berbew | d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
Size

96KB
MD5

2b3f216fa5125cc22511beeaef1b2fbd
SHA1

f14064ae8e0c02c8ad856a1b68dc762450ff4443
SHA256

d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f
SHA512

589ff7e6e6ce193e60bd1b47a6f3049ffb6b46d6869c3ad5d1de7bb25261d03e9f26a73d3b420084e347d9169fb75e9c9db27bff589afc601ad0f0e7a919e29e
SSDEEP

1536:cjEnxV9RiJmJXdh+UEjgf9w52L27RZObZUUWaegPYA2:RFFJXTejgfmy2ClUUWae1

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 42 IoCs

pid	Process
228	Aepefb32.exe
3700	Bfabnjjp.exe
4124	Bmkjkd32.exe
2984	Bebblb32.exe
3772	Bcebhoii.exe
2704	Bnkgeg32.exe
1004	Beeoaapl.exe
4332	Bgcknmop.exe
4568	Bjagjhnc.exe
4628	Balpgb32.exe
1992	Bcjlcn32.exe
2120	Bfhhoi32.exe
2892	Banllbdn.exe
3152	Bclhhnca.exe
4308	Bnbmefbg.exe
1824	Belebq32.exe
748	Chjaol32.exe
3576	Cjinkg32.exe
1388	Cmgjgcgo.exe
1192	Cenahpha.exe
4972	Chmndlge.exe
4848	Cjkjpgfi.exe
1660	Cmiflbel.exe
1752	Ceqnmpfo.exe
2992	Cfbkeh32.exe
4224	Cmlcbbcj.exe
4004	Ceckcp32.exe
5004	Chagok32.exe
1260	Ceehho32.exe
4496	Chcddk32.exe
1148	Cnnlaehj.exe
876	Dhfajjoj.exe
4764	Djdmffnn.exe
4452	Dejacond.exe
5072	Dobfld32.exe
4988	Delnin32.exe
4800	Daconoae.exe
1828	Ddakjkqi.exe
852	Dogogcpo.exe
1132	Daekdooc.exe
4328	Dgbdlf32.exe
456	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4792	456	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 228	3496	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe	82
PID 3496 wrote to memory of 228	3496	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe	82
PID 3496 wrote to memory of 228	3496	d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe	82
PID 228 wrote to memory of 3700	228	Aepefb32.exe	83
PID 228 wrote to memory of 3700	228	Aepefb32.exe	83
PID 228 wrote to memory of 3700	228	Aepefb32.exe	83
PID 3700 wrote to memory of 4124	3700	Bfabnjjp.exe	84
PID 3700 wrote to memory of 4124	3700	Bfabnjjp.exe	84
PID 3700 wrote to memory of 4124	3700	Bfabnjjp.exe	84
PID 4124 wrote to memory of 2984	4124	Bmkjkd32.exe	85
PID 4124 wrote to memory of 2984	4124	Bmkjkd32.exe	85
PID 4124 wrote to memory of 2984	4124	Bmkjkd32.exe	85
PID 2984 wrote to memory of 3772	2984	Bebblb32.exe	86
PID 2984 wrote to memory of 3772	2984	Bebblb32.exe	86
PID 2984 wrote to memory of 3772	2984	Bebblb32.exe	86
PID 3772 wrote to memory of 2704	3772	Bcebhoii.exe	87
PID 3772 wrote to memory of 2704	3772	Bcebhoii.exe	87
PID 3772 wrote to memory of 2704	3772	Bcebhoii.exe	87
PID 2704 wrote to memory of 1004	2704	Bnkgeg32.exe	88
PID 2704 wrote to memory of 1004	2704	Bnkgeg32.exe	88
PID 2704 wrote to memory of 1004	2704	Bnkgeg32.exe	88
PID 1004 wrote to memory of 4332	1004	Beeoaapl.exe	89
PID 1004 wrote to memory of 4332	1004	Beeoaapl.exe	89
PID 1004 wrote to memory of 4332	1004	Beeoaapl.exe	89
PID 4332 wrote to memory of 4568	4332	Bgcknmop.exe	90
PID 4332 wrote to memory of 4568	4332	Bgcknmop.exe	90
PID 4332 wrote to memory of 4568	4332	Bgcknmop.exe	90
PID 4568 wrote to memory of 4628	4568	Bjagjhnc.exe	91
PID 4568 wrote to memory of 4628	4568	Bjagjhnc.exe	91
PID 4568 wrote to memory of 4628	4568	Bjagjhnc.exe	91
PID 4628 wrote to memory of 1992	4628	Balpgb32.exe	92
PID 4628 wrote to memory of 1992	4628	Balpgb32.exe	92
PID 4628 wrote to memory of 1992	4628	Balpgb32.exe	92
PID 1992 wrote to memory of 2120	1992	Bcjlcn32.exe	93
PID 1992 wrote to memory of 2120	1992	Bcjlcn32.exe	93
PID 1992 wrote to memory of 2120	1992	Bcjlcn32.exe	93
PID 2120 wrote to memory of 2892	2120	Bfhhoi32.exe	94
PID 2120 wrote to memory of 2892	2120	Bfhhoi32.exe	94
PID 2120 wrote to memory of 2892	2120	Bfhhoi32.exe	94
PID 2892 wrote to memory of 3152	2892	Banllbdn.exe	95
PID 2892 wrote to memory of 3152	2892	Banllbdn.exe	95
PID 2892 wrote to memory of 3152	2892	Banllbdn.exe	95
PID 3152 wrote to memory of 4308	3152	Bclhhnca.exe	96
PID 3152 wrote to memory of 4308	3152	Bclhhnca.exe	96
PID 3152 wrote to memory of 4308	3152	Bclhhnca.exe	96
PID 4308 wrote to memory of 1824	4308	Bnbmefbg.exe	97
PID 4308 wrote to memory of 1824	4308	Bnbmefbg.exe	97
PID 4308 wrote to memory of 1824	4308	Bnbmefbg.exe	97
PID 1824 wrote to memory of 748	1824	Belebq32.exe	98
PID 1824 wrote to memory of 748	1824	Belebq32.exe	98
PID 1824 wrote to memory of 748	1824	Belebq32.exe	98
PID 748 wrote to memory of 3576	748	Chjaol32.exe	99
PID 748 wrote to memory of 3576	748	Chjaol32.exe	99
PID 748 wrote to memory of 3576	748	Chjaol32.exe	99
PID 3576 wrote to memory of 1388	3576	Cjinkg32.exe	100
PID 3576 wrote to memory of 1388	3576	Cjinkg32.exe	100
PID 3576 wrote to memory of 1388	3576	Cjinkg32.exe	100
PID 1388 wrote to memory of 1192	1388	Cmgjgcgo.exe	101
PID 1388 wrote to memory of 1192	1388	Cmgjgcgo.exe	101
PID 1388 wrote to memory of 1192	1388	Cmgjgcgo.exe	101
PID 1192 wrote to memory of 4972	1192	Cenahpha.exe	102
PID 1192 wrote to memory of 4972	1192	Cenahpha.exe	102
PID 1192 wrote to memory of 4972	1192	Cenahpha.exe	102
PID 4972 wrote to memory of 4848	4972	Chmndlge.exe	103

C:\Users\Admin\AppData\Local\Temp\d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe
"C:\Users\Admin\AppData\Local\Temp\d028ee87d316beab0e6b200b170eb29c0db39b58e670194f7ff2b0486991054f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Aepefb32.exe
  C:\Windows\system32\Aepefb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\Bfabnjjp.exe
    C:\Windows\system32\Bfabnjjp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\SysWOW64\Bmkjkd32.exe
      C:\Windows\system32\Bmkjkd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 404
        44⤵
        Program crash
        
        PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 456 -ip 456
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
96KB

MD5
e411e1f8e374c4580287738be19299d7

SHA1
3abaf64b7351913eb08d83fac9201caee66e242d

SHA256
f662e58bf9a5453741d09e06cc7a0298b87e5dcf8c1db8c46b504c20900fd214

SHA512
5c90d41e9e490642cf627a54afe2866d7e414910ff878c2387126d4ae9ee3bf986604513ba14530d334c87973cc26167b2f32523f61a5e48fc03a9480a080e2e

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
ed9dfcbee88b86d65d123dd92476c13c

SHA1
788ba5482f171fc8164a257e7444fed8506c10b4

SHA256
d2f7e362c744a4480cb015ed531a28dcb89b457e0d165e31c22c79e205bf793e

SHA512
c24f1e5ce36902e4bb79d423d91fac29a5843a286c0593ddf73e1a61c9d507f415b35bdfda343e5509696357e3ac0d3fd2d9d6be0a0c8c61678952ec23ac644e

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
b0f864cd9235734eb675e4b07f698f0d

SHA1
93b8588e7ebf48379ee40a1e75893bae03c03ba2

SHA256
d2f03edbdad203b0b92f0c73b8c4a3bc70d84378bba4450be8ff7bc70692dd0b

SHA512
6ba58d7021d2015b9e2039a88795308313694f04f1f775127bef86e6f51d66bd605f201c78334188488013f287d2dceded5516e714c0a60b12b33b4cc8d9b966

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
77fc849745b33c9a231f5859b7b8d171

SHA1
fe8181c97cb61798d0d6f9b6111a3120ae3cdd90

SHA256
fc5b9e851287da3ff00537a050e2ca7b65d5f7138945c676826dcdf1a18373aa

SHA512
d7fe8db6789abc6258bae8dc9a1f9b51e5d98d23965ff8d0bdb6a9038d3d4546585a6e021109ab61c1f5ce1a924de539a58716e40e62c94ad270a9c66cb7670d

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
96KB

MD5
ce1f84dc546037d43c70c54be2762e7d

SHA1
f465e9873b88c02009aff380a1089e31be3d8c27

SHA256
2925a6519a17f554ebae8c6c2faa0369acddd18215508f3debd09817ddd7764e

SHA512
ea5518979ec75bfc0ea9f4aca29628c5fda97b757eadcf19cb0f066e03ccb1ebbf25f285166ccf854c269979535ee81573f8292eb06c6a71a610af3415197fe0

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
d17c6bb4b25bf661e7ca7016f7ae5500

SHA1
c6e146bbcf12aa723c7bac95f897b9f7e5ddc09a

SHA256
b5c4abc67adc36775b3b6adc9002e11c8502f1f8d21857799d10252ab8f9e831

SHA512
4890c37ad37484f55bfb2e5f415eab0ca779f8a4030e6dc165e69b5f029ce735a5f1d5e2434141b6880ed0ed48d0a6da7d9be05d816f7ed0c5ea8d793652a6b3

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
5079523072b96c2b06fb5a550172439d

SHA1
1d568572ed7574f8eea69ff1b0ba4f71965e3592

SHA256
7c4c1cd98980d01b38fa8c60340f708431abd1852d3f3e8a018c19da4dc76a07

SHA512
2b0577936f0c048719dcb1ac95f4193bd320cbfc66f6d003fcca1bf87ca3286097a46b14dbc4024b700ef5004763bb6c2932ba4bddc71febb06fa98ff16ded80

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
19606a2fe2253ce55a23ad0db8d9d1fc

SHA1
0f9272945c41f3b38dbc8f660a9cc6f419da865c

SHA256
017c21d88ce7c0e7372f9832d0e26a36a8167b97e6c34d4a39b7bf3098888e2f

SHA512
68b107f5886aa24d6e6ae92d742c86c9f82a0ededa0ad5bd7a14e0b843226593e6e06201d3e5591dc1800649398535e1aa7d5e36d6fd9e14533ca06705d17462

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
0436565283f2c0242525cbdb57d1cbbc

SHA1
c5b826c4b51b8e39c51ca3ed8f38ab58628ec7ed

SHA256
8030e68f5a8a3cdb47f2b631d7ce2e474d7bf8930080e8c874fc6de71f59ac68

SHA512
b31ab9c67c10df8aef665efdc7c9608eeddb660fabdd717d370b569bc2e01ac7b9124f931e01ac49d12d4251e21799add5588941cd8a700c3b7c2dc6a4d95b2b

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
cda623836b4e4f924b4de8c79392ea1e

SHA1
95fad0a484e554a0634b283d52adcd9412817b0c

SHA256
e740f167f398fb534644dd8d01aba24c25c9a76ff912561ea2eaa99f694525ce

SHA512
48d1f85a96935e9f6d6d14e96c29a2d8d359b998ea021bdf6c35af82bcbe01a535bb0bd1516be6650ae3df5b4ee22d07c03d67f8ee5fc0bedbe93394d3655068

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
7c1d392a480a15a239179ab50f2b0d75

SHA1
5c0d8e5c7eea315b95d09057ffd54c4b8813dd02

SHA256
c8fc0b030de6c51603396baeb0f739bf35ac8d3608e7ff045e3924b285017d68

SHA512
ee653e039777e852d3c3a1aa83cfdc794939068cff3e038c8a6573e49c087615edaa05c80677a5fa2212a7b7e3eb4191e0fcbbcda2e6028154ebed3ee14b5382

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
96KB

MD5
03a2add58964209de6b7ed52dec5f54e

SHA1
4cac09bea96bcce4db39de08a370093066a0034f

SHA256
0bfa0d3735797ebfe602ac29d4b9ae891570004771e3099e9fd7ffd92ce852b5

SHA512
bca9b4455198f07704340c746cf7f92dfb2e8f07acc98e883a4db536aa52aef86dc64b933c12b9e79d38a6ff57b218cbde98f3f8a4923cf26a79bb1a38b75b30

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
14d268946fd2aba8cec5285eef9fd563

SHA1
366c22fd003861b166a705a028a210147274f98d

SHA256
14551abb11d00f325e243dc63892326245d4c0ae677f07870ba821be52b3dd69

SHA512
88d3221ab0ee1ad7ee91bae4634fc6fe605c6a737c4a6392f85d05b7a355938414d9371e968b81899e33f8ec29974f93f5451ba744f89dc6ced73fa12784b8e0

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
96KB

MD5
e6f2a1390e9a621578bc48b561c739cd

SHA1
a95a21184d10819b5eb187c851c99e9e42283bb1

SHA256
6b98023efbfe50cf692207f423464b3957f812c3d672f1f60b946d055baaabc1

SHA512
4ab104f6dca7db49b84ca696ab406af578f179e3c65a39fc9b3a117159f7b328ab5208a3f1a8740e6c0f03fcbc11c58ee16dc95179df2474ec0ee817915f990f

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
0102317dac0c7bae9764b0095a115a75

SHA1
c9e1a8d133df0f4e54d019b53b694c3763a71486

SHA256
48df8687584703cfcb383346a387694055ad4078d86541b8845bd8a0e0b3b5bc

SHA512
66523b50c804030b78b21c40e897f7a378dc1a79f46c96ffb3cefe9e922685198e2d9f768c58d847c1349aca46633c3a4c5391aaa44a1b2fad570c1606c296af

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
96KB

MD5
4d385707f4354e0b34314c9359c26a76

SHA1
2781f93f93a60892bf51e01b6572e5bd450422b4

SHA256
622235aac8c34f7a369aa05074b34ac5b5e69801ac352852c867016514c56ccd

SHA512
8da1d78ba8fd50adcca11e9c5268ca6367d16e2dfb2f70658b8073f9fec3a13571bafb091d1732645cf3327ad7cbfc22937dddc5544b3a860e12264c9f3a0560

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
0c8fd02aacd3d901cf409e89b2d6c904

SHA1
fd14d990e6e8efea7d7d34a5085d5e1164b2848d

SHA256
b6dafb32f0aa422fd8c08a27874b3cd843d07a73281acd25c905dda19e088c83

SHA512
b3c1c476d9c1c719d36cec55c67725fa72deb9d2f4ebebc1b5d653efa57d9dd58e41aee1fa91f615f9412ec21ab9823926ac2ea8f8ebee412f01816d54c12c5f

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
6853c009acb6da76b02cb01f3bfd9324

SHA1
232c185ff67ec2327e3ccdf7dd75e27d049e498e

SHA256
a41e0071eeba6ee0fc69a25acf5e9b87a709e8730231b367f6baad13b19f6a6f

SHA512
d8ca624e1a84ee2013c00536e9c0493855aa5898e346ffb7b3ec82f432d0aedb93549f77c3f3c7751f19db4742386b4482d25815ca89e163228c3d26f4748522

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
96KB

MD5
641e97286d5c50453fabf938f33b3cef

SHA1
4ad35b1a649ea4a3420569a717ce23678d0cb969

SHA256
c843924b390cb226b58a481ea91b2b30a856845320b90e859cddf11106c6ad2a

SHA512
d5417ec6c8228e9ddd038175c8dcbd7e1c22527850bd923c3623ef7498a04a887089fda6d0d5b6ab90482c606ca5993b292777aa67a562ced8de621560a354e7

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
b6d092648c496c526019c02997e27e3e

SHA1
da987ef480bffc825a9bc1ec5f428907524a7909

SHA256
50d56847ec32e45f0d11ef9e9d7bce10621e173cbe5decfaa4d60db7a7f68ad0

SHA512
72f93596b9ae20088e6e8a343b8afbe2e5aefcb41fafb0bd59a6c82ac944cf163d397783479172b1614b7664c91721415abd1e07cd4391c97ba29ecaecd3771a

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
cd6153bbe6d800e0abf2ca9408552cd3

SHA1
0ccdd30f42823c7b1773ea7869306e098d07f2b5

SHA256
2782dac177ca42134b525bda7600af4fd4bbea6b68a1dcb68cd68f583fb6e5a7

SHA512
4a0d69485d7ac05fc8188fd531032f6aab7ef05834aeb0b74bdfc2e99695d9a3c1ec00bb0bfe2e3c8fc58190bbe701dd2824e7248b465686c539ba470efbbbd8

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
58c88c59fb1dc9151851f2325cc0c4b1

SHA1
b069c6dcece9e38a11db2174a151d4efd9df6b86

SHA256
0b6aab50892ceb118a663af41f1a080938f52a0099ae784a30839115a80f8ea0

SHA512
a0056a7fd8f09e863473fcc25ecfe9870eae90a6bd95e1e3f9f0c84e6d14e90b633542e54d4399748aa80a581a156865b1112ad5e847eae2e2c34169c0c5803c

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
8b9c75dbc6b2777dd8c7a11912005db5

SHA1
90831ec646d0031d7d8d1965a783e6e3a8a587fc

SHA256
88879fda01dec54b7b1f011e5256d246399930f9db5f3ee1e8e5e264b70251c5

SHA512
9edf4557a75f241783b2a5f3aefd05020201df42637c311248d0324b22e4d551bfaad7ebf14f06bf2d4d5e2f5b4b4851d295b87538456f8737c15ff91011ec0f

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
51027cd4982c299b853d02766485ddfb

SHA1
80c278342e48322dd4f60beeb73acc8659e32a00

SHA256
141d49cefa08c523c969540dedf2e15a123df52aa6858b9a34bbe97ce6ae3266

SHA512
3cecd01d33af64442888e5099cc426eaff073ee75128df5a544bea7ee0a7da9df74474e3818c1393957bf610d563eb6b129a32d5b0c0c7161709298ac56c1a18

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
6b303c0fd4aa60ac9ea4b4598ed76ed0

SHA1
5eb505b3922f9b0d5e32ed1c70740da292f91e4c

SHA256
e2a6f32ca01c493ce7427ede089eda9f84773f195086b6234b3312538b208e54

SHA512
113941834ea7f66a9ddfbbfbd9c52ea9e8c238c65846ad522c319ac9b00f616515fd5d4a8db8cc432106e66b60cd13bb7637187aeeaf1f3ca322cf05da41a83e

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
942a5a194c5c5a83d0382a93c14ba71f

SHA1
431bd5850f8224368e640c8341fe99e9b83c120d

SHA256
701de38136d063972f0290f79bf15f8ad64d084f260f79074925cf9223c4c299

SHA512
48d26becb0d25a2a52c973b200683a8ff99dee8340b4d6766fc9600ebd20549f4657dc541452760304c364c68edd5c7922fa9ffab1aea30c1cda1028703be453

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
e916fa28d9033066c8d782aec72ccbfd

SHA1
e3d8e3e314aeeac3cb84da1e59c3d2b84f98c11c

SHA256
aa8211c2a40ce560e69ca2d9f895377d460d35a373ef81908ea0ce2555ac0e2f

SHA512
f6ea03e6589854de8df73327554ef64d3152ffccc309c9b5e2247b536dc0b9bd80e5112b66e204f94a62361680ddaf2287ff9965acd7775b6b10dd5e86a27c22

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
abf6104b6b861f3e41dbe67a71840bfc

SHA1
08a5185265f69b32c76ae002302b8aa5ad08d7b6

SHA256
3fb6f38a8b9417ebb7f8199b4580af525d4517b7d774d620ca4a80eb41b4a2db

SHA512
a1bbbdca1363a7102baf80aa426f299fb42f1d397f56a7ed090584d7fbeb06cdf76675751ed306d346a2c2ea277870a44f66aea61f62b38da4a6d038f5d20282

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
9832090a409080ee593341ae49961b8c

SHA1
28ed516199b36aa110e30804fe8523e566c932a4

SHA256
a8fbf6032cf3e888bc656fd3f050f89be27f5dd7c40d8d7ad352336c8bb2a4aa

SHA512
239962845b4e65ff4780c087096d0afca869a70f6147835fa6e902311c4bfdca521cc95900745bdb98ca08177ea8ff03d20beee271181b35df18f6ac3cb59f38

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
d7c22f011e134e02d96b45f622a90642

SHA1
525a632d020e54a0c7b9ad7942968b0f2d97554d

SHA256
5cac8be2468b65e4c23ce32996d999817ae1ce4e770c1b8d0b1638c8028d15c6

SHA512
453d3a14464e5e86813f4563c46b2e04a7140032972b40633c86a26480950b075d1a392bbcbfd72c3320f83763f27113cb62810501a008a6027ee05a053d1cdd

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
e153f7334e47ce74c59d7a2dd205dd86

SHA1
0d01e0fdcd20201015a31bea88a7b36ea82bcaf7

SHA256
470bbfa16a8dd8a58946f1d2eef8cef6c1dc56d109495fd85e68fb7b9045048d

SHA512
3a674f961d471dd9c36ec7bd5588233f0e179616c0619d28817caf024a578fd40276de8902779ec5fa5294044ad6ab3c37e6ce7832cb2f3f953e3d1f7b076326

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
52a49781646a8cd82c955a8a2f04193e

SHA1
906d1c80cfa8c5c9149d8b9fef619aa862d318fa

SHA256
d4c45c5661ee5c497c80be6c3dd67c46a0fd8a2879a91da89e56af28a80e3ee6

SHA512
4287d681e8814111450c680151cbd7cb73477803d50b454d1bf665b706df553fec7d0094ab9a145e1346a70fae4d31498b54521a37e9cd05201895e4def8c404

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
61606e01ac1e802a9754c7b3c8d7c218

SHA1
b728a60fb95a8a698771dfdd9b258b2a7c30930a

SHA256
dc6014618b8986646d963f3ace012774c9c45459c105de680564554207ae39c3

SHA512
9d6c053400ff26e777949c068744fcb50617006246c4e4b1dd0bf1ce2c7ed20191fd0ac9da11e3a84e4b868c2dc9c635ff834d02b6995e6de9236d35f02d94a0

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
9ea61545f2352c332544a43cf2b270d5

SHA1
637928221769ee9429d11181b1acd9abaae87502

SHA256
f6d2f216622b111fd432fdf6daf29201d737a3aecfbb66a90cead613871bde63

SHA512
d276e75d0e99d66543da850fd9701b19e6ce9acf76a3dcd66fcf559d309a10564c2e95692d3cfdf8433cb9574794845d504112615d94f54ac0d8496e698da5f4

Download Submit
memory/228-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3496-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads