600	Boogmgkl.exe
2328	Bbmcibjp.exe
2764	Bigkel32.exe
1144	Bkegah32.exe
536	Cfkloq32.exe
2452	Cenljmgq.exe
2208	Cocphf32.exe
1448	Cbblda32.exe
688	Cileqlmg.exe
1748	Ckjamgmk.exe
912	Cnimiblo.exe
2984	Cagienkb.exe
1012	Cgaaah32.exe
2260	Ckmnbg32.exe
2116	Cbffoabe.exe
1596	Cchbgi32.exe
1604	Clojhf32.exe
2248	Cnmfdb32.exe
2668	Calcpm32.exe
2684	Cgfkmgnj.exe
2916	Danpemej.exe
2564	Dpapaj32.exe

Loads dropped DLL 63 IoCs

pid	Process
1944	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
1944	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
2332	Bjmeiq32.exe
2332	Bjmeiq32.exe
2512	Bmlael32.exe
2512	Bmlael32.exe
2664	Bqgmfkhg.exe
2664	Bqgmfkhg.exe
2856	Bfdenafn.exe
2856	Bfdenafn.exe
2880	Bqijljfd.exe
2880	Bqijljfd.exe
2584	Boljgg32.exe
2584	Boljgg32.exe
2572	Bffbdadk.exe
2572	Bffbdadk.exe
3040	Bieopm32.exe
3040	Bieopm32.exe
600	Boogmgkl.exe
600	Boogmgkl.exe
2328	Bbmcibjp.exe
2328	Bbmcibjp.exe
2764	Bigkel32.exe
2764	Bigkel32.exe
1144	Bkegah32.exe
1144	Bkegah32.exe
536	Cfkloq32.exe
536	Cfkloq32.exe
2452	Cenljmgq.exe
2452	Cenljmgq.exe
2208	Cocphf32.exe
2208	Cocphf32.exe
1448	Cbblda32.exe
1448	Cbblda32.exe
688	Cileqlmg.exe
688	Cileqlmg.exe
1748	Ckjamgmk.exe
1748	Ckjamgmk.exe
912	Cnimiblo.exe
912	Cnimiblo.exe
2984	Cagienkb.exe
2984	Cagienkb.exe
1012	Cgaaah32.exe
1012	Cgaaah32.exe
2260	Ckmnbg32.exe
2260	Ckmnbg32.exe
2116	Cbffoabe.exe
2116	Cbffoabe.exe
1596	Cchbgi32.exe
1596	Cchbgi32.exe
1604	Clojhf32.exe
1604	Clojhf32.exe
2248	Cnmfdb32.exe
2248	Cnmfdb32.exe
2668	Calcpm32.exe
2668	Calcpm32.exe
2684	Cgfkmgnj.exe
2684	Cgfkmgnj.exe
2916	Danpemej.exe
2916	Danpemej.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	2564	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2332	1944	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe	31
PID 1944 wrote to memory of 2332	1944	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe	31
PID 1944 wrote to memory of 2332	1944	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe	31
PID 1944 wrote to memory of 2332	1944	7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe	31
PID 2332 wrote to memory of 2512	2332	Bjmeiq32.exe	32
PID 2332 wrote to memory of 2512	2332	Bjmeiq32.exe	32
PID 2332 wrote to memory of 2512	2332	Bjmeiq32.exe	32
PID 2332 wrote to memory of 2512	2332	Bjmeiq32.exe	32
PID 2512 wrote to memory of 2664	2512	Bmlael32.exe	33
PID 2512 wrote to memory of 2664	2512	Bmlael32.exe	33
PID 2512 wrote to memory of 2664	2512	Bmlael32.exe	33
PID 2512 wrote to memory of 2664	2512	Bmlael32.exe	33
PID 2664 wrote to memory of 2856	2664	Bqgmfkhg.exe	34
PID 2664 wrote to memory of 2856	2664	Bqgmfkhg.exe	34
PID 2664 wrote to memory of 2856	2664	Bqgmfkhg.exe	34
PID 2664 wrote to memory of 2856	2664	Bqgmfkhg.exe	34
PID 2856 wrote to memory of 2880	2856	Bfdenafn.exe	35
PID 2856 wrote to memory of 2880	2856	Bfdenafn.exe	35
PID 2856 wrote to memory of 2880	2856	Bfdenafn.exe	35
PID 2856 wrote to memory of 2880	2856	Bfdenafn.exe	35
PID 2880 wrote to memory of 2584	2880	Bqijljfd.exe	36
PID 2880 wrote to memory of 2584	2880	Bqijljfd.exe	36
PID 2880 wrote to memory of 2584	2880	Bqijljfd.exe	36
PID 2880 wrote to memory of 2584	2880	Bqijljfd.exe	36
PID 2584 wrote to memory of 2572	2584	Boljgg32.exe	37
PID 2584 wrote to memory of 2572	2584	Boljgg32.exe	37
PID 2584 wrote to memory of 2572	2584	Boljgg32.exe	37
PID 2584 wrote to memory of 2572	2584	Boljgg32.exe	37
PID 2572 wrote to memory of 3040	2572	Bffbdadk.exe	38
PID 2572 wrote to memory of 3040	2572	Bffbdadk.exe	38
PID 2572 wrote to memory of 3040	2572	Bffbdadk.exe	38
PID 2572 wrote to memory of 3040	2572	Bffbdadk.exe	38
PID 3040 wrote to memory of 600	3040	Bieopm32.exe	39
PID 3040 wrote to memory of 600	3040	Bieopm32.exe	39
PID 3040 wrote to memory of 600	3040	Bieopm32.exe	39
PID 3040 wrote to memory of 600	3040	Bieopm32.exe	39
PID 600 wrote to memory of 2328	600	Boogmgkl.exe	40
PID 600 wrote to memory of 2328	600	Boogmgkl.exe	40
PID 600 wrote to memory of 2328	600	Boogmgkl.exe	40
PID 600 wrote to memory of 2328	600	Boogmgkl.exe	40
PID 2328 wrote to memory of 2764	2328	Bbmcibjp.exe	41
PID 2328 wrote to memory of 2764	2328	Bbmcibjp.exe	41
PID 2328 wrote to memory of 2764	2328	Bbmcibjp.exe	41
PID 2328 wrote to memory of 2764	2328	Bbmcibjp.exe	41
PID 2764 wrote to memory of 1144	2764	Bigkel32.exe	42
PID 2764 wrote to memory of 1144	2764	Bigkel32.exe	42
PID 2764 wrote to memory of 1144	2764	Bigkel32.exe	42
PID 2764 wrote to memory of 1144	2764	Bigkel32.exe	42
PID 1144 wrote to memory of 536	1144	Bkegah32.exe	43
PID 1144 wrote to memory of 536	1144	Bkegah32.exe	43
PID 1144 wrote to memory of 536	1144	Bkegah32.exe	43
PID 1144 wrote to memory of 536	1144	Bkegah32.exe	43
PID 536 wrote to memory of 2452	536	Cfkloq32.exe	44
PID 536 wrote to memory of 2452	536	Cfkloq32.exe	44
PID 536 wrote to memory of 2452	536	Cfkloq32.exe	44
PID 536 wrote to memory of 2452	536	Cfkloq32.exe	44
PID 2452 wrote to memory of 2208	2452	Cenljmgq.exe	45
PID 2452 wrote to memory of 2208	2452	Cenljmgq.exe	45
PID 2452 wrote to memory of 2208	2452	Cenljmgq.exe	45
PID 2452 wrote to memory of 2208	2452	Cenljmgq.exe	45
PID 2208 wrote to memory of 1448	2208	Cocphf32.exe	46
PID 2208 wrote to memory of 1448	2208	Cocphf32.exe	46
PID 2208 wrote to memory of 1448	2208	Cocphf32.exe	46
PID 2208 wrote to memory of 1448	2208	Cocphf32.exe	46

C:\Users\Admin\AppData\Local\Temp\7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe
"C:\Users\Admin\AppData\Local\Temp\7a409de7d24b9798338061404ce55937075cdb2755cff325d13cafb62935425aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\Bjmeiq32.exe
  C:\Windows\system32\Bjmeiq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\Bmlael32.exe
    C:\Windows\system32\Bmlael32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\Bqgmfkhg.exe
      C:\Windows\system32\Bqgmfkhg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 144
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
74KB

MD5
dc2099492a1f4640dee0a6e53126899e

SHA1
5751bd6ec9dbc52e4c9a12711917144a960bfb0c

SHA256
c07554494142bc861e0c344e0288d778d09605ca2a875ef8089580b35628dad4

SHA512
55fdc1bdc37693768b28b5de35c827de1e767e11a86e3da6038d87a4828526d03b564235c795c119e1acc13d5b81b5e6c160194fe5eef11e889f897cc3980381

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
74KB

MD5
d57ca356590343cd836be8a0cf4094e5

SHA1
dd88ec7a8976b723f4bb366c5223fa9723395e59

SHA256
d92a8473c383a85a0569c8b1ed1e48cb514358a13f484fc2316ea6a9bd4b7cd4

SHA512
3a25a981d3f825233a7e6a529b441876eeea448083e73c40732bed4862a822a19afef0c81f560f10c29b7ea3f714df85f35243b8e75167327ab16279bb36a62d

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
74KB

MD5
6c2bbb4ce5470d827d3875c24efa7087

SHA1
8c747613aaa10dda6911a69621bac6ddc641cbd8

SHA256
56dde2c533d68be1def4f372079163be9d3455be3df9496c35b272db81738d7a

SHA512
1efbb08baeace6ae20f51d99a7ae6ac3aaba3c2437171a3c6aba51857f43420d5ae96221af446604381232e460a9be7928d73eee3809ef3722251ccee2e928b3

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
74KB

MD5
ba67e4c52ac3a04951fe321422f79501

SHA1
3f2de431cbcbef562229f7cb60921932984c820f

SHA256
9a0fda461e09a46f478980206b562f0e164cfe2a0ef0a09402ab87e6b96541b3

SHA512
c6086b1012f7eae70913f8785f5b9311c6e752f073dd3abb0ed6a488c19694f2f21bf42df565faa95971dd7c94841b19d36c41ff313763e662c126f76484fd5b

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
74KB

MD5
1b526627564a29d31328bff71b0a20e0

SHA1
8b2423a5894639ba0ca02b9d8c8234eb4523ec00

SHA256
30da765f3b8889a6749b91e7d412f5db385f237472eb8ca1b6c306e95bf7b9b6

SHA512
b4e91ea08794d603a19b96ce6f7146ee92f619214c717a14a934ca4dd0d63f04b4173740026bd82123f357526d2fbf187d549464061dd84758a9143b455c0047

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
74KB

MD5
993ae084f983bd1e9a239ef0c252af35

SHA1
13bd472b45dedc49136947ea5faecba19bc90cba

SHA256
fa505ffbdfb709895e80cfaf5d5e1d6f8f9cabaf60412bf0892a8f4ab75fc057

SHA512
d90e88e2140c0e26c359ba7f99ff9421b65883f7be0796c4717f616a7febe2251de73d0800fb3fdcd5df4b637a0681f3c809e798c02504e676c07f1634cd646d

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
74KB

MD5
915f7581bd5a13f6111416315e971384

SHA1
d1790e89d807f049ff1088d90ab775dabc6f8ec7

SHA256
3ccb29dd8d9fa1bd546a88ea75eb93fc0faa28322d82fcc97ede11049215bab7

SHA512
1e74f95cbb3e8f24baa2b5b66f10293182d3412ee666b41488558708484d8fa50938bf8807a7b91859761e51cb7235d4d79adaa8ea825456d1257f272f8f1aaa

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
74KB

MD5
0dd62046ef23c6736bba5c9051346676

SHA1
e338bb7dcb630e0c4b48b77758049578f6c48fbf

SHA256
fe39868343944c33bd011428959f20fbd735b2f8650dd7246ae0236c77d2efd8

SHA512
a33a4b2f64f9dab078fa2cc3e6c6e1a7b8c6d0bb22c251426baa5a3fb4a50697e79c2167adb147ddbe6b7fe57cbacc390ea7f0899b163e4d37c6f4173572bb18

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
74KB

MD5
00dfb961c8038882d09427e6bc5b2f9a

SHA1
90d952dfcade8cd86d942f8bf69e6621cbf9c7c6

SHA256
0bd72e4f672ff139975377bee00e0322bb1f6cbdf9a7b3cdbeb80b8807f079a4

SHA512
9cdcd2a4e9ddb9f25f3080052e4682bb6cc5c8c20ca97ee326130ab0423dbe7f756c65c545f95d4a11684880293d1c61a18ec229e7a715a6d344ef3c51d5adbb

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
74KB

MD5
6fe0e88d9710dde89dd0e877814ec5c3

SHA1
57f455c79b6ded244816b8ed25d7055f3d388eda

SHA256
233389492eefa243937f7b094aced8428ae71aeee3495dc8a8ad75aba78dabe4

SHA512
80790c354a158f82ef379f4346df0f0881752c2d04b9465dd79bdddeb1423012785e4b873351310512fd9e1d06e182457f1132d87c7dcefddd816cd500982a95

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
74KB

MD5
cb9f6a3b5702fe6e3cdd0144bd00692f

SHA1
c5c541c2dbd4ce1d8a5f17fe1acbd7de5856b2ba

SHA256
2aacc9bdae160dcd25709a17a7b39e77e1424d107844dc2e27aec5364d3e42b1

SHA512
66cabe08c935f1a4862d002bbff40ad8a8aebe41327c853927714dd4f84d37b08a3e296a095aed735b336d5f8355f21203931f13eba4d7c77b75d16c21d0e4ce

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
74KB

MD5
cd1f5359575bfe4f05897e226b738683

SHA1
b5a50b615ab83958b5b44b33a13eb9bc9f39fa4a

SHA256
904ea9c2a8d7791ce78e0ecd9786d60398338850b40fc60897868fa76cabd146

SHA512
42fc1ebaf4f4c9bba0375ed9c39117ed988d6a0c4486734e0f64b08bf4e89922b5ff6d443f19efb7e170985baed832f38818752a921e3fbdb15b0053d9e7d314

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
74KB

MD5
7a69dbd6080b096979f018f1401f764c

SHA1
0d67d5ed991af85b53d6af51044a6bccb31c88b2

SHA256
03dfe87dc10b80b6c9bfbb62c8194d78e36ec173749db306b7dd07a167cf5db5

SHA512
e990bd71dfd15f8ee394a06a885b92697d48cf678eac2f24963e5935de33a481c042a032a4b24fa2cfaf8c35f5b21b4b534bec0227aa7feafe8775e4ef72d306

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
74KB

MD5
2b97c638d9572f17f677adf6f6fcfb4b

SHA1
c04791879d99302aa20dd30cdeb1b9a28a947fa1

SHA256
b2265e1d4744468014b5f9ad0446503fc95dea372238779a7476648435d8ecc0

SHA512
eeaa1d420f2a222425bd98ffa5617c93e79debcd9fe0c8af4e6f7692dc0cf0468c55c101d23da62b3ada8e83b8b96d98e09c9ec02aedc82eefdeded37fa266cb

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
74KB

MD5
6665f773a96965571006819fa9f2c040

SHA1
7e20fc1918e05765e111d2f1f7ed82797ea5fe06

SHA256
a9beb8325debfe7ccb50b60d97ab9944535f1f5d0d894076a1aa67d3a15f5672

SHA512
ca1fcd0ea2350e4a4d55bf83bfa3a3972210c33dc547c5a71f8bae07ce4105bcdd98e59ce1b33010536c39d12e778630b10fb529966f3881615afcb0b670b51b

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
74KB

MD5
0f6eab744bf114ba78aa9086531756ce

SHA1
f680614c7b0d3ac97acd30c402758c17d6e1fa37

SHA256
8094b38fd646c44783515bfb7bbfcd62a912a37a0711301ddd4a5ef1a9b613fc

SHA512
4d9d0d8fb2a54b2e0e1d73cceb05f64bac5dfcc71ba07ad2b616d4c19495f240993c8f03847beccd39bea95e3b4eeb79fbc639232cf65ce9cd014010388bc7da

Download Submit
C:\Windows\SysWOW64\Dgnenf32.dll

Filesize
7KB

MD5
dcfccd560739ac7f5f2936657822346c

SHA1
e77a75332c7d899652c4aa7fe6588b27c1364bb7

SHA256
0830605b9d58c7999d9ef2a853464a9c1ba78309c2f6e29eb00296b5dd1079d6

SHA512
956199730c087f117e0d463166bae8224855ea7dcc17a0071195807427b705dd0b284c7a03654188156145952e7a809f892e2699585ef3589cb97267399230c4

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
74KB

MD5
f2b603596bee2dd5a471b0eb10ac6781

SHA1
ec73d1a87759a091ee1403bef8b3f8aaeb9b6aab

SHA256
ea36875147103ea9f39e5cb4f475e932de0252c3410fb09e65fceb691190bacb

SHA512
3d917e7d0372c4af7159363c8000918d40b68558f275b674c11579f46712e85c8292c50190add1f55a19c6c9fa5aa13a060346322727c847ef61bb5ed6818e06

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
74KB

MD5
b4f56b6ad87edd203041001b84d41295

SHA1
fe365b1ae28ec54f8f57de5ff9a19bcac71a81f5

SHA256
212cca55d7e9ed4e03007e0c20b87427daa93bf82d8fd167f8de6412901c05ff

SHA512
1c36c67fc4b597eee45b72b13c1689acc1ffa15b84c32909383d4b72b7466898e80576b718dfa567372dc7c28cdf885b202ab14483eb6561bc62b30f45a47008

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
74KB

MD5
a7af8ef25dbd3b0f0cfad4eff5192784

SHA1
e0a2dcb97bbfed2596c90f35b027b13aae2cde86

SHA256
bc1bebd85e2cce3cc9ce798986744bdf3d096662af2313f04993c82d4d73c7a1

SHA512
4a5c2d83c18b536de8fd0d2a82208ac75abbd44eab531e4021bb8effc2c5b29906d3a9d0839add7e3b5c242168b6dfdc483e48fde5f96636f3fbcd326e38cf49

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
74KB

MD5
bc37b84d9a6a9496161f2d65ce004099

SHA1
dee75a755500c9cb1e02a4af9e702fb34c9f734e

SHA256
3fbf94471457260f6da6145ec2e317a237061d4dc8d1280a2ba23bd2306bf496

SHA512
79ae711dbea3e45b4a4148c09df437bce5ebe8aaf430431267d217193696080cca0867a1978b038ad593d3716e7a995fb09dd1d17fefdeebee3954ffd32b0209

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
74KB

MD5
3966468737d8793727a1ab768a8291ec

SHA1
542d7838f11915198da537a15617d46cd6c26871

SHA256
f7330ed7e01659f3bcb4f7cf2e02f57317c0e5e640074279a4dd2f93b4ef7e06

SHA512
368ca5d5e5b25210a390c7a0c3d03cad9bafae041e356b3e89fbb2fdee5aa7ee9da1a921bb1b5fe360cde100b2a98748df0af98cc90a0814325a093b98e47d70

Download Submit
\Windows\SysWOW64\Bigkel32.exe

Filesize
74KB

MD5
5c3b824492ae160eafdf3ad63e4f9882

SHA1
faa4fd52e83a4e2056f5dfa3cdd355e2c179ab4d

SHA256
aeaf8a12d38b1db9d3d053b73d1e0e9a5a790f51dd16ed69d3d45b107dff8c4f

SHA512
a2165c46e8dd1b41e4813934983e423660d909a0d08d624c53931cfca0ee384985be5b1f621123bd7ca30e698878d8b514aac4ac9bceb342837cb85a0f2fa1b2

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
74KB

MD5
dc0bb6f1f13afe02d3fb00550ed88d41

SHA1
65d4719653038417982c235d307e54bacaccb0b2

SHA256
8146d28830d983387a6b3835d41e43764453ccd52e34bdd02d88df6f30ed6bc5

SHA512
794be18f221d5f0aad95e3be72bd76e8978a6cb9821cd8efbdf258c41710ac498005cedf149e40b0cf7596aa0cee35b85750793c22228aa6a8f573266147f75e

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
74KB

MD5
523743753818cbb1888721eb74238053

SHA1
58e02bd4a043e065e31591109277a419fc9bb08b

SHA256
5838ed32fd36b7f4490b140e5b02bba655be2e01fb6761015a8e997141ffcc6f

SHA512
fb669f956c4df7194be204c02b6f1184c6e27a45840e302bc95e78c33c2e2402e6648561eb4a56e1284bae5cbdee84ebda783d246e987de38d28711ae5bc05d7

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
74KB

MD5
3ae1ef13cdb6c9e3391a31d8946e84cc

SHA1
bc788ce8df86090f43a1a78f8c0ecde234ac15a7

SHA256
74bddd3927f93c17d9a4729aaad774cb6f00a50d3df6793d657940cab799aa46

SHA512
9520aef2356208eda0f94551ad7657ea4fcdb4e4bb9d057be39450e818430fa528fd0b03a67f3f457d26dd1bf6d4678745c1d6850a458c3b0b486b2d12099229

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
74KB

MD5
f8dc46932c48e7636c231c010af0c31b

SHA1
6cef9cb119c8a7865a8e1ecd15882ac70114ae1f

SHA256
8ee0b5e73d4677e632a95270fee72398b180ca5b2dfc9e69af8dcc3822e9da85

SHA512
59c2c7fc20b0cce610f23750f8c711007ba4fefc019f778da5f6a818f9f4604552be1ef5d81ade9eb15fb048570825f49c73ee7f5ef56aed275f538d3b42c7ee

Download Submit
\Windows\SysWOW64\Cbblda32.exe

Filesize
74KB

MD5
1a03be959d22cef0d22923e05d86c3eb

SHA1
7aefa1891d17173cd6a373f2a23b3373e5166621

SHA256
3127f317a9f894c867af2ea83044c21eb1d10c82430415fe76a7a96d3de54013

SHA512
e84cda6840e663e16d97f9a2d3442b8f508d436ddae9e1cf92e27797e91f46aa41c4a3a1110d9fec96b64e2f329e30127121fcb6c7e13db210b05b2a69a1c424

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
74KB

MD5
f797b277e2717084db01e89ad9fbf040

SHA1
0d844cdddade66b0d804153a2e398e64b2ae589b

SHA256
cfff347d40c7137ad677f8a54012ea36e43f9e5ebc5be579aab7ce06fa712c12

SHA512
973b3cf81b7974dda1073dec323392eddc352777dc26ffecacd4037e022820712c81f16f2513317b01c34b411162d236274b395e6cf7349efe8f5289c3e56409

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
74KB

MD5
a18497a8e2ff519f8724b0cdec468478

SHA1
5fe62c6741d3395392afc361970ebf4c7bc5aba3

SHA256
ac82157511aae4dd8ede5b76e9bfc29d2abe72a9a0a77982b8c7ebe7eef67a41

SHA512
e015b5ed47a10e293ba89e79f990b0953442828f7340b43d50ba255d923c93be3c29ac96d4dbecbcf7731033279b5d0904dce2ea1c4e34e9c88d2e57c27de98c

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
74KB

MD5
7ceb9d667a797f97bbfbd88b3f40ab99

SHA1
438d844350a717a138165f7340775b03028d06fc

SHA256
4281be560845feff45a5a6a8a59328308c60751585a984514d94e0d7375f127c

SHA512
b86155a754a5eef2713d0d7ffed43e07bf30c37658401993dca7fd41d64e9420fc99fdd63d3a4f6ea5073510334b2b3475792930835d7350fb61a591b310bed5

Download Submit
memory/536-383-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/536-177-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/536-189-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/600-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/600-132-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/688-381-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/688-229-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/912-253-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/912-377-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1012-275-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1012-379-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-161-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-174-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1144-385-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-169-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1448-218-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1448-224-0x00000000002B0000-0x00000000002E7000-memory.dmp

Filesize
220KB

Download
memory/1448-380-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1596-308-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1596-372-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1596-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1596-304-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1604-317-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1604-373-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1604-318-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1748-244-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1748-238-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1748-386-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1944-13-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/1944-12-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/1944-351-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1944-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2116-374-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2116-287-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2116-297-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2116-296-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2208-384-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2208-216-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2208-204-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2248-371-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2248-319-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2248-329-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/2248-328-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/2260-375-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2260-282-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/2260-276-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2260-286-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/2328-387-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2328-147-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2328-141-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2328-133-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2332-362-0x00000000004A0000-0x00000000004D7000-memory.dmp

Filesize
220KB

Download
memory/2332-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2332-353-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2452-198-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2452-190-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2452-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2512-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2512-366-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2512-367-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2512-35-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2564-378-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2564-363-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2572-392-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2584-391-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2584-87-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2664-368-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2668-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2668-340-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2668-339-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2668-333-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2684-347-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2684-369-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2684-352-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2684-341-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2764-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2764-148-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2856-60-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2856-53-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2856-393-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2880-73-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2880-75-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2916-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2984-266-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2984-257-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2984-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3040-114-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/3040-106-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3040-390-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads