berbew | de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 02:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
Size

94KB
MD5

47087b23f8ced8bfcb3eb74a4c91928f
SHA1

173854331dd99699a45e6815caecd7569b02b533
SHA256

de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32
SHA512

6dce9046c0fda35f2005d64e51e17ffc45e49d51150e25fb6811234e60bcebfbebdbd844d50852a5d3148b6b16c2c9e78b50609def8ab3c14cd97338d723be46
SSDEEP

1536:7LRPSpkqPMYzHPtwSyqBCNc6JC8uasP0LVksInd8Ron8vp4MqPa1:7LRPqRPMuHrBCNc6g8u9KVksIdvnMzaY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 32 IoCs

pid	Process
2164	Abpcooea.exe
2668	Bjkhdacm.exe
2600	Bbbpenco.exe
2608	Bgoime32.exe
1860	Bkjdndjo.exe
1120	Bceibfgj.exe
2860	Bjpaop32.exe
2916	Bchfhfeh.exe
800	Bgcbhd32.exe
1000	Bmpkqklh.exe
780	Boogmgkl.exe
1996	Bjdkjpkb.exe
1500	Bmbgfkje.exe
3020	Cbppnbhm.exe
844	Ciihklpj.exe
416	Ckhdggom.exe
860	Cnfqccna.exe
2372	Cileqlmg.exe
1676	Cgoelh32.exe
316	Ckjamgmk.exe
2108	Cnimiblo.exe
1064	Cbdiia32.exe
2356	Cebeem32.exe
1652	Cgaaah32.exe
2788	Cbffoabe.exe
2836	Cchbgi32.exe
2800	Cjakccop.exe
2576	Cegoqlof.exe
2684	Cgfkmgnj.exe
2072	Djdgic32.exe
2856	Danpemej.exe
1220	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
3040	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
3040	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
2164	Abpcooea.exe
2164	Abpcooea.exe
2668	Bjkhdacm.exe
2668	Bjkhdacm.exe
2600	Bbbpenco.exe
2600	Bbbpenco.exe
2608	Bgoime32.exe
2608	Bgoime32.exe
1860	Bkjdndjo.exe
1860	Bkjdndjo.exe
1120	Bceibfgj.exe
1120	Bceibfgj.exe
2860	Bjpaop32.exe
2860	Bjpaop32.exe
2916	Bchfhfeh.exe
2916	Bchfhfeh.exe
800	Bgcbhd32.exe
800	Bgcbhd32.exe
1000	Bmpkqklh.exe
1000	Bmpkqklh.exe
780	Boogmgkl.exe
780	Boogmgkl.exe
1996	Bjdkjpkb.exe
1996	Bjdkjpkb.exe
1500	Bmbgfkje.exe
1500	Bmbgfkje.exe
3020	Cbppnbhm.exe
3020	Cbppnbhm.exe
844	Ciihklpj.exe
844	Ciihklpj.exe
416	Ckhdggom.exe
416	Ckhdggom.exe
860	Cnfqccna.exe
860	Cnfqccna.exe
2372	Cileqlmg.exe
2372	Cileqlmg.exe
1676	Cgoelh32.exe
1676	Cgoelh32.exe
316	Ckjamgmk.exe
316	Ckjamgmk.exe
2108	Cnimiblo.exe
2108	Cnimiblo.exe
1064	Cbdiia32.exe
1064	Cbdiia32.exe
2356	Cebeem32.exe
2356	Cebeem32.exe
1652	Cgaaah32.exe
1652	Cgaaah32.exe
2788	Cbffoabe.exe
2788	Cbffoabe.exe
2836	Cchbgi32.exe
2836	Cchbgi32.exe
2800	Cjakccop.exe
2800	Cjakccop.exe
2576	Cegoqlof.exe
2576	Cegoqlof.exe
2684	Cgfkmgnj.exe
2684	Cgfkmgnj.exe
2072	Djdgic32.exe
2072	Djdgic32.exe
2856	Danpemej.exe
2856	Danpemej.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Abpcooea.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bgoime32.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2304	1220	WerFault.exe	62

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2164	3040	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe	31
PID 3040 wrote to memory of 2164	3040	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe	31
PID 3040 wrote to memory of 2164	3040	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe	31
PID 3040 wrote to memory of 2164	3040	de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe	31
PID 2164 wrote to memory of 2668	2164	Abpcooea.exe	32
PID 2164 wrote to memory of 2668	2164	Abpcooea.exe	32
PID 2164 wrote to memory of 2668	2164	Abpcooea.exe	32
PID 2164 wrote to memory of 2668	2164	Abpcooea.exe	32
PID 2668 wrote to memory of 2600	2668	Bjkhdacm.exe	33
PID 2668 wrote to memory of 2600	2668	Bjkhdacm.exe	33
PID 2668 wrote to memory of 2600	2668	Bjkhdacm.exe	33
PID 2668 wrote to memory of 2600	2668	Bjkhdacm.exe	33
PID 2600 wrote to memory of 2608	2600	Bbbpenco.exe	34
PID 2600 wrote to memory of 2608	2600	Bbbpenco.exe	34
PID 2600 wrote to memory of 2608	2600	Bbbpenco.exe	34
PID 2600 wrote to memory of 2608	2600	Bbbpenco.exe	34
PID 2608 wrote to memory of 1860	2608	Bgoime32.exe	35
PID 2608 wrote to memory of 1860	2608	Bgoime32.exe	35
PID 2608 wrote to memory of 1860	2608	Bgoime32.exe	35
PID 2608 wrote to memory of 1860	2608	Bgoime32.exe	35
PID 1860 wrote to memory of 1120	1860	Bkjdndjo.exe	36
PID 1860 wrote to memory of 1120	1860	Bkjdndjo.exe	36
PID 1860 wrote to memory of 1120	1860	Bkjdndjo.exe	36
PID 1860 wrote to memory of 1120	1860	Bkjdndjo.exe	36
PID 1120 wrote to memory of 2860	1120	Bceibfgj.exe	37
PID 1120 wrote to memory of 2860	1120	Bceibfgj.exe	37
PID 1120 wrote to memory of 2860	1120	Bceibfgj.exe	37
PID 1120 wrote to memory of 2860	1120	Bceibfgj.exe	37
PID 2860 wrote to memory of 2916	2860	Bjpaop32.exe	38
PID 2860 wrote to memory of 2916	2860	Bjpaop32.exe	38
PID 2860 wrote to memory of 2916	2860	Bjpaop32.exe	38
PID 2860 wrote to memory of 2916	2860	Bjpaop32.exe	38
PID 2916 wrote to memory of 800	2916	Bchfhfeh.exe	39
PID 2916 wrote to memory of 800	2916	Bchfhfeh.exe	39
PID 2916 wrote to memory of 800	2916	Bchfhfeh.exe	39
PID 2916 wrote to memory of 800	2916	Bchfhfeh.exe	39
PID 800 wrote to memory of 1000	800	Bgcbhd32.exe	40
PID 800 wrote to memory of 1000	800	Bgcbhd32.exe	40
PID 800 wrote to memory of 1000	800	Bgcbhd32.exe	40
PID 800 wrote to memory of 1000	800	Bgcbhd32.exe	40
PID 1000 wrote to memory of 780	1000	Bmpkqklh.exe	41
PID 1000 wrote to memory of 780	1000	Bmpkqklh.exe	41
PID 1000 wrote to memory of 780	1000	Bmpkqklh.exe	41
PID 1000 wrote to memory of 780	1000	Bmpkqklh.exe	41
PID 780 wrote to memory of 1996	780	Boogmgkl.exe	42
PID 780 wrote to memory of 1996	780	Boogmgkl.exe	42
PID 780 wrote to memory of 1996	780	Boogmgkl.exe	42
PID 780 wrote to memory of 1996	780	Boogmgkl.exe	42
PID 1996 wrote to memory of 1500	1996	Bjdkjpkb.exe	43
PID 1996 wrote to memory of 1500	1996	Bjdkjpkb.exe	43
PID 1996 wrote to memory of 1500	1996	Bjdkjpkb.exe	43
PID 1996 wrote to memory of 1500	1996	Bjdkjpkb.exe	43
PID 1500 wrote to memory of 3020	1500	Bmbgfkje.exe	44
PID 1500 wrote to memory of 3020	1500	Bmbgfkje.exe	44
PID 1500 wrote to memory of 3020	1500	Bmbgfkje.exe	44
PID 1500 wrote to memory of 3020	1500	Bmbgfkje.exe	44
PID 3020 wrote to memory of 844	3020	Cbppnbhm.exe	45
PID 3020 wrote to memory of 844	3020	Cbppnbhm.exe	45
PID 3020 wrote to memory of 844	3020	Cbppnbhm.exe	45
PID 3020 wrote to memory of 844	3020	Cbppnbhm.exe	45
PID 844 wrote to memory of 416	844	Ciihklpj.exe	46
PID 844 wrote to memory of 416	844	Ciihklpj.exe	46
PID 844 wrote to memory of 416	844	Ciihklpj.exe	46
PID 844 wrote to memory of 416	844	Ciihklpj.exe	46

C:\Users\Admin\AppData\Local\Temp\de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe
"C:\Users\Admin\AppData\Local\Temp\de9c2479d1664c6c6496203969aa27cccb0b3eeb0f7565181e3e524ebca00d32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\Abpcooea.exe
  C:\Windows\system32\Abpcooea.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\Bjkhdacm.exe
    C:\Windows\system32\Bjkhdacm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\Bbbpenco.exe
      C:\Windows\system32\Bbbpenco.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 144
        34⤵
        Program crash
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcooea.exe

Filesize
94KB

MD5
6aeb1236fe1b721c76986d6cacfd34d7

SHA1
ede82f9f76f34fb3efe7e56e11ef9b242aa1ce93

SHA256
9d6438b8fb7e0a5eab87c79edd1d28b4e22220bf20f5b9a11b1b2c5a2b6f0486

SHA512
ae9de72dd4539e1b6bcaae2174758a860710558625839846ca123a3a88c8eb5e94a3746411771c0c7dd5238ee9ba8f9582785b49507cc3cd9fd0948c748ea187

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
94KB

MD5
4e1b1e1c10c4289336cc4094d1368663

SHA1
0be8cacac8672e883eece8ff9eb39a8c576c4831

SHA256
aad5d0947463a38742cf6b3055420189cec3f4cfcfc885603a52f8471e2dc760

SHA512
2378a6441b71c54d4b15433ba05b2437408a3d3ca84d9d27f43b0978ea3f7bf358d8252eadda074b8e56f133776f9bfb3d29754b9ee4c2608dac7a5afbb49a51

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
94KB

MD5
9b920391a4da318b71e9cb7ad0845974

SHA1
060c665e7957494f566f732fca6de810c6f5080a

SHA256
ba667a241149016a80722be7974f2dfcc308e75dbb251ea03cd9705b30a1b91c

SHA512
2bcd32bff98e67ffbe3a4f22f5503836a6af2b25eae7fc7eab031cd937a5fc3af85d8852cc99a55f2e24a783992fc0a7ceeb7ece406ead4868f2a8b43aaa419e

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
94KB

MD5
4d9c9b4e96cf8316e37b14119cc69d04

SHA1
bb0417f22a8df9cce3f4664520739ebc5c789819

SHA256
9611a6540d7f9cf1613de32c7837c76b4b5ff061903ddd5d5763f8ce16b31542

SHA512
0353a302b242e33a8768bfd57dc7d14e4661e5bfbc0d31eb235b20d1a46aa18db8a0179e41eca54427d10558026037974327ab7784ab29da100156e384796f58

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
94KB

MD5
67a6031d0c447d52829dbec792555bdb

SHA1
d4a55762d392904271c4434414a93b68373a8bd7

SHA256
ce694214e604790a45001953ea1dc97efbe411356caaf18e943fcf6bcf2e17d9

SHA512
174136b4fa4bd81eec46f13cc586d39d9fd5e519244ed899f99226d293d6b7aa57157c14d651c5bd6d2f8d03c75cda2d9a41c035b5504ef205b32c42a187d632

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
94KB

MD5
da4af9e7ada0bb45b9c0df5d67c515cc

SHA1
76027ee498f4668a534e69c28ab1705402dd5aab

SHA256
8cbb8e02d2e02ac371c0255cb9bf1b6302e80f97042b3e3b7db4c5774c76e738

SHA512
fae485390653cddfb6e0fd85f0154c2b426c98c26980fc7290b2db14ae73af40936f6df8e3b93aa4369b3065b9e41b22433e26af537c87d379e1351a005d52b1

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
94KB

MD5
bcb8fb4505a6a9e5990fbbdea65e508e

SHA1
611c4ba7b54840802ab5aa2070b8f65eee629bf8

SHA256
794228c06196fd71b97a4401768060af812e93861f3c0c4cf6ff3c9022f79bc9

SHA512
11875b5be58df572a5d668bcf275b066ee5a7f69862c94a49604b89af37ab40a163efbf231400ff3bd5234452ff398965b3131db57d25b7b850aa3121be2074c

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
94KB

MD5
9ffcd760fb4234383378c7d40885f855

SHA1
06ddc9ddb0097bee8b9c7fcbc4f6258e9250c33d

SHA256
82c3142c0eeb7946e5ab14ec3a643b9e7e420ac9263f8fe89a3d85747dbfefb1

SHA512
d522aa2d2bdd4e778c4f15a55a6ca4ba1eb5cb801d5e6d682332f59de9788ea247cbd954ed5d4625a8f1f1b5eb5531c92b0bb5fdd3a73c710d596517fc05e2cd

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
94KB

MD5
1ac5400739c2d488497c1bab7006e948

SHA1
df4f9321ba5f3124d27f61a954b0f1b83c49944e

SHA256
217650759f5eb878f36040bb87be213eabdee8c61ac4774625b9c583c4c386e1

SHA512
834217fb012b04bb08232d21b2d923d5ccf5d62d408f81e4c23db3324d7a19a47c30e04f526abdecae2405b2c9caf8404359a160fd8e4c7a224d90b35b22931c

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
94KB

MD5
61ec250a269b5302b5a0761da67e96b8

SHA1
afc94d9881f31efcfae60de83d2b470a3f76ab5f

SHA256
059acf900edb7bb2237e09610f4b8aaeeb26dec60e7f83b119d5ddc044ae0b59

SHA512
26fd3d0ab4cc2e661e7a5d03289ed978f929a9280be747137d47f2a7d064c3ce5cf1c8242ebcbca6aa5d9b3678c6ede42f5e895f521e28ae76af5e3671d00b74

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
94KB

MD5
7d161af45d69e7e80670e20cfffffcbe

SHA1
6b51be7f5bbc4e8f559ff8bf336e3932d23b3d48

SHA256
86e6acb4924b3b1d256d475c3b940fc1c9af5989d36d92a3ec04c4f8b0c89d63

SHA512
eb2c8dd2b2fee52b250b7a186eaf1fc5abbf3aeae01b06e70b2ea980d3e6dfd0220316c14e3ab762bd3db1378078b5937e9cd25042eea29927a34cdd1b313d64

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
94KB

MD5
ecdd425bef77258da9f9a8416a81773a

SHA1
5a5ae090265f083097b6447a1c8cfa111a22bc85

SHA256
a7d4f84aaaed49c1619b61e2b9918c9d20ca6d3a9411882690afb1c951c372e5

SHA512
df7d847f49b8ad1243650075fbabf9eb6e4995e9f339c24fe75c866a289d9bd254d12f721b4634c18657a1c9efd29f4b6f4a5942eac1df321748a0cd1d51df1a

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
94KB

MD5
02eae20ea44a8c3fab326c3b3afc6e58

SHA1
93dad001fda110d857a74254d57ed7f14f596ca6

SHA256
5d44accd69b40bf7d4291ee4946b55aee6942fe1222a15293308176bb10d4aac

SHA512
913e6dea1318d70e078d7ff19b8b237f98e4f0eb35cce43e012ae9bb0b2649250caeb5d1ee37bd51b8ede7416f8deaf0139863f27d447f720b994828cec70cc5

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
94KB

MD5
120ea007b691db736d634270264d3329

SHA1
d1c0d951e881f8fe97e54afb2d84bbed4354aa09

SHA256
37a05566466dce16327648634fa902468f6af0749850dc8424c0fa82562a7ab5

SHA512
c84e9fe9f13166e1c29bc88270a41da005e03faad5fbaffd5dfd485e1cc20b275f19698dc0a9f887ff2e94c113995d2f53ebc946d9881a92a3440d6f06f8d8c4

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
94KB

MD5
983ff8aea2e62ad1e7c07b859571e33c

SHA1
3d4e7ed3c0e10646d42d3f72b9dd07d35ca06db8

SHA256
194841b5cd447f68c1fb226d2e091a062c66de33fbc05d08b53eb01c834d8b50

SHA512
25c0e1b4b794493ed27a4658e8df1af43badc28238ceacc37e7312a323d042a1cda7a4bee7b1246aff670dfd5a7a5e26f7d407de1325ce79270dc310cbc3d299

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
94KB

MD5
19add736adb59667f2e39dd1f4f5672f

SHA1
01a610efff82209adaad7249fff9cd2a8ca5c52e

SHA256
c86e7a451acdee7d031fcc6ded3a9d84040b8540d602676711cb61248d7bd51b

SHA512
af9a53782e32b5770a22952918888da5a1b9fc7ceaea0163af0071e7b0653b9fe86f56c6fb43b5a932a8cb83e70814df64d8f845df252faf682fec77bb47e9bc

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
94KB

MD5
25ec3d037d1e1a86489500b68c52e3cb

SHA1
1f705cc3ab770c8a01d4786977954ab659ef4ae1

SHA256
490b119bc1ca29818b4a70d80a91bf7efc5eff79a6e868524eb81232bf95c0d0

SHA512
4a6757c22f1d423c48e4181a7c346d7a3ca6e8099d4181729aebdcc07057af9ba88f129fe806708dfc271af206826abc8c2a450ee4bd213fdc53a5d933a4be22

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
94KB

MD5
cf198a311ec163b36e43a59292021ee9

SHA1
9f55b53db46a4c445a9085fd67eb204aa70d3de5

SHA256
df1946c54386fd30a626edf75b9686c95e6ac51805d78dd10510d287c4a45399

SHA512
967b3b9c6946286eb510d4ee3027790bf73ee9edf4640b413b8b0074a3b3f92a2c31918e3d70c24d80fc7056b446557d0960581a6ed70e1462daff527b8282bb

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
94KB

MD5
3913e9992f27b9537e5a163a3ec97767

SHA1
8c8cc64219fe5e44df467977cffa68d37f5ee371

SHA256
582a6c7ad1ff9a52c16018f7c3f2251a5b4ab4ff7b562fd4eb58880373351b90

SHA512
700ba02d8fb43b81c1e6f562aca947685fa26741dc6a365de9a242d4203a9794c09bd2a25e037b2c8e552c7203e1c98f34ddcf4514460836cd8dc58a9d20050f

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
94KB

MD5
32f2721809bccb5de0902cc9e3b130db

SHA1
81319338015d9df2792e97a1ea0c03ba3024cc66

SHA256
435f9837987e9bb4da0cac816412476d02741bb4af198d81ef38999b6d54b991

SHA512
0913505b74c39030dc2282572a3b166a8f3318503337aa29094c9ba060e602f20359daa52fd467345c4c830246956ca062fa80f7a748257c774d6672c1cbe191

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
94KB

MD5
fbe2988dcb4c95de1471e57fef3d9bf6

SHA1
94a0c2ee4e2eae55c838df51047f27c7e65ba413

SHA256
445c2c3918039f95c2c78055454df4a1032415a0a6d82e76c7c5335255d556bc

SHA512
297dfa997fd315eb33017305c398549c28f76103e324af74881ee3574c6183d74ceddb5d50adaa98e22e4325cabe39cbf8d33485836975b18971d28b5b4afc35

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
94KB

MD5
d14edba48a35815c37f3aeac4c5e45cf

SHA1
fb2c7deae498cac33892c270dc38b246cd05a821

SHA256
7e90e1bf40ef984e8e665f38168b2bbe900893a0a0f3133079a678ffd7cf91f6

SHA512
c38a80cbf168c7394af32180be9e0f077d64e0a75c7e07736de3608fb6c076d65522c4a86cd27af25452ce755a9a1b182412e237c8ccdb8ef91e875b8822c83d

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
94KB

MD5
b0ec4ea484a80839f33a254df8fba008

SHA1
2289ec53e7fe7f453a3a597b913e4c92504adbca

SHA256
32a2aee300174f1d93a9e538ce28c33b2944df7254de8ddb21096058e6748e5e

SHA512
35f78138172e79a8c4cc1860e94f6143b88ac4c509959c567ba7a162b91cf347a30904548b420432e0aaeb81a2bcf70e29effd717f1bacdeb250e40d4ae98ee6

Download Submit
\Windows\SysWOW64\Bjkhdacm.exe

Filesize
94KB

MD5
b0aefebeaacbba120b73f429aeea1b10

SHA1
ac17f679361935bc67622d2fffff86b05ab2b14b

SHA256
2617eeed85a78849adf8cda0d7551032d264172148dc310d31ebec1428a0c140

SHA512
cbdfebc4d7e84d65cdc7c2e263b8e53f9a339bb58eb06c86c690c514052f2e28f043c424411face41efead7632e2ff4aebcfb746defb2a0ed27d22cdb8f794f4

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
94KB

MD5
6d9ad6ec685b93649fdc18b9e6f4c7a8

SHA1
0e1f2fd69fe47221e2f7aa1536a834a7b13ee0d8

SHA256
77010c299899be3cff6dfcf0d670e3c5d946530a4a4757c2b48b56934b022dae

SHA512
ff9aefe1f05c5948b2692f93e0f1c0fbaa3b313c9d5659acb656153913a44d62f06274f3bfc1872408f8660b8c6de7c82f2c95f5c7aa275ff8cb01494dc871e3

Download Submit
\Windows\SysWOW64\Bkjdndjo.exe

Filesize
94KB

MD5
afbb7570f4bc418f85318b9823b3ee51

SHA1
e938d21e2f04d8217e6f62f032a2cb07cbf4963c

SHA256
54afa8e34094480091de01ced2530386da0df98a2d7d89a5b5359aae6f25e677

SHA512
9399ea8838844f3becb182f2884df12097cdfd5bc1c3a2a465798e834f89edd0a54e22e3e8addda2f845efac60ce00f94a20534770343cdd299b1d1d8602b617

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
94KB

MD5
0303228b7662637efe70dda39f2ff9ba

SHA1
9d3cbf18a03cc381c50de90f289c25d2afe853e8

SHA256
1d623945b2eef49c4e74f8328c56ff5deef617e621bef48d488f4d8f8ff31ba0

SHA512
eb9e53d2521ec2afa07dca58fb0c8a82d3450885bf9e8620923a50e1380444834d355c3a7aeb814954481cf0478c95d461401be5377fcb665b12ac5696237e20

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
94KB

MD5
021c729501066ae60ece982c5c441a66

SHA1
8d19f3f9d029fe6830cf9257c43d120ab5012053

SHA256
02435ab58ac7e99b63a59933bfc170282742ff89cafe526a8c34c1d6862edad3

SHA512
21a47b74c227a69930e8ef7feee0bf455345c5557c52df779a64e6ecd5b946eadbfccf091b22091f1a18e5be0cd191ea7a8db1ff53345c9162397e502e260c36

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
94KB

MD5
4345e7e305f189adb3032d87cb987162

SHA1
7d05ad415b636a2b7a3abef54ac45724c3345ba3

SHA256
a7449c143ad3f7e8bd3579c706c81b3dca33d48f88990a711f28ecc1c01ea097

SHA512
43f0354cda885f2b2dea495bbde3f08114a4ed65fdc2be259cc0252c8d406c0619e96483a6aaa400ee3e4410b26e415760f49980ae966cd9415976200029f1d8

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
94KB

MD5
2e9afb5f92265ffad7c46765b322fa7b

SHA1
60afa7049d5ee9606b53443b4e26f12c92f88bab

SHA256
b745d2c6162410a63335bca8bf1981ec8a9c910b080419a44475b3e3df4adf41

SHA512
b00dc0b445ab039d9857d7ddcc7ff8133f40b0f8bd6c7b0dea3c5c6b186da78b706dd79e4f9ade32404be5d39ab7c11d10fd44b84bb1b07216c1e3e5c78cffe6

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
94KB

MD5
47d3e75e7468ffb8352196044b621774

SHA1
16a6bbea245bb8b9403501c7a095073491fa31b2

SHA256
d6ea9435b459ec53e7a39fadacc59937b0e38c6dd09ea019f8013210dff6d0bd

SHA512
bd79ed30f3c65693e04ab1d9fed924ada4d657a53abfb9652a753040654c2f4cdbc773509d60621e192d50dcf95f6c3ee6fd727e46387e30b6e95ba2ec992d39

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
94KB

MD5
63e4ba704740e3ea8d56e52ed15cc9ac

SHA1
6c34e7fa35f9720e95749236c4ec9a3b7c1ca667

SHA256
def63154814eb79220baf406375111dd51afab2f1701dd8c387464fcc1629d13

SHA512
ea4a091988a2321754ab27275eb60436e9665f0cb8b2e88ae6e3c5901e304dcfeb7f3a74c92d4bb6eba0cfb02bc5e5b19b6bf75ec81faae973b34bc83bda5c6a

Download Submit
memory/316-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-155-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/800-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-130-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/844-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-95-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1220-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-187-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1652-296-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1652-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-301-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1676-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-175-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1996-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-368-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2072-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-366-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2108-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-270-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2164-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2164-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-385-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2164-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-290-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2356-285-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2372-240-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2372-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-345-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2576-346-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2600-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-50-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2608-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-41-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2668-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-360-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2684-352-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2684-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-312-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2788-311-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2788-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-333-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2800-334-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2836-323-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2836-322-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2836-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-376-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2856-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-12-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3040-13-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3040-378-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3040-379-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3040-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads