berbew | eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Size

74KB
MD5

a96ad6ca075c993b3cbe221ae5dceb76
SHA1

155157972379f351aef6c902e9369ef54e252cf7
SHA256

eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e
SHA512

a179d5da69c02eba3672d247c20b5e7417c74665004ea10d9a6b732bb3422db862b2a6e232b392012a0f34afacc4f0d20918ff8277371be91297b6873457701f
SSDEEP

1536:hde5SPUSXhRAxNpgJor/7qS+pHVSmp0kWKlKJmBGfoRSUl/:+ZOhyUoPqS6Smp15Gf1Ul

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
2488	Bceibfgj.exe
2248	Bfdenafn.exe
2668	Boljgg32.exe
2864	Bffbdadk.exe
2720	Bmpkqklh.exe
3068	Boogmgkl.exe
2580	Bfioia32.exe
2224	Bigkel32.exe
1644	Coacbfii.exe
320	Cbppnbhm.exe
2780	Ciihklpj.exe
1144	Ckhdggom.exe
536	Cnfqccna.exe
3028	Cfmhdpnc.exe
1952	Cgoelh32.exe
444	Cpfmmf32.exe
964	Cagienkb.exe
1408	Cinafkkd.exe
968	Ckmnbg32.exe
1732	Cnkjnb32.exe
1612	Caifjn32.exe
1212	Cchbgi32.exe
2092	Cjakccop.exe
2232	Cmpgpond.exe
352	Ccjoli32.exe
2360	Cfhkhd32.exe
2284	Djdgic32.exe
2816	Dpapaj32.exe

Loads dropped DLL 59 IoCs

pid	Process
1224	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
1224	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
2488	Bceibfgj.exe
2488	Bceibfgj.exe
2248	Bfdenafn.exe
2248	Bfdenafn.exe
2668	Boljgg32.exe
2668	Boljgg32.exe
2864	Bffbdadk.exe
2864	Bffbdadk.exe
2720	Bmpkqklh.exe
2720	Bmpkqklh.exe
3068	Boogmgkl.exe
3068	Boogmgkl.exe
2580	Bfioia32.exe
2580	Bfioia32.exe
2224	Bigkel32.exe
2224	Bigkel32.exe
1644	Coacbfii.exe
1644	Coacbfii.exe
320	Cbppnbhm.exe
320	Cbppnbhm.exe
2780	Ciihklpj.exe
2780	Ciihklpj.exe
1144	Ckhdggom.exe
1144	Ckhdggom.exe
536	Cnfqccna.exe
536	Cnfqccna.exe
3028	Cfmhdpnc.exe
3028	Cfmhdpnc.exe
1952	Cgoelh32.exe
1952	Cgoelh32.exe
444	Cpfmmf32.exe
444	Cpfmmf32.exe
964	Cagienkb.exe
964	Cagienkb.exe
1408	Cinafkkd.exe
1408	Cinafkkd.exe
968	Ckmnbg32.exe
968	Ckmnbg32.exe
1732	Cnkjnb32.exe
1732	Cnkjnb32.exe
1612	Caifjn32.exe
1612	Caifjn32.exe
1212	Cchbgi32.exe
1212	Cchbgi32.exe
2092	Cjakccop.exe
2092	Cjakccop.exe
2232	Cmpgpond.exe
2232	Cmpgpond.exe
352	Ccjoli32.exe
352	Ccjoli32.exe
2360	Cfhkhd32.exe
2360	Cfhkhd32.exe
2284	Djdgic32.exe
2284	Djdgic32.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	2816	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffbdadk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2488	1224	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe	31
PID 1224 wrote to memory of 2488	1224	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe	31
PID 1224 wrote to memory of 2488	1224	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe	31
PID 1224 wrote to memory of 2488	1224	eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe	31
PID 2488 wrote to memory of 2248	2488	Bceibfgj.exe	32
PID 2488 wrote to memory of 2248	2488	Bceibfgj.exe	32
PID 2488 wrote to memory of 2248	2488	Bceibfgj.exe	32
PID 2488 wrote to memory of 2248	2488	Bceibfgj.exe	32
PID 2248 wrote to memory of 2668	2248	Bfdenafn.exe	33
PID 2248 wrote to memory of 2668	2248	Bfdenafn.exe	33
PID 2248 wrote to memory of 2668	2248	Bfdenafn.exe	33
PID 2248 wrote to memory of 2668	2248	Bfdenafn.exe	33
PID 2668 wrote to memory of 2864	2668	Boljgg32.exe	34
PID 2668 wrote to memory of 2864	2668	Boljgg32.exe	34
PID 2668 wrote to memory of 2864	2668	Boljgg32.exe	34
PID 2668 wrote to memory of 2864	2668	Boljgg32.exe	34
PID 2864 wrote to memory of 2720	2864	Bffbdadk.exe	35
PID 2864 wrote to memory of 2720	2864	Bffbdadk.exe	35
PID 2864 wrote to memory of 2720	2864	Bffbdadk.exe	35
PID 2864 wrote to memory of 2720	2864	Bffbdadk.exe	35
PID 2720 wrote to memory of 3068	2720	Bmpkqklh.exe	36
PID 2720 wrote to memory of 3068	2720	Bmpkqklh.exe	36
PID 2720 wrote to memory of 3068	2720	Bmpkqklh.exe	36
PID 2720 wrote to memory of 3068	2720	Bmpkqklh.exe	36
PID 3068 wrote to memory of 2580	3068	Boogmgkl.exe	37
PID 3068 wrote to memory of 2580	3068	Boogmgkl.exe	37
PID 3068 wrote to memory of 2580	3068	Boogmgkl.exe	37
PID 3068 wrote to memory of 2580	3068	Boogmgkl.exe	37
PID 2580 wrote to memory of 2224	2580	Bfioia32.exe	38
PID 2580 wrote to memory of 2224	2580	Bfioia32.exe	38
PID 2580 wrote to memory of 2224	2580	Bfioia32.exe	38
PID 2580 wrote to memory of 2224	2580	Bfioia32.exe	38
PID 2224 wrote to memory of 1644	2224	Bigkel32.exe	39
PID 2224 wrote to memory of 1644	2224	Bigkel32.exe	39
PID 2224 wrote to memory of 1644	2224	Bigkel32.exe	39
PID 2224 wrote to memory of 1644	2224	Bigkel32.exe	39
PID 1644 wrote to memory of 320	1644	Coacbfii.exe	40
PID 1644 wrote to memory of 320	1644	Coacbfii.exe	40
PID 1644 wrote to memory of 320	1644	Coacbfii.exe	40
PID 1644 wrote to memory of 320	1644	Coacbfii.exe	40
PID 320 wrote to memory of 2780	320	Cbppnbhm.exe	41
PID 320 wrote to memory of 2780	320	Cbppnbhm.exe	41
PID 320 wrote to memory of 2780	320	Cbppnbhm.exe	41
PID 320 wrote to memory of 2780	320	Cbppnbhm.exe	41
PID 2780 wrote to memory of 1144	2780	Ciihklpj.exe	42
PID 2780 wrote to memory of 1144	2780	Ciihklpj.exe	42
PID 2780 wrote to memory of 1144	2780	Ciihklpj.exe	42
PID 2780 wrote to memory of 1144	2780	Ciihklpj.exe	42
PID 1144 wrote to memory of 536	1144	Ckhdggom.exe	43
PID 1144 wrote to memory of 536	1144	Ckhdggom.exe	43
PID 1144 wrote to memory of 536	1144	Ckhdggom.exe	43
PID 1144 wrote to memory of 536	1144	Ckhdggom.exe	43
PID 536 wrote to memory of 3028	536	Cnfqccna.exe	44
PID 536 wrote to memory of 3028	536	Cnfqccna.exe	44
PID 536 wrote to memory of 3028	536	Cnfqccna.exe	44
PID 536 wrote to memory of 3028	536	Cnfqccna.exe	44
PID 3028 wrote to memory of 1952	3028	Cfmhdpnc.exe	45
PID 3028 wrote to memory of 1952	3028	Cfmhdpnc.exe	45
PID 3028 wrote to memory of 1952	3028	Cfmhdpnc.exe	45
PID 3028 wrote to memory of 1952	3028	Cfmhdpnc.exe	45
PID 1952 wrote to memory of 444	1952	Cgoelh32.exe	46
PID 1952 wrote to memory of 444	1952	Cgoelh32.exe	46
PID 1952 wrote to memory of 444	1952	Cgoelh32.exe	46
PID 1952 wrote to memory of 444	1952	Cgoelh32.exe	46

C:\Users\Admin\AppData\Local\Temp\eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe
"C:\Users\Admin\AppData\Local\Temp\eaf1fec22050b2facc609b046cea0b115027af612a79a49406380446c2cdcc2e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\Bceibfgj.exe
  C:\Windows\system32\Bceibfgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\Bfdenafn.exe
    C:\Windows\system32\Bfdenafn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\Boljgg32.exe
      C:\Windows\system32\Boljgg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 144
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
74KB

MD5
51c4902a4c6ff81ddce06a3c2abc198b

SHA1
4fa7c74c4cff6826f9f07138d504f5c02241d144

SHA256
809acd1fa60dc9c7b5b1f5434adcd1ccd5c060367cfa2af9f370cfb5cc2f7744

SHA512
7240352aad1a21274469be2a00d97fcf2921b0fddfcf20a79769a45dafccc206706ef926a9d18d17409837d192737f09b6c6819336ba7c8021b9189f1ccd9550

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
74KB

MD5
4711265f21d01cd67ea5f2048a7c4c21

SHA1
e4054062075fc3108a439f80b3c7ac0ab6185675

SHA256
a0f308302c73325b471fb7ad6b3ec486be814add2b4130bc3e650d49c455747a

SHA512
475bf290cb97176e320f71ea3e8d6fdf18c7ad00ca62180468a15571b2db4c3ac5e9d644c56a8c2ee49f628532dffebac09fecfaeb08f3775719236fe3511f19

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
74KB

MD5
9cea2900fe19cf752ba1901fd365bb87

SHA1
3d2e21e68951c959d122eca27595daed81651731

SHA256
0bbdea770c11b1c425ed733fd2c0ea52a00e2b1111b37247e427c99155044b22

SHA512
e64a9e20624099a4269efa00911f2f34cdf87bb6eba00cb50ccb9bcffaae0d504c918c9ba76f9ade477da92da5d994859d7a885a8926f52ff97e12432c65f37c

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
74KB

MD5
8e5474492ad34cfa683d9c51a6971d66

SHA1
0bac0edea085aa0147a195afbdecb3ae139028be

SHA256
fc1c80ee59c5428f7769d4e666c7225da8fb23020b151566be37ffc959008fa0

SHA512
ac77d848e3dc4782ea0537cde5f6ea38d85b7bc1898e41ae41f51af70126172078a8baab84f7d930312afed02c327eacd9c8c6649dbfe99dbbf55c54ddee3731

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
74KB

MD5
7ad2dcf79d190dee8d0f0bedf2a64dce

SHA1
455cd5ecb8307bb3a35457dd690b853f2b39d383

SHA256
40fc069895bb1fab7db748e15e15d71e7d2f9cfb8ea828baa138b4b212ebb6f3

SHA512
30b5871f14ed974956bbae2d82a81b027eade7db789640a9fd06e4f3190b777fdc527d603f01242722170abcfd3fdbe8d9e06a1ec44c78c5ca079c853128525d

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
74KB

MD5
1db9db24e3443c4d5b047046b5fbfac8

SHA1
8c90f78add835e29df0b0bafc1cf87f812eaa3e5

SHA256
83b3ea0f8c22f3ba5bec532b392734718e9ebb5f49c2e80a7f38465ce7f19eba

SHA512
ba467123413812d8351f4e5c91e7f140cfc2b4cf4ae88ad0b93e33d477db5a66375fb697c8402792c1a5cb16a0e2b19ce21971f94635a850a82206413f176b94

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
74KB

MD5
3f2d8b5ae8ea708a134e67193883db18

SHA1
c364839c5580556958b38d6aa843a1e1c4cb6b7f

SHA256
903b6ae71ae643ba39a965111aa51a74d2a7ec02d3a96843fe67a52d6e28824e

SHA512
8eea4d88377e4ac506e8aae92bc421c50ce15a653364a16736c609acf5fbe5cb90a8af8683f8911931499706344f8aaf60290590166649b2a1a11fd0489a2595

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
74KB

MD5
d3ca88aa9512e65d05c7638f10324dba

SHA1
73a60d3b9451f48a24b7bb58a9b3eefe164acfa1

SHA256
947097193c805388b4c08ae6e1578aedf76b43ecd3ceed19a62f44eea5d4aebb

SHA512
4f5c41ebce9725ebd40fcfcbe9eb90b52e4fdb8f261ecade9a20cfacc36794aba898083e895aecda54450d1da08bd48a5d2d290fc7099c50c51340cb4c3bdace

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
74KB

MD5
2221c79334dac26c18d6c5129f1e49f3

SHA1
2dbfa53070a7384442272860f8bd0f00682924f1

SHA256
f5602740ebfa9ed48d6bbfb74694b888aef3343b74608977a5139c9ba2ab6d8a

SHA512
0bf39f08fa9fb32555d8a0d7884f0850200271722f1a48e1f79b6d55e7ed06e2cfc792112e3e0c8f8d4cf59c89ea3697ccbf88dcb680a5c027182bfd0c4a659e

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
74KB

MD5
3b48177f976821aef6aaa87bb988c29a

SHA1
8ca1a23c9d9ae8b07f2476f1d7602d742a96d788

SHA256
26a31bfd4a1f6552d168ec96098f99e57f66671a948ded97a2f538baaf3a52ae

SHA512
240946dd23e5436b20bc3cadd1cec58ba464cffecaf571385829eca7e6f4b0da7412afe5ce74de368c3b008c68382be40d719f4ca078d76cf81a51375806168c

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
74KB

MD5
40ad98108a139f38ea771cf039dacecb

SHA1
02c4ae68e0ccaa04a6c502c14be4a178723174bd

SHA256
b018cd21480c69bb024290dddcb77609fc82e57bae041d672c02ca21c0094e5e

SHA512
acff8b7f7d47bd4cdf3f30700905b684bef1d1ee83c88a5ec0da58a07476f92f9ec11cb79d103801e87a051de6e70f3a61371d8ca12401ad140c84246bcd180c

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
74KB

MD5
79756fdd83ba9fb65f11e46ef5d753b2

SHA1
fe4c933b547c44ae84b6c5590e2a555ad8a0cd90

SHA256
7fa73bfbad5d882bd4104e44f3a1ac7df8a31d19a17e26bae1d5235c3e744190

SHA512
851bd5835e921bc0ef0374f7538b8f37bd72a97ff12b6b74d9191d1819a9f13cf4789e38fae5958c870ae2cc54c84060c8e25f5be7a7137adb7595db29313fa2

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
74KB

MD5
ecb37e16ec7b17919ca7873dc1148f90

SHA1
9a321fd841f950f04c6e539c3a0cbc1c5ecb05ce

SHA256
ab6f08822f7e46d977f514f0d92c6d47b15a33c070486ba73da6f546797e4514

SHA512
3a41dfead3dd6b06d08bbd9236b7bbdd510d953d10cf6ff5c40cd5b7a72d98bc7a8a0d2f540383f3f247518aec561d1b6d5d61bc581396d379a82bdd26f3ae9a

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
74KB

MD5
061a8abf5e66fb49987fd33c8c0066ab

SHA1
86d5f4bcb0fd6e508d17b8ef28cfe3d3cfd25956

SHA256
ee21d53154cd07dbeabf59c5e50567078a5db20033c3747840e0a741b53c6b77

SHA512
a67e11e3e0aa3896e8e6b47730b93254bde1de21e023de6141c8c4ff30911d679bcc5621c07bb83ab6a20d79b364feb652af9cea78e5bf23abbb2157a7f87c36

Download Submit
C:\Windows\SysWOW64\Pijjilik.dll

Filesize
7KB

MD5
ca2ff2fc21c919b106badb30c38e990f

SHA1
d09a3dd3c59b69e6f9089c2c6c190463524f46f0

SHA256
7cd4a1f7df2a543575e88587ccb05b5b55229c249fbb4b9f76f42760c9f4a09f

SHA512
58804eaba34be904f8858d10acb54280895ce5e1d5e6cf80ae1fd4da0cc77a015d8423253162ac90ebb9acacd9873269f4263ae26eb37211aa204ba0a7234f40

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
74KB

MD5
99a40b29a5f43d0c0a24775f88b48fe1

SHA1
749a1c339779bedc50f015e4cd0a5aca43440ff3

SHA256
d3ac9ab38656f043fd1935747fe6421674ebe5c8ccbf2a9bc8c067cf0898c3bf

SHA512
d635418dc38824f0976d6f4c971dcd4bb0b918044ec2cbac23fef94ef7b34a5105b5cf98d3012447fcb67b9e23e9db3e61fb663f1bf57cc8f15baad7201c5329

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
74KB

MD5
a31ef9c615e738afe224eb2447f0446b

SHA1
ddea07fadeb7b097cba7d7036a2f782a03b6535c

SHA256
e5662147e75948660c1ca38f40601a5304c88a21e2cc363a32ab5aab57567173

SHA512
426113beaef8707b09be6e0bf861e9ec20cb5fe34a2c045e14222021d3b5e60c356bea03ebeadb6e2758ba7fbebc788ca6a0ddd57a12e3a8dfcfc21bc7b22c3f

Download Submit
\Windows\SysWOW64\Bfioia32.exe

Filesize
74KB

MD5
1643a36f1c4b482f1492f1c07a59cf0a

SHA1
4b50b30aee28b9fb61bcbf5fabeb8a3695ddfba0

SHA256
bf81259fc66c2d7c09ca24a7e76fb82859be187fb94730fcd3af500684fa7f57

SHA512
f70699508a978f4dce798c9c7bd10d534d1971fab90dfd282395c02159828c6b990b24244b2fd2b3106eec19556f518f29c27f89d36b88ac710200cd1f8bd625

Download Submit
\Windows\SysWOW64\Bigkel32.exe

Filesize
74KB

MD5
ba47af1fe8a6ba68995f1472f380c453

SHA1
8b7edadac9fb602cacce5c301a2cbba8e33bfc60

SHA256
62e719f829066a0586e6ccdd85cf1d2311dc951306053066ebc2a9ea92ccdbe1

SHA512
199ba94ab199a54b6102742f8957474ec98908c4cd51ece34609fe74efb2ab886042f1a10397bc456c5905c39a72af1f62d3d5dc42ec0194ea6b221fbfff4fc8

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
74KB

MD5
7a1bbfc9fca5928d367c0244e8253c7c

SHA1
7eb3e14c8d676a2cb0066dbb34a38188eae1ba47

SHA256
746366bdef3aa7616553e1cc5ba07d85dbf939e9734629ce173446eebbeb4cfe

SHA512
cf2819cc0b563c0b4f3331a1a02d4f06cf42bc32c5b11c0eff092a17bc38197a640777f40e668235cdc10683c6daa333fcc2705c12c2b54a2b3bfc8cc28c98d6

Download Submit
\Windows\SysWOW64\Boljgg32.exe

Filesize
74KB

MD5
823403e800de65d983aee499baf63f12

SHA1
8d4f6cba62f5a1f38a528e7017721d754c2f2caf

SHA256
d6f51e138298d2db7c7c38304daa26b665a337ebe4d417b3c9f3f6dc3db50347

SHA512
5d92ba85ef8f4da542c5f41814518de1430766d65b7897105a729b6b84bddd07978d4077c1d3c8b0272ba76e8d5876559e79b432015a0b6fbf03aac3d2268306

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
74KB

MD5
78ca8890dc06092b4e316609398ff72a

SHA1
0b7c948d72431988f8c85c3f70077985b7076025

SHA256
53c48d2ce5eabb83ef61088a43f62aefbdd8c505fdd09ec8cb21d6a1340fc6b6

SHA512
ef55b89d07bfec4ed9da22b8251f7ee03637eebda2cad2e52cbde3e41f221fd3654163e272471e33cb83273dfff2454af5201e2752c03c64f43d54446da33c6d

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
74KB

MD5
a5defed9bfd179fde579f2e3060d8a9d

SHA1
484fee56718a5d4d3e48dc58bfea083c4269493e

SHA256
3df228a97750661db4136f7466226225962ee57a925d02a54d19de7c54f8cf04

SHA512
82a755a74c4cdbc2bcc45e1c31c100acf7769887ebaf167bc3bfa1b1e6348256fe5bf35376e6a0db836f530247fdc0e8b49a2272acf10a893fb021f78ca7e5aa

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
74KB

MD5
aa1a1fab949e56f6df047cc0cb64436e

SHA1
59ce57736671cbef00f8f4fb85860117ac3c08a1

SHA256
abaab70e2bc68fd2a5ac3c7dd0133989292c0134326155ead136267679ff623d

SHA512
bffe66edcba9d39630d59af39b933dfddd3aa39f01c5eb7a3f09748dafa441c4f5f1e2a63105733bfc177b511496aaf4b89d7ad8b4d8afce053bf0dc4c859fa6

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
74KB

MD5
f3d87a04fe5591b8fc37c8f907562637

SHA1
7d26ac5a3e32998b0fe4cdf84e32d215bf8c444c

SHA256
10e62e0c7b5fa9153fbbe7cbcbecf3ae832a03920a1d783407497e3a4557ee68

SHA512
3b45f3092179ad19aa564f255999130082b777c481d3e20e0414415666b7a990fb51e789b90ecf174bf7f6b91de63ddf3e71cb1a41bf5c2655a8eac654ecc0bf

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
74KB

MD5
7da6d2a1c89e94a8d92498b86ad00b2c

SHA1
78d0d8c5a5e2af09f131377c3acd61e12f42a9e4

SHA256
5b8ea7567b0a13939ce087e2c10657ef49b6759209e4e73d9ef21a156edc2ae7

SHA512
bb54a2408e60ac89549e78f54ce334725e305145fed2e49a55215395784098fff9ebbd0d6a541e95d0f658ea8f44f4ad2f25f8a71cd543629d54cb2f1b5e771a

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
74KB

MD5
efd33e006c8ca5ee75b5115f3df36247

SHA1
a400a3841b7408ba3f99517438a44eb3b8cb4b84

SHA256
4db2b2eb3314bcaaae56b69366e19867f54bf668f238ea54f68cd149bb9bc965

SHA512
20413ca1fb68c55fd0e13b3db9e5cfc42f90d2ba5b9c238ed4a7faa76843e5b6621e84141b19fa3d6749d9ebe22bc92ae63080c3409845054f896594df837a24

Download Submit
\Windows\SysWOW64\Coacbfii.exe

Filesize
74KB

MD5
a8bd6290058b41d0453b45219c924ca4

SHA1
d94702136f94ddf78f5403ebb903aea8cdc78257

SHA256
1abc0619f6d13bf87b49fe443ce1e91d34e3a73430151b2b71ef3dd3925038aa

SHA512
3ad6daca39a75a69a01a2851162613d17c9c8a56ec3654fed610cdc31fe400e27a68f6b5394e981ee7d549cee3e141f795182b90661c308ff20d895c343ea75a

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
74KB

MD5
01aae7a33e641c1d553fb1bd7e026ca3

SHA1
00933da7800262ce5a99ba6bad6216f5ee4a226f

SHA256
c5c3437773e9f26f34e67325cc1fe3636b60936d217bb5121c03b1b96e285c75

SHA512
d48d307c7a98ed5132c306bccf860eac5e42c1f1d0d709f0a112beea2036ede1f966ec4109ed4ee862a868f30344bc6a5bf06ce50a1d48eadeb70db48d7f785f

Download Submit
memory/320-362-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/320-139-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/320-132-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/352-312-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/352-311-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/352-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/444-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/444-211-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/444-217-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/444-222-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/536-177-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/536-180-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/536-351-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/964-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/964-343-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/968-242-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/968-347-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-365-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-166-0x0000000000340000-0x0000000000377000-memory.dmp

Filesize
220KB

Download
memory/1144-158-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1212-271-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1212-363-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1212-281-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1212-280-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1224-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1224-12-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1224-335-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1408-238-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1408-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1408-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1612-261-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1612-267-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1612-349-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1644-350-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1732-357-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1732-257-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1732-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1952-353-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2092-282-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2092-345-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2092-288-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2092-292-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2224-114-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2224-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2224-106-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2232-298-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2232-302-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2232-342-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2248-33-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2248-26-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2248-359-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2284-324-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2284-334-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2284-329-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2284-341-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2360-323-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2360-318-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2360-339-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2360-313-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-18-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2580-94-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2580-355-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2668-52-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/2668-356-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2720-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2720-78-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2780-348-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2816-336-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2816-344-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2864-60-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2864-361-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3028-193-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/3028-354-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3068-360-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3068-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3068-87-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads