berbew | 4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
Size

88KB
MD5

c852dbf42432ed7d573326f4a1603269
SHA1

4110768bb96d262d8a6dce2310661c4dc388fc08
SHA256

4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e
SHA512

8d48a372d026897721cf8d4b84ba8e68947607325969fde9e660f80494e0eac2f9a1709f290c17580be25372fb044ca5c547e026206bb86960a34c7145ed6db9
SSDEEP

1536:CqzsVuiGhcteQNhNZswFL8QOVXtE1ukVd71rFZO7+90vi:vCuhhmesNZvLi9EIIJ15ZO7Va

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 34 IoCs

pid	Process
1764	Bqeqqk32.exe
2804	Bccmmf32.exe
2688	Bkjdndjo.exe
2608	Bniajoic.exe
2572	Bdcifi32.exe
2120	Bfdenafn.exe
1628	Bmnnkl32.exe
2100	Bchfhfeh.exe
664	Bjbndpmd.exe
2948	Bieopm32.exe
2088	Boogmgkl.exe
2392	Bbmcibjp.exe
320	Bfioia32.exe
996	Bmbgfkje.exe
2240	Bkegah32.exe
2020	Ccmpce32.exe
828	Cenljmgq.exe
2536	Cmedlk32.exe
1644	Cocphf32.exe
2444	Cbblda32.exe
2488	Cfmhdpnc.exe
1668	Cgoelh32.exe
2540	Cpfmmf32.exe
1672	Cbdiia32.exe
2728	Ckmnbg32.exe
1624	Cnkjnb32.exe
2736	Cchbgi32.exe
2636	Clojhf32.exe
2768	Cmpgpond.exe
2820	Ccjoli32.exe
1716	Cgfkmgnj.exe
2892	Dnpciaef.exe
2968	Dmbcen32.exe
1936	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1780	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
1780	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
1764	Bqeqqk32.exe
1764	Bqeqqk32.exe
2804	Bccmmf32.exe
2804	Bccmmf32.exe
2688	Bkjdndjo.exe
2688	Bkjdndjo.exe
2608	Bniajoic.exe
2608	Bniajoic.exe
2572	Bdcifi32.exe
2572	Bdcifi32.exe
2120	Bfdenafn.exe
2120	Bfdenafn.exe
1628	Bmnnkl32.exe
1628	Bmnnkl32.exe
2100	Bchfhfeh.exe
2100	Bchfhfeh.exe
664	Bjbndpmd.exe
664	Bjbndpmd.exe
2948	Bieopm32.exe
2948	Bieopm32.exe
2088	Boogmgkl.exe
2088	Boogmgkl.exe
2392	Bbmcibjp.exe
2392	Bbmcibjp.exe
320	Bfioia32.exe
320	Bfioia32.exe
996	Bmbgfkje.exe
996	Bmbgfkje.exe
2240	Bkegah32.exe
2240	Bkegah32.exe
2020	Ccmpce32.exe
2020	Ccmpce32.exe
828	Cenljmgq.exe
828	Cenljmgq.exe
2536	Cmedlk32.exe
2536	Cmedlk32.exe
1644	Cocphf32.exe
1644	Cocphf32.exe
2444	Cbblda32.exe
2444	Cbblda32.exe
2488	Cfmhdpnc.exe
2488	Cfmhdpnc.exe
1668	Cgoelh32.exe
1668	Cgoelh32.exe
2540	Cpfmmf32.exe
2540	Cpfmmf32.exe
1672	Cbdiia32.exe
1672	Cbdiia32.exe
2728	Ckmnbg32.exe
2728	Ckmnbg32.exe
1624	Cnkjnb32.exe
1624	Cnkjnb32.exe
2736	Cchbgi32.exe
2736	Cchbgi32.exe
2636	Clojhf32.exe
2636	Clojhf32.exe
2768	Cmpgpond.exe
2768	Cmpgpond.exe
2820	Ccjoli32.exe
2820	Ccjoli32.exe
1716	Cgfkmgnj.exe
1716	Cgfkmgnj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bniajoic.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bqeqqk32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dmepkn32.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dmepkn32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process
1388	1936	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cmpgpond.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1764	1780	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe	31
PID 1780 wrote to memory of 1764	1780	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe	31
PID 1780 wrote to memory of 1764	1780	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe	31
PID 1780 wrote to memory of 1764	1780	4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe	31
PID 1764 wrote to memory of 2804	1764	Bqeqqk32.exe	32
PID 1764 wrote to memory of 2804	1764	Bqeqqk32.exe	32
PID 1764 wrote to memory of 2804	1764	Bqeqqk32.exe	32
PID 1764 wrote to memory of 2804	1764	Bqeqqk32.exe	32
PID 2804 wrote to memory of 2688	2804	Bccmmf32.exe	33
PID 2804 wrote to memory of 2688	2804	Bccmmf32.exe	33
PID 2804 wrote to memory of 2688	2804	Bccmmf32.exe	33
PID 2804 wrote to memory of 2688	2804	Bccmmf32.exe	33
PID 2688 wrote to memory of 2608	2688	Bkjdndjo.exe	34
PID 2688 wrote to memory of 2608	2688	Bkjdndjo.exe	34
PID 2688 wrote to memory of 2608	2688	Bkjdndjo.exe	34
PID 2688 wrote to memory of 2608	2688	Bkjdndjo.exe	34
PID 2608 wrote to memory of 2572	2608	Bniajoic.exe	35
PID 2608 wrote to memory of 2572	2608	Bniajoic.exe	35
PID 2608 wrote to memory of 2572	2608	Bniajoic.exe	35
PID 2608 wrote to memory of 2572	2608	Bniajoic.exe	35
PID 2572 wrote to memory of 2120	2572	Bdcifi32.exe	36
PID 2572 wrote to memory of 2120	2572	Bdcifi32.exe	36
PID 2572 wrote to memory of 2120	2572	Bdcifi32.exe	36
PID 2572 wrote to memory of 2120	2572	Bdcifi32.exe	36
PID 2120 wrote to memory of 1628	2120	Bfdenafn.exe	37
PID 2120 wrote to memory of 1628	2120	Bfdenafn.exe	37
PID 2120 wrote to memory of 1628	2120	Bfdenafn.exe	37
PID 2120 wrote to memory of 1628	2120	Bfdenafn.exe	37
PID 1628 wrote to memory of 2100	1628	Bmnnkl32.exe	38
PID 1628 wrote to memory of 2100	1628	Bmnnkl32.exe	38
PID 1628 wrote to memory of 2100	1628	Bmnnkl32.exe	38
PID 1628 wrote to memory of 2100	1628	Bmnnkl32.exe	38
PID 2100 wrote to memory of 664	2100	Bchfhfeh.exe	39
PID 2100 wrote to memory of 664	2100	Bchfhfeh.exe	39
PID 2100 wrote to memory of 664	2100	Bchfhfeh.exe	39
PID 2100 wrote to memory of 664	2100	Bchfhfeh.exe	39
PID 664 wrote to memory of 2948	664	Bjbndpmd.exe	40
PID 664 wrote to memory of 2948	664	Bjbndpmd.exe	40
PID 664 wrote to memory of 2948	664	Bjbndpmd.exe	40
PID 664 wrote to memory of 2948	664	Bjbndpmd.exe	40
PID 2948 wrote to memory of 2088	2948	Bieopm32.exe	41
PID 2948 wrote to memory of 2088	2948	Bieopm32.exe	41
PID 2948 wrote to memory of 2088	2948	Bieopm32.exe	41
PID 2948 wrote to memory of 2088	2948	Bieopm32.exe	41
PID 2088 wrote to memory of 2392	2088	Boogmgkl.exe	42
PID 2088 wrote to memory of 2392	2088	Boogmgkl.exe	42
PID 2088 wrote to memory of 2392	2088	Boogmgkl.exe	42
PID 2088 wrote to memory of 2392	2088	Boogmgkl.exe	42
PID 2392 wrote to memory of 320	2392	Bbmcibjp.exe	43
PID 2392 wrote to memory of 320	2392	Bbmcibjp.exe	43
PID 2392 wrote to memory of 320	2392	Bbmcibjp.exe	43
PID 2392 wrote to memory of 320	2392	Bbmcibjp.exe	43
PID 320 wrote to memory of 996	320	Bfioia32.exe	44
PID 320 wrote to memory of 996	320	Bfioia32.exe	44
PID 320 wrote to memory of 996	320	Bfioia32.exe	44
PID 320 wrote to memory of 996	320	Bfioia32.exe	44
PID 996 wrote to memory of 2240	996	Bmbgfkje.exe	45
PID 996 wrote to memory of 2240	996	Bmbgfkje.exe	45
PID 996 wrote to memory of 2240	996	Bmbgfkje.exe	45
PID 996 wrote to memory of 2240	996	Bmbgfkje.exe	45
PID 2240 wrote to memory of 2020	2240	Bkegah32.exe	46
PID 2240 wrote to memory of 2020	2240	Bkegah32.exe	46
PID 2240 wrote to memory of 2020	2240	Bkegah32.exe	46
PID 2240 wrote to memory of 2020	2240	Bkegah32.exe	46

C:\Users\Admin\AppData\Local\Temp\4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe
"C:\Users\Admin\AppData\Local\Temp\4565fea21c21d7104c0cae6fbe2e496c60428919face3bab9520a1384ea2d67e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\Bqeqqk32.exe
  C:\Windows\system32\Bqeqqk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\Bccmmf32.exe
    C:\Windows\system32\Bccmmf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\Bkjdndjo.exe
      C:\Windows\system32\Bkjdndjo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 144
        36⤵
        Program crash
        
        PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
88KB

MD5
b1bdd2af09bff338ef3a276c69109c6d

SHA1
443175d30ded62eb73c8b35dce0ee776ebbddd0a

SHA256
e302c1edf3e41ada2d6fe5cffd90c901339bd7d128ab2c5ffe577a2370a2df2e

SHA512
b05dd3104398579016fb8e20656508068071cbce39a45b5bb3fbf7118e7f8107a9ac52bfa507fb180e3d0b1bd9b16493bf72dae720cdfd4d74a72ea4ac88f1be

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
88KB

MD5
328937e857e0cab222d44004a83da974

SHA1
44079ca3ff4a0aa200f4e642d946a51b3c37d062

SHA256
0a4d4203a49593b03fdc0d4c4c8b281eda493d91bf6dc63e948c8c1c05036395

SHA512
b9821b729eab23d89816d0cc1778e698e2d62c14af4811c1b546529962157dc644134740cbcc2f6bf586a6aa73d17ca53771a55d298e704241dfd7bf1dda7088

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
88KB

MD5
9f17715391d8dc0a1bd02537aa848150

SHA1
00cfdaabca761ee297943fb2142b0a59ff1a846a

SHA256
d2b93db9d49c4f04c029a669ec141ee25d9c1fa6a36a1d51c28c797c58e90a07

SHA512
0d8723fd8348aad88be3b3ff46331f899c449e520a003bc133e494024d029980ac65222a148c90441127e7a297692cde1a79c6fbf98a7f3045fc08cb1299584a

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
88KB

MD5
5af3f62f996fb1d01cc8068ead6cd51a

SHA1
9eb5d2facd5076fd5aa81f5f5b78c9f8c7c6532a

SHA256
3066cf5bf025b761342bda38c2ebbbb4c5fd2765c87abfde2c6dc25054838db1

SHA512
5e8995462dd2ea3cccf53869032f3fbedebc539613292fe8130123cca1d5cbdd5cbe17ee4df5f0a4e9a7a88ea322a106af1087b347fb9564b1aff25045f719f4

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
88KB

MD5
1661951f99140555a47648524dfabda6

SHA1
0af963df286275a011d29e0793c4dd968984ec04

SHA256
3a2f65d3225695bc211ca353e5074d75592fecc58fc4570da6ed77db20758a3d

SHA512
6605b8f7b785bd34929b2660b72d860119b28a30c9c8892c9c1673448e029e6591d9da0ef70d0ca3315e55c66b0d34472a3143b01ad46774c0f64c51474e6cee

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
88KB

MD5
6755a20c88f25ac29fa8a3bd918a88e8

SHA1
b46d9e02ba47c3c4a88583a967669a0d177b025e

SHA256
e88469bd0c91377fe4c39c64d2c21815dd8d102ef82fd0ffb971f6582079d15d

SHA512
649d6072c504b360e0f92d82fc7ed0b13f979c0fde8fd9bdf9f2ca30fa0990bdab3b945aeb99020afe81b151b7ec0ff623afaa7fad7f6b9dbd5d79ae21d65268

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
88KB

MD5
8c29c0a1bfa350a868c312da564f79cd

SHA1
311f548da202cbf9f60edb499129d2e23ec58b7b

SHA256
df64cc378d574b66162504fc055911a6aefc50d4835f941937e852ccf5623b3e

SHA512
c3824c0ebb94d2ae99df1e5eb9b66e48a7084c08e64a96ef8d01bd7e793372680f483ad6d32fed87d0359571aad6ca7b7290eaadb2f2498b0863b5cb76cb8c8a

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
88KB

MD5
995fca184ca369474f656cf9a0f0c105

SHA1
21f3453d71e039a062f40cf5de58b63ff1a1f09a

SHA256
843acada6e33f6b63b7b19a47bde520850ea636d01a4a087e5b52e2c3ab2fe81

SHA512
21d6f025fdc690acad7701bd9a929b687674f47300cc8d133ff16b5f84901f1c392f479fedbdf692826e5088b5ac06f8f4416f4522018c377a0e8b4b1817ac60

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
88KB

MD5
a4458305f6999fbebc1d92772dc7267a

SHA1
3ac66f5cabdf39ca24c661a38f93ed8de963f119

SHA256
5aa057fceabc9dee83499324c630918d4d5e75e97d687c28bbb2d41c9b987326

SHA512
170e0fe6a3d21708e051962ea3e56275c79f956bfa21da6fb42d7e8d6604291f524a91f3d7c764831ae3df456ac590e2df63caeb4f875189de2f6a462616ebd2

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
88KB

MD5
f24b2868618344f1c92b06ec19dfd0d1

SHA1
0002f830d880d1327eaddc2543c4b8cf582690a8

SHA256
3c4773454702c8ac59c932a682bae2390a241dc4b17bb23ddcbb95582cdcd345

SHA512
7f998caceb6fa7fd0281453672c2c35e7ca5badc81d51505bf6ea1387a0570d0d5360be13ea9c310ce92a094524ff3c18dd7e353ecc7c4e7d3f4085e3e6cf9e6

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
88KB

MD5
3de6ee49c0533d1f924c069ecbd8328f

SHA1
9325db8aaca663dc3b66cda0f758af59d27f7dae

SHA256
3627a7f77ca471034b324765ec3e17df92d0465a74c9e2c994207efb2e085a13

SHA512
d14ab9fe0074983ff1ca7e00a7bdab6038dba809a37cc75c3f62b53fc8d42b56db00f0f6110d193c466df956dec1706b8f63b2fc942970318716a9656ecb3b41

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
88KB

MD5
1a583b6b9b7ee595e1bf7dabb2f23e54

SHA1
cbacc56202fb04b9f244465b5a62097b952edb97

SHA256
84a61e3ccb3f339ea87f5c8180778d9a2e021498ada6b92065ba2f89bc04e1eb

SHA512
b8e154485e1360adf837969274c20eec404457fc77d66078a2c8548fb75c2d0f6becc62104b098fb7231f241fe962116769d75cf59a4c089da89ca4e3358759b

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
88KB

MD5
a98ec4d84af2e1a23c6938a4076f4fb7

SHA1
be946c560e95d9121fdb1e8e891bc5d2ef24f734

SHA256
ae30ed7915093825b4babd23e8700d964b1c26db7bfbe48d9374e5a214f6c1fb

SHA512
3120c149ea1b10bbdf5e80f0c3c0cc50b0dff57d000297f462227715ea2f9ca24550ef332a6ee98957594ef24d4f76a734c41caecd6edc81618a84a9198c68b7

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
88KB

MD5
423a44c58f100a7646d1b62dbbaec563

SHA1
bc5d0ebb187dbe99a8ca674dfa9d1ea9180d4ffb

SHA256
ccc9524c8f17d1ef9f59f16b9056d3eec3110caad2b808e10fc998f2c6fdf8b7

SHA512
312c2330a1cf436ea4b21349f59e23730ef666b7b984f61a0adafe3224f6713f85f423e1f024ea185b67fb39e2fc252ab108d075cbf1a0ff74f4a4e58c710470

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
88KB

MD5
e2d9e85d5d20b2cbf1f066e1059c5d16

SHA1
7072a4b121d23d9591a3ccffd43090376cbf258b

SHA256
17fa715bfd64a77dccb39f9ab06c525b041d21d9db2adaccee55adb41218e25d

SHA512
34c912fb750241af599c5076eff3c8081bdc2bc5527ff4dd309a5e7fffdc87dd0788f8a1dc4f7424bbb64a13ecaf7cc510d5ed1cd38b0470a1144a9f04095f31

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
88KB

MD5
27bf111f81176748e397c9d2bec51557

SHA1
ccaf2b03fb535d1d10035e35c96c41590ad1a486

SHA256
7ff30d5d1b9bead9c52f1be5ed6bd7d2f83e5e74f91245d5063e6acc67c10488

SHA512
f6c4424166d3cc98ade57323befd4940d9e918bdc41e39724c0ba434a76f4d3c0377e405251bb2c4a9cfd9f95752848467defb0c3c23f7c964789c7c0f87dee3

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
88KB

MD5
fb5723b4cd83b35e3238f75bb80ea5a5

SHA1
e439147bf01f62b412abfa41a7b749a59cd619fa

SHA256
c9ef1d65397b378e7964ea73dd51c116a8b707ce0cdff49560f8b1e9334ae3cb

SHA512
cda5ad2c0d4503639b2f025773263b1efcb48a4de685ab785234857c08c638bd2482d5227796d0c7c7297bc6ea81b11a93c9005f9df578cf8cd6156ca419f061

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
88KB

MD5
ecbf5113c8fd4e530d898c00ec75496d

SHA1
9f70486d24a608ba8303b80e6a7f4f2d2263d3c2

SHA256
625b0bde68f843e0f9998b12d973e72c644e3519693d575d82d34992ddc9089d

SHA512
b14b990b7638539abfddca8dbf5d8372687f22ac6a444e7d9f4faebffa8b831ec61e5dc0ddeb84a5d32f034e9271e699d23cdc5588f9046ff6dbc2144160a50d

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
88KB

MD5
657d985bdb45c150de9659704885e65c

SHA1
8262177c60a468c8b92a83a98088e39f6aba9b50

SHA256
fddb4bd88ec3ca2c230e148895c529e47cf89b24c4737011fe68db3c0c6ad27c

SHA512
4ce2310896c5da4438caad465501f505d4c6a03e3f0e007f676f6bb2316efe2db410647586d45f188a3d657f61ea8929944c591bbf1a3af81c32664a183f860a

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
88KB

MD5
13e1699e7fbe1f5c59add994ec3a61cf

SHA1
cb0f6b3a882d13d5eb826f7c75145745997cf8d2

SHA256
08ac5be918854ab6774d2d3c5db1d12f0d6f07b67ab930bc34e7bcc515f1e7b6

SHA512
77340cfc6f4a0d0429fd3f21ccfc88737aa649a948dd52bb6e365e2665fecacd1e7f6832da9cddbd628e80f60c6ed4285e47cb92cdf98b5f945e74835248fb1c

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
88KB

MD5
350e1831d3edf0065f9ad333e5603c3f

SHA1
1fc58a156040ec83998b44b7893b28cc73057211

SHA256
1b4db35cf4e29091cc79320cf5327b69c9308e6506bea9db01757c63a033ed62

SHA512
0b7c164c274bb3995616cb662e103572bad5bd7cc96c77f3bf0301878b4341d3d66330d1a81dd3b34e765a9f7768184242ba201ca4861cc3bbf2841dde210150

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
88KB

MD5
496e18fd4eb18ca4be249c54f7f72e60

SHA1
f6cedccb1ceabf0d78837d8e8ab5a07c88ed50e3

SHA256
0be74910ec6390f436f0e15c0821b75ef27b91583521a81b8e0cc9e9ee62fb80

SHA512
89623c99c2a25aba71f30556a2716aac9896a936053a2925af662c77aac84001a26f593c3abca5e6eb420264bc3cc6fd7aaeafa5893cb748a154035cb3fe36ef

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
88KB

MD5
605f42fb1b038e9e1d0c46755716d672

SHA1
8a86df04844060b86d803af69c5b2703a687318e

SHA256
2c3267490a204deb40f0982c340b9a49d9c9a92e006f16be3d90d14e783adcd6

SHA512
42834569a1748d122b74f0e33a9caa485f3316557e9539db1ca61a9b81d313527db60b06236991a214f2fc418deef7a0b7b0c54f99e0e5c626156d13a4398932

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
88KB

MD5
e836f08e1219bb461fdb2e7fe8d803e1

SHA1
69a1b7038bedfec6a4fc250e508300ec6bb0391f

SHA256
c330074cf5acf598f527f99cc21aa024be3fdd6b58f1e17a3928aadd93b37b8f

SHA512
84a0f6c9dedb4ff7b73c909c627245b75e325b66c405a38a5fd1cc70b9c15c145cc641d030b3dffb810dde38eb5e699836b79bd60caf10a7043b99ab14b986ce

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
88KB

MD5
6f33ea89683a54d8e7b564d20be6f068

SHA1
bfa05fec1096d2f27454af88a00e0f9be89a98a9

SHA256
eaac378fae56de014d386c4d9b788ad648f4429b6036a58d632ef221a9b2ed9b

SHA512
c3b52b71e250391d3cb499ef1222b8e9e9c5aaa8b8589be011104e68952e2372b5b520dd47954539ee8a966d433e3f837d44e1d56bff6fe63c80ed03fa45ab29

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
88KB

MD5
0713987f0d30a63216747a026391fd42

SHA1
26590cf72c4b6d08920fdff07dff1bb2da41d411

SHA256
55304827190c9e2778cb881c1824bba3efc80b9bf3b48f9a316500faac460e60

SHA512
ae1caecc47edb660e5fd178fe0bd9ec91bcb0eed681319fdd695f17572a23cf8672d2a319a46f7831bac5b1acd6a0f8c1a812ce582b43fc4e0396ade02d45c78

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
88KB

MD5
d16826d06a0ba71c87cd379b750693e6

SHA1
d89b33dc6e4c4644101d7a9329a302fe0f2c2205

SHA256
d5ba525a367202d3c224242675fbeee3bf483b618984034e2a4b9a28113d5640

SHA512
0331248b8851a9e15f635cf82b62e8439616d246aa89474362512caf945247d203124143212ae32c26e3a97936a234c5dd087fc3d523e5e9076a49099c3cf61a

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
88KB

MD5
32bff92a0ceef454348579d04be75dcc

SHA1
7b3c36651af025f715a6ead238a10489ee22ef36

SHA256
1f4baef581d055f80014aedbd4c4c3ab8b978c12c6e7437f784f791cbb337350

SHA512
413473265e8f64e157e4e1d0e12a26f234ae9e67e951972cb3ad07b30dcf14e9bf444c3cdbc1fe38d22e9c69fac688d41beff34877d13990b9ccb8ec6eb51530

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
88KB

MD5
99a4449567f2615a694790b82d64c2a2

SHA1
fa5a918f36c5613eef031f6291ce17ddda6b3f3e

SHA256
bab3ee2587e35b61cb0c72997dc92e4b7dea511b1fc3ee99e075915a00e818ac

SHA512
17fa35f49c6728b2adc09585c50fc9539626973dd5701e0a26f46c6e0a28d73c06cb1908cee49a60a5595a34b3d9e7eef5a54060be30956cdea0015dc2e6aec7

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
88KB

MD5
3bfad172cedab27355219f46348c0d2f

SHA1
75ca887624a247d2e644d62005bfe7a4eee5e753

SHA256
b1ea633e41a2e95274dd7fa31d5e9d6f61c48185b3fd31430acd4c5377f2bf6e

SHA512
d0d022e65e14eda0068d1e8c80bdc805b129c8190196ee2af56d87a6d7833e3497ade92300184de0b234d28c092f1cc5d5f77c24a4d0026305c0eba261e38773

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
88KB

MD5
2616905827dc7679a255128c57ab1867

SHA1
2512bde18e3aef7c4703160f2f637f041c655a00

SHA256
139dc3c92a6054ef176eb9eecee10b185343b32eb53fb1f5d46347b3eda59c8b

SHA512
8200a18c2f8e070af0194be817105c8eddc0bf8e50aede3bfa98cf75c1185bfa74ac73e78924aa730efbe0d1d2d26b379d9152d5d24af8504a9858cfbd1a9b69

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
88KB

MD5
f6343f3fefa623d88f5f972457a87807

SHA1
e9711cef2b0e5e37fa4afea2b5ce82a05a467f76

SHA256
e8c573687e86cc8fd7e63061c4954ec94250aa6787636d179b9417477c7ea1e7

SHA512
589b980d3526d26b514589af5f186a2c075b4461d512a11872f9e9049688240de1b37d77c7e0271fa7daaa50c22569f39b9c78ac04c4a0e2fd6d28bd5526f3ed

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
88KB

MD5
467483838bfbd6e9364f2a24d6fbf5c7

SHA1
ecb322fafdbddad53fed7898a260b457e6430473

SHA256
22855b55fa43a80fc9c4d17a54023dd24905e429543c82eaf41531e2e6751df7

SHA512
31d474896bcb34524914b9c1261323e687ad2fe41830e64bb4dce1ab2a3ed01eafba86dc7a66f0c615dbaf73931429e167349a57cebc191725c2f59e52a6d9c5

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
88KB

MD5
a7062e8d05d6f963a4bcd5825a08e226

SHA1
1e40b8cd137b1727791eb247f11b10bc89f16eb8

SHA256
2d0f9fc169fd614ecc3dee23f3507a514a715b76add7e06ebaf8f3c70001b3f3

SHA512
76877a92c05310ffbec8cdd1238cc20cdd14bb502adfcb18e3e81f42e8e84d222a8525858c4c52ec6d534b0f82c328d9778cd210f0fd41a64175ec832f8af374

Download Submit
memory/320-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/664-127-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/664-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/664-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-228-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/828-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/996-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/996-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-324-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1624-325-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1628-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-101-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1644-251-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1644-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-250-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1668-283-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1668-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-279-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1672-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-310-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1672-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-311-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1716-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-375-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1764-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-11-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1780-13-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1936-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-222-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2020-220-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2088-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-153-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2100-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-91-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/2240-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-206-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2240-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-166-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2444-260-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2444-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-261-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2488-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-272-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2488-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-270-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2536-237-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2536-241-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2536-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-289-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2540-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-74-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2572-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-66-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2636-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-346-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2688-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-48-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2688-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-313-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2728-314-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2736-336-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2736-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-332-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2768-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-356-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2768-357-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2768-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-39-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2820-368-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2820-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-396-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2892-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-400-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2968-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-402-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads