berbew | 1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17

Analysis

max time kernel
85s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
Size

60KB
MD5

36fda59c1ca7c001a19dd92972ac2a08
SHA1

27813922447bc07ddfa955e878b38acb5f086294
SHA256

1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17
SHA512

369a86897973497cf185472319934948783972cedc654c8b01f1ab368b09164b8552f04f7a8124653a31afc8d2bae90c375d7cc5d3be001ac8b1c0235925082d
SSDEEP

1536:Djzny6OM+sVvbIP6mZvy/JTnP02sEXtbQ/5JAB86l1rU:TxWP6J3URJAB86l1rU

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
2052	Adlcfjgh.exe
2880	Aoagccfn.exe
2776	Andgop32.exe
2680	Adnpkjde.exe
2584	Bnfddp32.exe
2668	Bdqlajbb.exe
2968	Bjmeiq32.exe
1604	Bmlael32.exe
304	Bgaebe32.exe
1684	Bnknoogp.exe
992	Bchfhfeh.exe
1688	Bieopm32.exe
2732	Boogmgkl.exe
2200	Bbmcibjp.exe
448	Bkegah32.exe
2436	Cfkloq32.exe
1040	Cmedlk32.exe
836	Cnfqccna.exe
720	Cfmhdpnc.exe
2540	Cileqlmg.exe
1972	Cbdiia32.exe
2108	Cebeem32.exe
2460	Ckmnbg32.exe
2236	Cnkjnb32.exe
2080	Caifjn32.exe
2788	Cgcnghpl.exe
2360	Cnmfdb32.exe
2356	Cegoqlof.exe
2720	Cgfkmgnj.exe
2600	Dmbcen32.exe
2156	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2280	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
2280	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
2052	Adlcfjgh.exe
2052	Adlcfjgh.exe
2880	Aoagccfn.exe
2880	Aoagccfn.exe
2776	Andgop32.exe
2776	Andgop32.exe
2680	Adnpkjde.exe
2680	Adnpkjde.exe
2584	Bnfddp32.exe
2584	Bnfddp32.exe
2668	Bdqlajbb.exe
2668	Bdqlajbb.exe
2968	Bjmeiq32.exe
2968	Bjmeiq32.exe
1604	Bmlael32.exe
1604	Bmlael32.exe
304	Bgaebe32.exe
304	Bgaebe32.exe
1684	Bnknoogp.exe
1684	Bnknoogp.exe
992	Bchfhfeh.exe
992	Bchfhfeh.exe
1688	Bieopm32.exe
1688	Bieopm32.exe
2732	Boogmgkl.exe
2732	Boogmgkl.exe
2200	Bbmcibjp.exe
2200	Bbmcibjp.exe
448	Bkegah32.exe
448	Bkegah32.exe
2436	Cfkloq32.exe
2436	Cfkloq32.exe
1040	Cmedlk32.exe
1040	Cmedlk32.exe
836	Cnfqccna.exe
836	Cnfqccna.exe
720	Cfmhdpnc.exe
720	Cfmhdpnc.exe
2540	Cileqlmg.exe
2540	Cileqlmg.exe
1972	Cbdiia32.exe
1972	Cbdiia32.exe
2108	Cebeem32.exe
2108	Cebeem32.exe
2460	Ckmnbg32.exe
2460	Ckmnbg32.exe
2236	Cnkjnb32.exe
2236	Cnkjnb32.exe
2080	Caifjn32.exe
2080	Caifjn32.exe
2788	Cgcnghpl.exe
2788	Cgcnghpl.exe
2360	Cnmfdb32.exe
2360	Cnmfdb32.exe
2356	Cegoqlof.exe
2356	Cegoqlof.exe
2720	Cgfkmgnj.exe
2720	Cgfkmgnj.exe
2600	Dmbcen32.exe
2600	Dmbcen32.exe
1728	WerFault.exe
1728	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Andgop32.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dqaegjop.dll	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1728	2156	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andgop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2052	2280	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe	31
PID 2280 wrote to memory of 2052	2280	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe	31
PID 2280 wrote to memory of 2052	2280	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe	31
PID 2280 wrote to memory of 2052	2280	1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe	31
PID 2052 wrote to memory of 2880	2052	Adlcfjgh.exe	32
PID 2052 wrote to memory of 2880	2052	Adlcfjgh.exe	32
PID 2052 wrote to memory of 2880	2052	Adlcfjgh.exe	32
PID 2052 wrote to memory of 2880	2052	Adlcfjgh.exe	32
PID 2880 wrote to memory of 2776	2880	Aoagccfn.exe	33
PID 2880 wrote to memory of 2776	2880	Aoagccfn.exe	33
PID 2880 wrote to memory of 2776	2880	Aoagccfn.exe	33
PID 2880 wrote to memory of 2776	2880	Aoagccfn.exe	33
PID 2776 wrote to memory of 2680	2776	Andgop32.exe	34
PID 2776 wrote to memory of 2680	2776	Andgop32.exe	34
PID 2776 wrote to memory of 2680	2776	Andgop32.exe	34
PID 2776 wrote to memory of 2680	2776	Andgop32.exe	34
PID 2680 wrote to memory of 2584	2680	Adnpkjde.exe	35
PID 2680 wrote to memory of 2584	2680	Adnpkjde.exe	35
PID 2680 wrote to memory of 2584	2680	Adnpkjde.exe	35
PID 2680 wrote to memory of 2584	2680	Adnpkjde.exe	35
PID 2584 wrote to memory of 2668	2584	Bnfddp32.exe	36
PID 2584 wrote to memory of 2668	2584	Bnfddp32.exe	36
PID 2584 wrote to memory of 2668	2584	Bnfddp32.exe	36
PID 2584 wrote to memory of 2668	2584	Bnfddp32.exe	36
PID 2668 wrote to memory of 2968	2668	Bdqlajbb.exe	37
PID 2668 wrote to memory of 2968	2668	Bdqlajbb.exe	37
PID 2668 wrote to memory of 2968	2668	Bdqlajbb.exe	37
PID 2668 wrote to memory of 2968	2668	Bdqlajbb.exe	37
PID 2968 wrote to memory of 1604	2968	Bjmeiq32.exe	38
PID 2968 wrote to memory of 1604	2968	Bjmeiq32.exe	38
PID 2968 wrote to memory of 1604	2968	Bjmeiq32.exe	38
PID 2968 wrote to memory of 1604	2968	Bjmeiq32.exe	38
PID 1604 wrote to memory of 304	1604	Bmlael32.exe	39
PID 1604 wrote to memory of 304	1604	Bmlael32.exe	39
PID 1604 wrote to memory of 304	1604	Bmlael32.exe	39
PID 1604 wrote to memory of 304	1604	Bmlael32.exe	39
PID 304 wrote to memory of 1684	304	Bgaebe32.exe	40
PID 304 wrote to memory of 1684	304	Bgaebe32.exe	40
PID 304 wrote to memory of 1684	304	Bgaebe32.exe	40
PID 304 wrote to memory of 1684	304	Bgaebe32.exe	40
PID 1684 wrote to memory of 992	1684	Bnknoogp.exe	41
PID 1684 wrote to memory of 992	1684	Bnknoogp.exe	41
PID 1684 wrote to memory of 992	1684	Bnknoogp.exe	41
PID 1684 wrote to memory of 992	1684	Bnknoogp.exe	41
PID 992 wrote to memory of 1688	992	Bchfhfeh.exe	42
PID 992 wrote to memory of 1688	992	Bchfhfeh.exe	42
PID 992 wrote to memory of 1688	992	Bchfhfeh.exe	42
PID 992 wrote to memory of 1688	992	Bchfhfeh.exe	42
PID 1688 wrote to memory of 2732	1688	Bieopm32.exe	43
PID 1688 wrote to memory of 2732	1688	Bieopm32.exe	43
PID 1688 wrote to memory of 2732	1688	Bieopm32.exe	43
PID 1688 wrote to memory of 2732	1688	Bieopm32.exe	43
PID 2732 wrote to memory of 2200	2732	Boogmgkl.exe	44
PID 2732 wrote to memory of 2200	2732	Boogmgkl.exe	44
PID 2732 wrote to memory of 2200	2732	Boogmgkl.exe	44
PID 2732 wrote to memory of 2200	2732	Boogmgkl.exe	44
PID 2200 wrote to memory of 448	2200	Bbmcibjp.exe	45
PID 2200 wrote to memory of 448	2200	Bbmcibjp.exe	45
PID 2200 wrote to memory of 448	2200	Bbmcibjp.exe	45
PID 2200 wrote to memory of 448	2200	Bbmcibjp.exe	45
PID 448 wrote to memory of 2436	448	Bkegah32.exe	46
PID 448 wrote to memory of 2436	448	Bkegah32.exe	46
PID 448 wrote to memory of 2436	448	Bkegah32.exe	46
PID 448 wrote to memory of 2436	448	Bkegah32.exe	46

C:\Users\Admin\AppData\Local\Temp\1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe
"C:\Users\Admin\AppData\Local\Temp\1ec8ea88a684e54a5c6c6adaf50ea4277c941ad55d4627a6a0efac4d07266c17.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Adlcfjgh.exe
  C:\Windows\system32\Adlcfjgh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\Aoagccfn.exe
    C:\Windows\system32\Aoagccfn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\Andgop32.exe
      C:\Windows\system32\Andgop32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 144
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
60KB

MD5
fda78385f5eae3fc92a9f3617e62dd7f

SHA1
59643bde226841054de662a57fe80b2ca8bd124b

SHA256
88c54dfec2cedc8856c9607a36caea288e0c84cf7742c5535bc69031b0696ffb

SHA512
1d0bfecd88ad0e1efc46a9f5d1b0ce0c3791fe8c1156b7611e3fda5ab3bb3e2bc9b087d4829e424038c4af284564d9f689ada977f692b99320e8d7f7a1011732

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
60KB

MD5
45d75afbdadf6da4f70fe928134702d3

SHA1
2457fd308ff4397bf415f413e52e87f2a9657463

SHA256
d8dbb27578cee5e10743c56e8ccd796ecb8017ea2c067faedda7357bb998813c

SHA512
626f0461b654c9c53b25defba8d003ad5657d6553f867d45723cbcc8143108ce23a57fe3351d6597ff0500ebbb0bbf8c6872ec56b842cbd6b89a0936ab6d2b15

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
60KB

MD5
cb97e76b300963453ca4c11ee2ed714d

SHA1
2f06368eb576d42f1edc233f6971a130d4514bfd

SHA256
db7abb371d15f3d54b53eeacb4de307875095de59cc0714c180200e6e01b8dcc

SHA512
aa875f94f2a5bcdc9f82fd6679f6a056db070428978f541726cb829d98fd1cb3c4a72abc5703249eabdc62707b97b459402fa358422172fd07df6b24d03092cc

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
60KB

MD5
6942cf0758d6a95c22bcb0d944922361

SHA1
0fb2c1362bfadad06259b382d20363511e9fbec1

SHA256
94654562019ec3885248b0fc491a48591123c6afefc6666a0f8e1f4343ba01d2

SHA512
4621e8b03bc407296525fb450df5f90ba804bee7adf5261096668bcf6fe2bb9bfdd4879f8692def96c26326702762e89e56f9b41041ed71bd9abb32883ebe9bd

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
60KB

MD5
fc30be79a2ee6a069ad98c49718280b5

SHA1
8af2785dea1a501b76718c52bee3d8d4626f79a8

SHA256
8bdb5b4291d88b480dbc53801b055c0c428bfbd9672dded52862715d26abf6b4

SHA512
ecb0d8588f6c454e95a9c1eff3645c3e3e1497b517105493ebab1f25741e4c22fe4d556647b612ec55341d41e1fb213c7260eb691e345fe34d733b354e5d6add

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
60KB

MD5
bbeb456728781ff0cbce9f9d17c11fee

SHA1
5f6d8d40250620a81cd6c6a27e61cd11eb793ffd

SHA256
99678367bbce11262ce30bd31845cefa483f73da866f6909cd46f0559605cd27

SHA512
1d7ad8fa37b2696c0b47587c2b0eed39c30866358d8da9c01806d41be68a8fe27930ff48b868ef060c8e2e5e1e6b009c9c50b2b969cc648ef075b1c3a7c27883

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
60KB

MD5
dab7d1fe647cd71f178e68df8fd1d658

SHA1
dbbcd7314479a1f462b96292b062378200b836c6

SHA256
1a2a12d1da1c5a0df7816f44fc11663d2f277c40b54301678bff9335df20f714

SHA512
befd977ff9c3f088c216ea2ba9e08e080780fedd57ac49470f2341a7d0ab736a8bc76b5b91d34c5c76953f7463fed8f59900e0222d75b29708905ad254b6d86f

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
60KB

MD5
22235b7a64a9a9951a11d1d35b249a3c

SHA1
cd2e1b6e5afe7da28eb1657a54ee4adf51069634

SHA256
14300cb9f84c17fb3ec160ebd17923a2e813c42596bb1bfb36c8d619cfdc08f8

SHA512
1ba0433099ab9cef4b5db4f2cdb12974b0b74504e17cc9e7895f98222002fe655c8f9a2c6360550f123d7f6d87aea0f5eaa0d3d9c404dc169c12b358a9dac770

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
60KB

MD5
ed7788e19a8f7d3d31e0911e471a59f7

SHA1
8db5da7c7b872c4727b1475ac66c1d952c8777ab

SHA256
2d1713941d775026dd2f698a88564366d2fb10bf1b25d7750ab8c7edfcf635fb

SHA512
257d09a682857d30f5f485f2d7fa4de22fdbcf7214bf693f19c95144d673b72f0723df1ca59236893ce35bc2156a23866cf0bfc9357b17c024a9bcfdeb7aabaa

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
60KB

MD5
ecd3591c586640849223df754b5702bd

SHA1
b185fc011520fbf8d80ec02c39f394814ee708f0

SHA256
c70c592f0a3a9f342be3cb48a036983a876332f851fb7f3340eebaa51046abca

SHA512
fc1182d43ee19a778cb803e494f0fe196a99f0113392a3068da52cd82ba3de8db582a0fceccd9ee1bb2baacd1aa596fcf453feb51453a6258831acbedf9bc4fb

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
60KB

MD5
bd265727df24de4e6f3fad99d6ccf431

SHA1
6a05a0ca33ab05294e3e565e0b60b747c0acde88

SHA256
75626ec5ee7aef9e05a631a8b182a789ad7ef1a1148b58d0af93866dfeb4eaa5

SHA512
0821b3b30bf7e43bc1a1a8fd997834bb1e7934381f5f64053208778e2a42f4522554b76740936661e3adbe064ff92abcf986c46dc1d73f28891013fb27f77e5f

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
60KB

MD5
32ac900349a667070a444825e083d33b

SHA1
f0d0a1b9f87fdcf94a163a8343df27c42e145123

SHA256
9ad0610f260288715a354ca17757efbc64201728f372b3df86896bdf4ab3aeb2

SHA512
9b0edd0d1475ff3da4223faa5662a6dd7c2eca817ba3b116b0525deaffd219a96be83d04911880f3b70b08f8b8b7cc3b0033410fe30eb1646b741c10eaea70c2

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
60KB

MD5
921ca9294d7f9d157c1204a8772c6cb7

SHA1
51dfa32a973cd06ca8063b2f3729158c9888bd2f

SHA256
138010015b3b32735d427b3943df674fc150380f6cf6cfc1552c75783251ac03

SHA512
fac08135493de053532992477c2124177891ab5699ab44e26da2747cdf4d875c5ae89ed49f2e19904e29b32251963f11c05abd405add936e27873d706c839e7f

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
60KB

MD5
14ba21d70a188ee2fad07be18e94ed86

SHA1
7d2bbe5f8d027cac8650c445a9a238cf67571ec7

SHA256
46ce804b1296df992b674b69ad31a2309216c4e337939d272c2d3f116c3e0c79

SHA512
23c83a1ccc0d5ada04c7d766a96a537850bc9e78bb2376519cd7f5101111f00f4cbbfbb940061a56b1de3890988603a65e16e750fab58fe831511755413cd13c

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
60KB

MD5
0bb672de642bcaca012435710de0962f

SHA1
8e79afd3c1b6db9038203548637e61ff2061ab50

SHA256
76f7954d02acafd48f22f8be9ef7cb31604e6c31b40f2e47801a8ee30315bc7c

SHA512
e823ad3f62fd209214252d9a6b66e8cc68d8e85df25eb3e151bf08458d4490103aad4a9e1ad195ebfb3825f9fa54ce0a7ee3a5f181cb39403ddb218a42b2552f

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
60KB

MD5
7a7c510d2712967bfc0a6b143f364aba

SHA1
daf183869dc876810a762282dd90cd1066a7e203

SHA256
9aa8c89b6f8a1eb070fc37e4bba8e485047d082b2402daa6ea1ed5a03c8f6927

SHA512
d35ab8b349bd5ef4ad4d3f04a50af4b929fcf037d29b0a7437e970f557fa00122afd106f3696bf723b3ff77f0fc353fb48da30eeca9801607277e5a4a006e337

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
60KB

MD5
e96ea0186f0923fb8277169879928c14

SHA1
17bfd23860ffd536316c8020e68bcb1ea5f35ca4

SHA256
04d2f791787bd0551b0bad2e0e9c39b8ec87c335165d4d3156267836f35b5d75

SHA512
e21603cff226c84b0c5999348df7b9d2bd09e96b10deab31e91ee0d7ecd862f90519fe1d1806c06274faa34ab16f35c788cbced05eddf6e16abd1e560935b055

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
60KB

MD5
c2517305b9bf9be8d2f26f3bb25ada3a

SHA1
84bbf3e1e5d3d10bc59d3b5bd5995c3d16e8e117

SHA256
528130fbf4ffbf905f16adecbd4effa510890b8c1a3ed3bf5ab77dfbf13a3b23

SHA512
e6514e023d136c290646271d50a33e8f93d8bdbd7cc6934f44efe3850553ea54e0b63faf7e3d9a7c1e759715e45bb5b01fb9f9938384b66af9af49f89858e74a

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
60KB

MD5
dcba999f6ca8f49803080db3f4ceda11

SHA1
68d592342856688e1145c63969b77b5f34efc9f7

SHA256
89de2f3c33419df62f3410db60d1aa7c2c120513907e441397054af3d2bf8702

SHA512
e23429271116203cd10e20284020eef96c43f50ca9d93eadf0a5c4b1493f10c1af5703152af053a9a218624d04f56135ea01baac2def290e00b433dc41e203a8

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
60KB

MD5
d56e5a202eefaad0764c789532dbe8a3

SHA1
554fab5c60e4fdca1211263e809e4e6144fa39f1

SHA256
0b38bf27c79c7d9fb8f5fdfaa3337199aeb894befa80ee573d01e10a9447add0

SHA512
139d588dac9839372f956cdfbce1e1d8c1bcea3614f8d338618f57e3c7545396180816db98e8768e9971871f8e8549a191ab503f9e391f8f075685eb4694d630

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
60KB

MD5
10a347165c4daee2ff2a5fe2db222b08

SHA1
1df994be4f0908271e814e21d5e416c34486923e

SHA256
3f6e4a6fa750c793513f6ac4e19b8d4f1bb8a4703500034a1eb6a11e2232c9c3

SHA512
530d1b6fc816a7a0d3225597802a53972d682de197c803e10023195be94b9213c3793e2cdbaa18d0c3525adec336b00741a054e872a1efb13189789060ff8e57

Download Submit
\Windows\SysWOW64\Adlcfjgh.exe

Filesize
60KB

MD5
ea189d25458d1320dc638db7a926cb25

SHA1
f146039f7fe11bd9b5b1e7e9558717e242d0c200

SHA256
8969bbac72f57b10277df2e1b7c2b9eecd4b873cf825b39f2fd2ce836bebd642

SHA512
1ce5d578be850694bf5d5efe66a4c631de346fc268205aca31e8861948a0d11ebbc75d87fd3f7e4a87c0fd238b360fa5548428cfe40dbfbaeb3a8e7bafa958d5

Download Submit
\Windows\SysWOW64\Andgop32.exe

Filesize
60KB

MD5
f564aaedfbd354acb98bceb9737cf522

SHA1
6670516455b6f5b7fa62058750661af8a987245a

SHA256
7353a6ca75876c548d284023642380261911370c625238062f8805701a46d076

SHA512
7a63c86fd037a1599eb96d0ca459b5711b2a69b98ceac422f5a7a70b2b3236c56d588e84026eda303460d3c2fc0227c8139bb3831161202a384341db1f8f7023

Download Submit
\Windows\SysWOW64\Aoagccfn.exe

Filesize
60KB

MD5
ba84c154dd2ca86c6476aca21af43744

SHA1
9c042ec5ffc1d78df36fa69878a1c4715e3b5f6c

SHA256
eea195e437c0d8a26632b4df7dd1f4d4389884acb10e1f1cda0a93d05e0a5b7d

SHA512
1d41ed7d0d71f57b8624a29fc6cb04fb9f4f4543e68f1947445fd36f70727532b9ce43c47692a1f2d3613e749b0007354b5d0976e1a99d5e2ea0c8bf5ae9c165

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
60KB

MD5
c753211d96f48d3dce6cc8d6505d716e

SHA1
2eed3df6a83fa0adee6601e7351b822cf8990afb

SHA256
efbc6cdee8d109ba602065f83775b98156ac4ff78b674439b5e867a8fec0b878

SHA512
7f1b38247fe8926d89a7dca7e1fafb9bee8f7fed37aba0306942e2cfb26ba3d9570c7548c5c9416d5bdf7d7e4ed66ed84894fac1d7b2a6ed06c5f19cbf6f6f9a

Download Submit
\Windows\SysWOW64\Bgaebe32.exe

Filesize
60KB

MD5
418d534394d2833de53c2031c80e1022

SHA1
74cd56911b939ee7ca98b3d1aa40ced426668295

SHA256
cf13912779d81c15d4f74fb3396ddcb2ad44ac6ecb9209d48ffc4ccec28f04fa

SHA512
cd4e47efd8ae6c3a5387be085165e9d8b6c8149e18e15da5ce3d921b0ce1f3519078a32e6f60c3f275701f5092c08f3f0d79e411ff8beb2491408ca0a816cb8a

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
60KB

MD5
ffbc85c7cd2bc959a5e16d90f77600f8

SHA1
df20fa7a05644d36381b154916bdee0d84deba7f

SHA256
72a03c576555a410b0d895aa472cc3cba513be7161f4f44a335ea5606e4ad4e7

SHA512
6c48f96043ac952961944479ba705862db83ee6331f6297450c2238e82b69241b62dd33346e3ac0bbcd65cb962da8767702cdbfa70b25765b2c6f66ef7e9062b

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
60KB

MD5
d271bc959402a963b7aea7f5745ad9e8

SHA1
71f65786c71c4644e826fdaf2dfdeae08d7b646d

SHA256
df6d48503ffc21715b4d13e35e96dc91b94a363a2cc1529f772a6132478e295d

SHA512
950f7d4782f404ab0a4f9484bbc733898a98ebec124f6d596a365e60e6e688a84a772304004c412d81b0ca893b51204ea027c136a1b0ec75d59e5444430ac9d7

Download Submit
\Windows\SysWOW64\Bnfddp32.exe

Filesize
60KB

MD5
08ef55166a2156876d619943cb8fb600

SHA1
c7d5cff3af5c690543a768350572f89e1efbcf1c

SHA256
938ac14b6ec877a90e0ab1e299fa899c14d89c634c43957cb76cd8c62bd5af22

SHA512
f9121f8de61f8b59ea201ee2f4c02aa0e778154da0d9bc2994d5a477a492d23f8d4d1a80686183a44f200031d3260d5d56c373aef0e5809a14e4568f438814ca

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
60KB

MD5
61a9f7bae365cbc30694742a30535520

SHA1
6cb02e85c16449e1d2a6ae01bee76c45f236cefe

SHA256
ba98385a592439d29cd685ad6905c80691156a6f308af25bbb1a064efbac8424

SHA512
9171a7e7c58857b36e4e5d826e162aece80e109183c70156e2e049d23257eee3b13779d7367f361b5718d37396c2b7a44585b167d6bdbe6bd6c1937d80a59e7b

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
60KB

MD5
b70fdfd18d40ffe95c6fcc7d304437c7

SHA1
baaad7d6aec2182f87134192920035a3d4fb691f

SHA256
3ac1ab2beb21980e58d7e526447de33a0456795b70d12b499874712031aade8a

SHA512
98ccf34e442f9dd1677c7a7fb3c0c8fbcafbbde62f82fba8767c2908785251591977a3c1260da2f7ed1f8905dddfc4fbffe0f79fe4d324347d297f43af946a8c

Download Submit
memory/304-432-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/304-137-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/304-184-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/448-228-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/448-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/448-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/720-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/720-273-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/720-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/836-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/836-295-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/836-259-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/992-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/992-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-286-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1040-249-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1040-439-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-243-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1604-170-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1604-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1604-119-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1604-110-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-201-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1684-148-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1684-155-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1688-179-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1688-186-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1688-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-438-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2052-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2052-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2080-325-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2080-334-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2080-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2156-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2156-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2200-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2200-210-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2236-324-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2236-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2280-7-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2280-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2280-53-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2280-12-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2356-362-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2356-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2356-402-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2356-389-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2360-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2360-429-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-242-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2436-230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-275-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2436-274-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2436-241-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2436-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-346-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2460-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2540-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2540-282-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2540-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-74-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-382-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2600-393-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2668-139-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2668-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2668-90-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2668-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-117-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2680-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-109-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2680-63-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2720-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-366-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-199-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2776-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-342-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2788-433-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-375-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2880-39-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2880-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-153-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2968-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads