berbew | 15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8

Analysis

max time kernel
74s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
Size

93KB
MD5

ebd81dbb01e34cdb6b87b8405e566020
SHA1

ae5a3bcc9f6888321cb7ed017d98b9107e7dec39
SHA256

15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8
SHA512

54b017e62398661df842b64d31c9bd5491795afb3b3d9fb7adbc109e92c61f46542618f7f4b7e8c863bf1ae55801f921d964c80c8470b843137caf454bc91af9
SSDEEP

1536:EhRP1ukv/uC9D4JFz9azjsI9Kwr1DaYfMZRWuLsV+1D:2NuWtD2FZSjn9KwrgYfc0DV+1D

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 31 IoCs

pid	Process
2492	Bmlael32.exe
2940	Bdcifi32.exe
2108	Bjpaop32.exe
2964	Bmnnkl32.exe
2012	Bqijljfd.exe
2696	Bgcbhd32.exe
2604	Bjbndpmd.exe
2224	Bieopm32.exe
1480	Bqlfaj32.exe
1276	Bcjcme32.exe
2788	Bfioia32.exe
1216	Bjdkjpkb.exe
1984	Bmbgfkje.exe
3028	Coacbfii.exe
1952	Cenljmgq.exe
1200	Ckhdggom.exe
1300	Cnfqccna.exe
1680	Cfmhdpnc.exe
552	Cgoelh32.exe
1732	Cnimiblo.exe
1612	Cinafkkd.exe
1508	Cgaaah32.exe
2120	Cjonncab.exe
2968	Caifjn32.exe
3008	Cchbgi32.exe
2036	Clojhf32.exe
2644	Cmpgpond.exe
2144	Ccjoli32.exe
2688	Cgfkmgnj.exe
2748	Dnpciaef.exe
2876	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1752	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
1752	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
2492	Bmlael32.exe
2492	Bmlael32.exe
2940	Bdcifi32.exe
2940	Bdcifi32.exe
2108	Bjpaop32.exe
2108	Bjpaop32.exe
2964	Bmnnkl32.exe
2964	Bmnnkl32.exe
2012	Bqijljfd.exe
2012	Bqijljfd.exe
2696	Bgcbhd32.exe
2696	Bgcbhd32.exe
2604	Bjbndpmd.exe
2604	Bjbndpmd.exe
2224	Bieopm32.exe
2224	Bieopm32.exe
1480	Bqlfaj32.exe
1480	Bqlfaj32.exe
1276	Bcjcme32.exe
1276	Bcjcme32.exe
2788	Bfioia32.exe
2788	Bfioia32.exe
1216	Bjdkjpkb.exe
1216	Bjdkjpkb.exe
1984	Bmbgfkje.exe
1984	Bmbgfkje.exe
3028	Coacbfii.exe
3028	Coacbfii.exe
1952	Cenljmgq.exe
1952	Cenljmgq.exe
1200	Ckhdggom.exe
1200	Ckhdggom.exe
1300	Cnfqccna.exe
1300	Cnfqccna.exe
1680	Cfmhdpnc.exe
1680	Cfmhdpnc.exe
552	Cgoelh32.exe
552	Cgoelh32.exe
1732	Cnimiblo.exe
1732	Cnimiblo.exe
1612	Cinafkkd.exe
1612	Cinafkkd.exe
1508	Cgaaah32.exe
1508	Cgaaah32.exe
2120	Cjonncab.exe
2120	Cjonncab.exe
2968	Caifjn32.exe
2968	Caifjn32.exe
3008	Cchbgi32.exe
3008	Cchbgi32.exe
2036	Clojhf32.exe
2036	Clojhf32.exe
2644	Cmpgpond.exe
2644	Cmpgpond.exe
2144	Ccjoli32.exe
2144	Ccjoli32.exe
2688	Cgfkmgnj.exe
2688	Cgfkmgnj.exe
2748	Dnpciaef.exe
2748	Dnpciaef.exe
1800	WerFault.exe
1800	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Coacbfii.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bjpaop32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1800	2876	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2492	1752	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe	31
PID 1752 wrote to memory of 2492	1752	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe	31
PID 1752 wrote to memory of 2492	1752	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe	31
PID 1752 wrote to memory of 2492	1752	15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe	31
PID 2492 wrote to memory of 2940	2492	Bmlael32.exe	32
PID 2492 wrote to memory of 2940	2492	Bmlael32.exe	32
PID 2492 wrote to memory of 2940	2492	Bmlael32.exe	32
PID 2492 wrote to memory of 2940	2492	Bmlael32.exe	32
PID 2940 wrote to memory of 2108	2940	Bdcifi32.exe	33
PID 2940 wrote to memory of 2108	2940	Bdcifi32.exe	33
PID 2940 wrote to memory of 2108	2940	Bdcifi32.exe	33
PID 2940 wrote to memory of 2108	2940	Bdcifi32.exe	33
PID 2108 wrote to memory of 2964	2108	Bjpaop32.exe	34
PID 2108 wrote to memory of 2964	2108	Bjpaop32.exe	34
PID 2108 wrote to memory of 2964	2108	Bjpaop32.exe	34
PID 2108 wrote to memory of 2964	2108	Bjpaop32.exe	34
PID 2964 wrote to memory of 2012	2964	Bmnnkl32.exe	35
PID 2964 wrote to memory of 2012	2964	Bmnnkl32.exe	35
PID 2964 wrote to memory of 2012	2964	Bmnnkl32.exe	35
PID 2964 wrote to memory of 2012	2964	Bmnnkl32.exe	35
PID 2012 wrote to memory of 2696	2012	Bqijljfd.exe	36
PID 2012 wrote to memory of 2696	2012	Bqijljfd.exe	36
PID 2012 wrote to memory of 2696	2012	Bqijljfd.exe	36
PID 2012 wrote to memory of 2696	2012	Bqijljfd.exe	36
PID 2696 wrote to memory of 2604	2696	Bgcbhd32.exe	37
PID 2696 wrote to memory of 2604	2696	Bgcbhd32.exe	37
PID 2696 wrote to memory of 2604	2696	Bgcbhd32.exe	37
PID 2696 wrote to memory of 2604	2696	Bgcbhd32.exe	37
PID 2604 wrote to memory of 2224	2604	Bjbndpmd.exe	38
PID 2604 wrote to memory of 2224	2604	Bjbndpmd.exe	38
PID 2604 wrote to memory of 2224	2604	Bjbndpmd.exe	38
PID 2604 wrote to memory of 2224	2604	Bjbndpmd.exe	38
PID 2224 wrote to memory of 1480	2224	Bieopm32.exe	39
PID 2224 wrote to memory of 1480	2224	Bieopm32.exe	39
PID 2224 wrote to memory of 1480	2224	Bieopm32.exe	39
PID 2224 wrote to memory of 1480	2224	Bieopm32.exe	39
PID 1480 wrote to memory of 1276	1480	Bqlfaj32.exe	40
PID 1480 wrote to memory of 1276	1480	Bqlfaj32.exe	40
PID 1480 wrote to memory of 1276	1480	Bqlfaj32.exe	40
PID 1480 wrote to memory of 1276	1480	Bqlfaj32.exe	40
PID 1276 wrote to memory of 2788	1276	Bcjcme32.exe	41
PID 1276 wrote to memory of 2788	1276	Bcjcme32.exe	41
PID 1276 wrote to memory of 2788	1276	Bcjcme32.exe	41
PID 1276 wrote to memory of 2788	1276	Bcjcme32.exe	41
PID 2788 wrote to memory of 1216	2788	Bfioia32.exe	42
PID 2788 wrote to memory of 1216	2788	Bfioia32.exe	42
PID 2788 wrote to memory of 1216	2788	Bfioia32.exe	42
PID 2788 wrote to memory of 1216	2788	Bfioia32.exe	42
PID 1216 wrote to memory of 1984	1216	Bjdkjpkb.exe	43
PID 1216 wrote to memory of 1984	1216	Bjdkjpkb.exe	43
PID 1216 wrote to memory of 1984	1216	Bjdkjpkb.exe	43
PID 1216 wrote to memory of 1984	1216	Bjdkjpkb.exe	43
PID 1984 wrote to memory of 3028	1984	Bmbgfkje.exe	44
PID 1984 wrote to memory of 3028	1984	Bmbgfkje.exe	44
PID 1984 wrote to memory of 3028	1984	Bmbgfkje.exe	44
PID 1984 wrote to memory of 3028	1984	Bmbgfkje.exe	44
PID 3028 wrote to memory of 1952	3028	Coacbfii.exe	45
PID 3028 wrote to memory of 1952	3028	Coacbfii.exe	45
PID 3028 wrote to memory of 1952	3028	Coacbfii.exe	45
PID 3028 wrote to memory of 1952	3028	Coacbfii.exe	45
PID 1952 wrote to memory of 1200	1952	Cenljmgq.exe	46
PID 1952 wrote to memory of 1200	1952	Cenljmgq.exe	46
PID 1952 wrote to memory of 1200	1952	Cenljmgq.exe	46
PID 1952 wrote to memory of 1200	1952	Cenljmgq.exe	46

C:\Users\Admin\AppData\Local\Temp\15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe
"C:\Users\Admin\AppData\Local\Temp\15ecf00e61e5f7f0aaaa00016484c457c909e1ffcb7c12801c4aa4a91df7b2e8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\Bmlael32.exe
  C:\Windows\system32\Bmlael32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\Bdcifi32.exe
    C:\Windows\system32\Bdcifi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\Bjpaop32.exe
      C:\Windows\system32\Bjpaop32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 144
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
93KB

MD5
c0dbf04049b45dd29d75a3bf97182ee5

SHA1
fe5c670d1321b14d3b924eebdda8adcc1668932a

SHA256
8e5d126b2e3d379853063e18da08fa2da3a66d07351de7ce68aeeb88fdaa04bb

SHA512
4022619fd14dcc41851400214d31083d547ccf7d134a1de1fc905b494f8972d90791fa84643a539e9d23434eb40f080b31b457b1a90b2a342fcd7408376b16eb

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
93KB

MD5
8370fdf8bf333fa0b50fff376b0bf2ea

SHA1
915af896e31f8f8fecca61da9eec6c83ffb8b72a

SHA256
e7d2750130ceecb9ed95910594e04e4c9ba56a709c2d71906445e77e61234dfb

SHA512
a03ae62acb30e0cfc18d8e5d7164945fbbcb8280924582461b5f29669842a4f25bf0ec4d5bba1106c1d1a99dbd8ecd676adc845176e51630063574df98e56b36

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
93KB

MD5
2747c645fc8eb6eb362a4f33a20225c7

SHA1
15189ed16552241e4f171013cbe9791388afdf37

SHA256
eda4c237afc55a4857a6fdbcb4ec6dc96f9d46c41ec52c2e4b2cab52b844e373

SHA512
4bb780495c504dc331bf0fa5fac5bc3bcbf2ac058113976b9ef473582a94cbea31e35de74bb7b9044cffcd6c4990b54e53c72bb33e904209674c061f219db5a4

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
93KB

MD5
6fde45560df88ff8fdedf4905f1261ca

SHA1
bc0650da1f157c16341371830df48f3c539cbe67

SHA256
4a62aca0600afb2b5619d3f9da3ee6fada935dea10943640d35250b67d557111

SHA512
44176a98bb227fac09bb546707e31c37df52e3190a8f1c663b9cdf639a236ae72f0762cc92652e95bf5cab1697f6a8da51af3081f5171278cdaad3b7f4969803

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
93KB

MD5
e97b452857e72cb4689667d67210e1c7

SHA1
aeb5d1a9bc7514617cf860dc7067ae71a0f1e06c

SHA256
f886d1392ea6abf73bd53a11cd040e01800e75aacc501a64eea1ed18a55e2afa

SHA512
14171f76a8372653c3b5049593cdce41a499a1b39afbf80445e308b676ef4de8d32cce36a7282f710db1d1f518e1ecfc9d54695adb28416cc68d0bd9f2801297

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
93KB

MD5
2f582bcca503b991904a81a19c2d9001

SHA1
40fa0a3cac9d1555fdf416dd24059015d018d223

SHA256
8048f1828606bec3e6d9cc44877c693cb118ecc7232b4b0cb3c79e45c4dafca9

SHA512
8b51fc3053b0e09f0deaea2eda29108320a43e92ce7f77845f42ca433ac2f68891d9e2781ab847fb2942fa457b32d0d9c9416c779b67bac19eb0797e1ed3a01b

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
93KB

MD5
683ef222597a5de3c66c479188e6b991

SHA1
54ca75f7431268b0bd0d4be22343b7b64c9fff3f

SHA256
6dd34315bd391720ca2b003345a57a146b60947fef8f62373485a770c07d6bbd

SHA512
a8bd9d4fbedf76ea978447cd61cdfd8911be7d63e57e592a0c506886cf30a0d1ad40f78fd8e72d70e645b142096e46f7e4df02b769612007e526daddb90c9018

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
93KB

MD5
187576ed0722464a870c546aa0983edf

SHA1
de16b0a613835df4dd90f06d5fd23747de80f447

SHA256
dae24f19baab5ac7205c69bb3ceddab428119c8d2572e4ea13734c4a56f8e8b2

SHA512
1734a71a5d0981ad666fae8c6d891cdeb3c18ef869c12dda8798427089a3ed92fd43cb3c3221ae990f5a34009464161d3c0c2de0f1d156051f078748ed787fd8

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
93KB

MD5
4e427c91c0aacf657a94ee1bd1efa333

SHA1
e028e5c9f60b4d00c0bf7936119e316c7336ca73

SHA256
9aaef5e5f326f4b5e7ada54cdd8cecd18d77118d29b0fddf46698209c057bebd

SHA512
e92c934b04e74d2ea029fc589f753b8d58f38b420bb7213c2371f5f5333f7b61f17d0d93f6551c858c00f4343b6b7f903f136edcd6c977d5caf8bbe5cfba2fbb

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
93KB

MD5
610c04f2e88827b10ff221d3c23f80ae

SHA1
055e5cdee2880c1eb89b7b2f060ae37c2e28e918

SHA256
5b500796bd94970499479f98704ed34f686a99bfb17cc91b3b8b8bac828c2e52

SHA512
44f2277e6083d01cb51a4cba9f87a406f762956dc2d4ce78cf09196cdc938a25409056f0f476e6d1b12be542dc7f26a6d750e4fa2b0d4de54afebfa60cd79fef

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
93KB

MD5
26de46873c145e1186edcfc89b24a777

SHA1
39b9a360c890549f691bdc8b806150ce5edd8f75

SHA256
e1ac251b82b0012071ed6dface47c60112dec507481a38f3dc802fb778f4b698

SHA512
13c9a23faa3298f757afa1066bdc4756654242880276e91c107d528c512f011566f89838e304ca58c6fb444e4c6fbda915024412b7bcdfa2eb4f3b784923f6aa

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
93KB

MD5
201199674d5de3cf4916d779185f30fd

SHA1
dd75126aa60ec002ecda459876158daf15ccc5a7

SHA256
84e3fe701434b7ace21f9c307b170a530632734f704ef35e897f1cba51338030

SHA512
ea10f5bdfec0e0fa8636c600cd3717cc3f9b0a49b3f10b0a3f1d70e187422cd941b734a43117f7b281016a413ab6b8a8c46343006d64905fd47e28437c1c414f

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
93KB

MD5
c1c10df52cd8b295a300737892fcb91f

SHA1
83a5b63f73b5b4677aa4d98c43d87b1204a897fd

SHA256
0225ba5375a72ab0ebe6b922a9ddef9638ffa0e9ef473834830a7e3c532c0a87

SHA512
278855052ccaeb4eae718845858cd7aa41916ed96838b9400bc9d53354df7a152404ed991cf343da4e2f2c45e7e30afe1164a90c6327917b608c00ebc372049a

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
93KB

MD5
5c748e7f2687d8d1fa33cae4265fe2f0

SHA1
f5d260ed692d7ad89b0d47f7c2e5021936519c13

SHA256
23b9dcb91367210bf68845ef06454281d38042bdee9b436c0ff2f903cedaeb83

SHA512
79c7cc42707504c7a876fc826b7e160e89f2fcd647969db0b36b7e6cf31f14437daf7089bde8fef2f85fd9ee014e151c1e23e61eba670188d72df59917ded577

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
93KB

MD5
dc3fcbbfb83e0e0e4088d581a708f979

SHA1
56789b201cdb56d6b59e357bd0e843edcaf6d056

SHA256
307ac727b074d191a5a9717649354f41195d8f7a52dbde52178db9d772cf134a

SHA512
2b8fb2fc52bd1716d0531f941a521037ae5200cbe30f90199de2e3f14e21504b21ba1787092d02694651d1a3c4087f62f8244956da581c60d78caac69bf3ba03

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
93KB

MD5
c9c265254f0edcc76ad4666775f6fdaf

SHA1
e0e2edecb619f0cad36bcddd96a6ab8d29f8b262

SHA256
fe7e11413706ca405a57186c4a8a93da7d367346f58fce9e0891ad20550107cb

SHA512
1a249ffee269c8fe3265aa999435562babd212723e1e2410515d30633d1a28b752f424dfcf39d0546584053cd0ccb4291b746cc23db478c33b29ccb72f480e68

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
93KB

MD5
2055bb0d80dc6e522ce22c2b0288894b

SHA1
169d5b69ac6029ab5a4367e118c61ddd4cc9c537

SHA256
288e6fe2d8fb0fd6e9a0ecc97460bb226a149bb1c60c7eaade84e17d518cfdab

SHA512
e1f536feea171d9b80c97e793db82b8a125bcb74575e4b868bccd2f0a08091ba33411217f8bb1dbc07ca8b026ac04733a62cc455d7ced5ff7ed4b668dea39e3e

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
93KB

MD5
3fb67c9747defec4e88ef775aeb943b5

SHA1
65c50f73cb3f04dde768e4dee5cab04106d2d6a4

SHA256
71ff07e64894f64561043c372f7ecd6130678429025f384d6e717b3d00aee40c

SHA512
d495ffc881d8cecf32c324e5143e37e979acb4150869ca8eec5e061b0fe4b65a550664dc1a60483a450d84789f00f6d422d4907400d424d795db1bc36885e2eb

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
93KB

MD5
9fe896f037ef319f29fac557bb437d44

SHA1
50c6d6556e4d4d023993c296c6257cce03c1b8f5

SHA256
a35538ea58b91ba10403508d97250c5012bfea2d81aefc0a3016a561fa583c92

SHA512
4bdc2040c12b8a5a4ace8c57632f8852b2d94aabaa4fbd290a1037b5e63740f49657f6869c3873b6c799dd0339759773aa44b2a9152ff4f85de3064cb2a45c42

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
93KB

MD5
aa326a1671717d103619b7a0d32f622b

SHA1
91a14f911df065541cb072f292ad592ecac3ccd1

SHA256
d1c1185c00eabcf8d56246af91091cf2c972ba4f31d1bfc735439d8d968ca57b

SHA512
2a6545d9743113d6dba6aa950a44bec70cd0e266c06b1f7098b52da55aaf4ef89ff357ce028c2e1757ce2e6bd6e50f8d8e7d73dc5439406a0fb63bd171fee000

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
93KB

MD5
2e9bbb3dc899e6829e077eb53506d771

SHA1
82c6355f0660f50ed5e121f22fcd79d8d1d4e8d9

SHA256
06840551776e8ce2d9067494f8659817e82bb37616aee5931669356388bb4027

SHA512
cfd2beebb84bf302482467b2791562904772e5d471c2b968f6ea4fa2b79e1c2bf1275516c59811c60bf634b6b9e2f0dc894afaae0fad7eee55aca4a2e0cfdbc0

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
93KB

MD5
682a1d93668673e4d057ce42163139e5

SHA1
15f3ab8287542d540dd3c28876f5e8d0ba8bec44

SHA256
0281a19f4504f12a7da95f949518fb788bbefb87b5e9f101b967aa39c68b709e

SHA512
bcd735d1fdc71e406142e65e3b03e031cf683c2e6ff6701d650df92d15893ed2f33d75b54efa7e154898087d84e6f3cb937dfc251a57cf34c4e45f5dd2d6069b

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
8cfac05f799c8714e9de728f3b741018

SHA1
2414c0ab9fe1b3402a0f2c13a638bdfc98f1b71d

SHA256
44d8c66d804b811265f39641f4e743abcf5df0536bea788265b606f6dccf1a64

SHA512
5f75d3ed9cd1b06929e49d96248887fadb417619d2fdf275478ae148a93c93740be40c085a2cafee77d08ddb0deec5d60e93d6b1b7ea88932a2d0ec3b63db863

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
93KB

MD5
a2b6637f992ba6bea5a98e0a742d74f2

SHA1
472c156e18e724d6afc9bb56994a75ac3ad59bb6

SHA256
2af8d74b4e4f542121f9e5a6b16635a9a43b8a951c5f1ca4003139aa89518d27

SHA512
6cac126433d6d3d577a33f1bd31e633584def97acf474efa4bcf9e1d268107b422427870e6f1d4e5de892a548374401c8e99894301f3042e9117b5dff9499e5b

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
93KB

MD5
d5f58bb671d67933af6707b0dff5ebe0

SHA1
662e29d7cc8737e412fc5ba9fec9527f64970aeb

SHA256
3532bf0ea8ae2f4e74d6ae5b0e0f7e8ae6a3d170aa7963e71df03307e0826504

SHA512
6887adfc54d2187d7f5914a7261ad23c924ffc9601967d3051f56fbd8a69db13a5f062dc33c966b8dcc5d47ae8422f6e57f62d6a138be5088baeff69ac8cfc2d

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
93KB

MD5
2996e6aec4f78545f0d0c19cb3e3481a

SHA1
257be36ab45e25ecab754e1175ce1a0bd6e45d21

SHA256
ad8bc65d50717ea1c1e5ed51f74bc505421d8e0b650b2edc4e0e9c55e041d77f

SHA512
1287ef80c7205630edabed182131d7b5fca6c896caf3a34d0d673610846d0f22bc38823dbc755fa190cac89b508a9b8e52208ea48d5aed16b2657e39773eeeb2

Download Submit
\Windows\SysWOW64\Bmnnkl32.exe

Filesize
93KB

MD5
0dd16481489c5b2441b87b206239c93e

SHA1
ff81ff63d32d86165e932863c47fbd1fce0dd2b1

SHA256
c2e3ed6169f3e45156748d97006c398930b51f44be0ebeaab24e54594f24c1c1

SHA512
3f76c9248a9d408d9b9c2a4b5b783759e951a38eee9a7b18cdd2e51b34b2b5c83dd6d5a938f0b4c789acb927dd3f29277d3938dc73de86b09150194379606be1

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
93KB

MD5
532d6df34c5c39c44e224b1b77dfabf6

SHA1
8821c7a9e4eb57af280bb49ae0ba8ec4828567b4

SHA256
1388eae802881eaab98eb498654a9f8c34ba9cb61c9221c3c672e1a6bc3cfb69

SHA512
0eae4cc0bbfb04f6bd795e6dbaf7f21520b89f628c723df7e25a86ecf40fbfe3dddf035078ff52a7aeea2038faaf6334d9b16e078c730204e9ee7ee5695685e4

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
93KB

MD5
386ce7e68e245c7ed4527d1cf352d5a5

SHA1
22d5650b0dcf3af84ca686360e6fef6c1c1ad877

SHA256
26cd04717c57ddbe222c2f4e3601476ffb280efe1698c6cf6c7daa7230945dc0

SHA512
3e37318daf9958b61cb9ff0d7cfebe214a00a4b32d43bff63a100e1abdf38807610bcb7f11e9f0479907ae6e6fe4b03aee411eea33b24b232a6db87969ca9b76

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
93KB

MD5
d59882bdc1ef902456dc1cb52cd3d85a

SHA1
4bb7da629f4e15df7d3a4e556424131a478cac6a

SHA256
4d2b1b0423cb2419ab1e685ed913c2283d4ce3f94ae58fe9d58b2edf9c4cb5b8

SHA512
d0aa5466e91f4de5af51125ab24f1aed5b3fc2812c563d5ab7be367c9e93d5b40d7d97a2359cc321ede3f12121e2a9a4a500cc52b675eb295f90cb3a50ac08bf

Download Submit
\Windows\SysWOW64\Coacbfii.exe

Filesize
93KB

MD5
769a9d5e6296e39dea1e89f82ff9d427

SHA1
7f9a8e16229d8cc39a9be943ab3ad027a4472c01

SHA256
14da9c79dd166acd20f882b8772e5675b3d99b0dfbd5c9006c11a5bca363c1e8

SHA512
376c67f5ae4551507d15092631f36f558cb1a76edc3a0bccd09efa81b38c5c12e08aeea40b23f81eb32dc90f1d9759c4528ef45b1b904703a532de57962a7d70

Download Submit
memory/552-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-221-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1216-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-166-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1276-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-140-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1276-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-228-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1480-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-275-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1508-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-279-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1612-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-238-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1680-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-256-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1732-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1752-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1752-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-179-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1984-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-318-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2036-322-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2108-53-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2108-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-289-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2120-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-290-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2144-343-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2144-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-22-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2604-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-104-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2644-333-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2644-332-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2644-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-357-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2688-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-355-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2688-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-87-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2696-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2788-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-34-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2940-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-61-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2964-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-300-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/3008-310-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/3008-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-311-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/3028-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-192-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads