berbew | efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
Size

79KB
MD5

12ab15bf427159ac3810d19b43bf1df5
SHA1

48e85f2983df20b5a67307945b234a08afc32922
SHA256

efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf
SHA512

366481e10ba7c5d668f41cacbfd660057ac145245f4829e38c699d9b668a1eaaa63a0f272705fd7db419019cf235bc736b1e0200df4bfcf24319b04f83b06a77
SSDEEP

1536:bvKLrq8V6vHAn84X+0GpHenAUEaiFkSIgiItKq9v6D6:bvKLrq8V6vHAZX+XHeAUEaixtBtKq9v9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
2492	Bniajoic.exe
2248	Bmlael32.exe
2272	Bfdenafn.exe
2868	Bmnnkl32.exe
2840	Bchfhfeh.exe
1716	Bffbdadk.exe
2580	Bieopm32.exe
2224	Boogmgkl.exe
1644	Bfioia32.exe
320	Bigkel32.exe
2780	Bkegah32.exe
1144	Ccmpce32.exe
536	Cenljmgq.exe
3028	Cmedlk32.exe
1952	Cbblda32.exe
1200	Cepipm32.exe
1300	Cpfmmf32.exe
1408	Cnimiblo.exe
968	Cebeem32.exe
1732	Cgaaah32.exe
1012	Cbffoabe.exe
2388	Caifjn32.exe
2116	Cgcnghpl.exe
2232	Cnmfdb32.exe
1016	Calcpm32.exe
2940	Ccjoli32.exe
2664	Dnpciaef.exe
2856	Danpemej.exe
2720	Dpapaj32.exe

Loads dropped DLL 61 IoCs

pid	Process
1752	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
1752	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
2492	Bniajoic.exe
2492	Bniajoic.exe
2248	Bmlael32.exe
2248	Bmlael32.exe
2272	Bfdenafn.exe
2272	Bfdenafn.exe
2868	Bmnnkl32.exe
2868	Bmnnkl32.exe
2840	Bchfhfeh.exe
2840	Bchfhfeh.exe
1716	Bffbdadk.exe
1716	Bffbdadk.exe
2580	Bieopm32.exe
2580	Bieopm32.exe
2224	Boogmgkl.exe
2224	Boogmgkl.exe
1644	Bfioia32.exe
1644	Bfioia32.exe
320	Bigkel32.exe
320	Bigkel32.exe
2780	Bkegah32.exe
2780	Bkegah32.exe
1144	Ccmpce32.exe
1144	Ccmpce32.exe
536	Cenljmgq.exe
536	Cenljmgq.exe
3028	Cmedlk32.exe
3028	Cmedlk32.exe
1952	Cbblda32.exe
1952	Cbblda32.exe
1200	Cepipm32.exe
1200	Cepipm32.exe
1300	Cpfmmf32.exe
1300	Cpfmmf32.exe
1408	Cnimiblo.exe
1408	Cnimiblo.exe
968	Cebeem32.exe
968	Cebeem32.exe
1732	Cgaaah32.exe
1732	Cgaaah32.exe
1012	Cbffoabe.exe
1012	Cbffoabe.exe
2388	Caifjn32.exe
2388	Caifjn32.exe
2116	Cgcnghpl.exe
2116	Cgcnghpl.exe
2232	Cnmfdb32.exe
2232	Cnmfdb32.exe
1016	Calcpm32.exe
1016	Calcpm32.exe
2940	Ccjoli32.exe
2940	Ccjoli32.exe
2664	Dnpciaef.exe
2664	Dnpciaef.exe
2856	Danpemej.exe
2856	Danpemej.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2832	2720	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2492	1752	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe	31
PID 1752 wrote to memory of 2492	1752	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe	31
PID 1752 wrote to memory of 2492	1752	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe	31
PID 1752 wrote to memory of 2492	1752	efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe	31
PID 2492 wrote to memory of 2248	2492	Bniajoic.exe	32
PID 2492 wrote to memory of 2248	2492	Bniajoic.exe	32
PID 2492 wrote to memory of 2248	2492	Bniajoic.exe	32
PID 2492 wrote to memory of 2248	2492	Bniajoic.exe	32
PID 2248 wrote to memory of 2272	2248	Bmlael32.exe	33
PID 2248 wrote to memory of 2272	2248	Bmlael32.exe	33
PID 2248 wrote to memory of 2272	2248	Bmlael32.exe	33
PID 2248 wrote to memory of 2272	2248	Bmlael32.exe	33
PID 2272 wrote to memory of 2868	2272	Bfdenafn.exe	34
PID 2272 wrote to memory of 2868	2272	Bfdenafn.exe	34
PID 2272 wrote to memory of 2868	2272	Bfdenafn.exe	34
PID 2272 wrote to memory of 2868	2272	Bfdenafn.exe	34
PID 2868 wrote to memory of 2840	2868	Bmnnkl32.exe	35
PID 2868 wrote to memory of 2840	2868	Bmnnkl32.exe	35
PID 2868 wrote to memory of 2840	2868	Bmnnkl32.exe	35
PID 2868 wrote to memory of 2840	2868	Bmnnkl32.exe	35
PID 2840 wrote to memory of 1716	2840	Bchfhfeh.exe	36
PID 2840 wrote to memory of 1716	2840	Bchfhfeh.exe	36
PID 2840 wrote to memory of 1716	2840	Bchfhfeh.exe	36
PID 2840 wrote to memory of 1716	2840	Bchfhfeh.exe	36
PID 1716 wrote to memory of 2580	1716	Bffbdadk.exe	37
PID 1716 wrote to memory of 2580	1716	Bffbdadk.exe	37
PID 1716 wrote to memory of 2580	1716	Bffbdadk.exe	37
PID 1716 wrote to memory of 2580	1716	Bffbdadk.exe	37
PID 2580 wrote to memory of 2224	2580	Bieopm32.exe	38
PID 2580 wrote to memory of 2224	2580	Bieopm32.exe	38
PID 2580 wrote to memory of 2224	2580	Bieopm32.exe	38
PID 2580 wrote to memory of 2224	2580	Bieopm32.exe	38
PID 2224 wrote to memory of 1644	2224	Boogmgkl.exe	39
PID 2224 wrote to memory of 1644	2224	Boogmgkl.exe	39
PID 2224 wrote to memory of 1644	2224	Boogmgkl.exe	39
PID 2224 wrote to memory of 1644	2224	Boogmgkl.exe	39
PID 1644 wrote to memory of 320	1644	Bfioia32.exe	40
PID 1644 wrote to memory of 320	1644	Bfioia32.exe	40
PID 1644 wrote to memory of 320	1644	Bfioia32.exe	40
PID 1644 wrote to memory of 320	1644	Bfioia32.exe	40
PID 320 wrote to memory of 2780	320	Bigkel32.exe	41
PID 320 wrote to memory of 2780	320	Bigkel32.exe	41
PID 320 wrote to memory of 2780	320	Bigkel32.exe	41
PID 320 wrote to memory of 2780	320	Bigkel32.exe	41
PID 2780 wrote to memory of 1144	2780	Bkegah32.exe	42
PID 2780 wrote to memory of 1144	2780	Bkegah32.exe	42
PID 2780 wrote to memory of 1144	2780	Bkegah32.exe	42
PID 2780 wrote to memory of 1144	2780	Bkegah32.exe	42
PID 1144 wrote to memory of 536	1144	Ccmpce32.exe	43
PID 1144 wrote to memory of 536	1144	Ccmpce32.exe	43
PID 1144 wrote to memory of 536	1144	Ccmpce32.exe	43
PID 1144 wrote to memory of 536	1144	Ccmpce32.exe	43
PID 536 wrote to memory of 3028	536	Cenljmgq.exe	44
PID 536 wrote to memory of 3028	536	Cenljmgq.exe	44
PID 536 wrote to memory of 3028	536	Cenljmgq.exe	44
PID 536 wrote to memory of 3028	536	Cenljmgq.exe	44
PID 3028 wrote to memory of 1952	3028	Cmedlk32.exe	45
PID 3028 wrote to memory of 1952	3028	Cmedlk32.exe	45
PID 3028 wrote to memory of 1952	3028	Cmedlk32.exe	45
PID 3028 wrote to memory of 1952	3028	Cmedlk32.exe	45
PID 1952 wrote to memory of 1200	1952	Cbblda32.exe	46
PID 1952 wrote to memory of 1200	1952	Cbblda32.exe	46
PID 1952 wrote to memory of 1200	1952	Cbblda32.exe	46
PID 1952 wrote to memory of 1200	1952	Cbblda32.exe	46

C:\Users\Admin\AppData\Local\Temp\efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe
"C:\Users\Admin\AppData\Local\Temp\efdf1c6c9be281642c5580b4621afa5c57f64e93caa8a46fe56f066e20c742cf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\Bniajoic.exe
  C:\Windows\system32\Bniajoic.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\Bmlael32.exe
    C:\Windows\system32\Bmlael32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\Bfdenafn.exe
      C:\Windows\system32\Bfdenafn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 144
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
79KB

MD5
6212b5f1458607342df437da1d4b3605

SHA1
7d8d5916c6b071c3b9f6567e931bf942de9125f4

SHA256
fc35ac0872c858cd7375a0c8d857007366010e5c2f0fedf6436d87810fc8df87

SHA512
fbe5665c4702fd853022c089a4ad985efd38ba76b240e8d4f6311d33f659ca5acb514c5f3c90eda299aa17a272282452bad526e9ea641a4ca0592a55196500bd

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
79KB

MD5
c477313ef2b49d4a21ad7b067c94cd74

SHA1
296b47facb11a81fbd42edb550e0c6842ccb0645

SHA256
36c6613ea85c238508ff8f04cae413418be313f17c764fbb054c7e431733647c

SHA512
9ae7ed85ef9cf3768df6915bf1e665c0d11c142e98f13edfdf7af903b9a16628ab37038d0f5b1ce26b39049427c3ef88f1a126a0282c246d3a92a6ced5f51c36

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
79KB

MD5
fbec25e2998c19d48e7d19a37d61376b

SHA1
2b3e0409f4719f3f1c702d668e352b0131e8aa5b

SHA256
d2cc1aef2a706182cec72675c4e505869945ba9fd2d8a730c0eb6fd714c86b35

SHA512
c9ad332194ac35f09b441ed6337ca4fa574e17921e25456f7c2b4662227ade23ff28c16a53748e6dcf9d1ebb5367e2ef61a7fe5118ca91f1c3addcd325775772

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
79KB

MD5
e493f6d63fee14325291ccb89e18d857

SHA1
33f83198a83cd1971afdf21f3faeaa6830e21b2c

SHA256
3227b46180e8b4e6727344cb943781979be7a5d017e265a4189e14da06b73585

SHA512
69c3fcf23c7c9b80573a5e423a3281280ebf3680138bd2c961a484315270aec74cb21a9faad71d288add24f29dcf584c016c95be5b658713bf53d1cd0322f71f

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
79KB

MD5
3b8231628f371f6240635ef229a923df

SHA1
832b14900fb917f0b71dc1cb5d16853af4e4f52f

SHA256
a5390ad65038781f5c2320dc9503d16aea4fc17e24e8f3f1a8c72a7b32461674

SHA512
d79bf8fd32fd3c8bda053fe44e55d5e9934cb675bf7a4f0984f1165a63833ea7ee396685d87cf7be73beeef7c8d36ad563cd0d24b7eb1e63592f85460eefb7cf

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
79KB

MD5
0749249ec6afbac8a2ea7bcde65fffdb

SHA1
e33525debacfc7724b8d5aa06d9e065a745917a6

SHA256
3ceec046dae6ec7ebd1026084c9f1d91ea46f56dc7c2cff58cd79d60f785f847

SHA512
416a480d070ef3a1f21bf57a3fe0c0a7082bffc6de97164ee575bf7048dba7c77bff10a86ead49c68eeb77e36c4ab59494368a2cbc1efaa68d364704028be646

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
79KB

MD5
98771cfd8822b6425e6f78bb19162be7

SHA1
77cb3120ab5686d816b42c4e144f697f12a19d67

SHA256
91299a4d44b2ba29f2d735f3611242f470a33d04e473fdf67e19792873691fa6

SHA512
3d2ff12ea1722b5cb1f4ff9cd8877058250b255073cdb4971d79cc1364f969fdcbbaec2ebbd6736ca0580be9f2b55196980c3204ed885a8f9d7dd662d53812db

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
79KB

MD5
acd55e3c80a9dddf990498ff3c48ee1c

SHA1
719c86f0c872b77a108ea841f15a90a27144fc88

SHA256
cb9f608898e9404a70d4a5d1af5efa105d608efe131d89fb1c6ebcaacb9dd078

SHA512
0f4745d700172811fcf2a67b612a729f4c6b50386ff7b72b234bcce6eb4a0fdbe741acafc6464dedfdf2f97afa4815fffe2a8a4e821808071c1a06257a92c4bc

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
79KB

MD5
bc4255945982e61a1e3e12220e3593c6

SHA1
e45aa5aac2f48b70c9eefd26fd3b517a6131fe76

SHA256
f98bb6a5e84bb5301666ed593da15791fb70900b11fcce627c2b018b64956dda

SHA512
ae11021afebfaa66fcc26c993abf912ca3b86320588f9b6c36c824053e159de49ead7b4348bd8fe8bbc736f1a4cfcc4b8903b2da613cd1d1f3bcbe541845139c

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
79KB

MD5
ca040758609ad443fb3ec8281b676309

SHA1
d2e6b9136ebb00fc91f17b72c8168b8a7d6bad72

SHA256
0b58937835c3afdf43d4b4cbb833d2173d8b11f8c3a7659a5bbbe3b740f7a302

SHA512
cfe80904fcb7958e099dbf5a0aed56c3aa6dcc238efa75e131b138b07642c126a875f981ba41f791d7258064bbe9454b60a9ed494426340b96d108eea250dfd9

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
79KB

MD5
bff721e20604c117179febf5807fb8e9

SHA1
8d411d68a1fc9349a0f1ed2950e1fa2ff75d7d98

SHA256
99c9b385b7229369104cd371597614b2f9944c42726e295765cb7f756b913411

SHA512
701952f824d3bb1031996d744c5a26b9c84974c5433197ea700fcbd48c54f1b8523bde6ea7fb615fcb1073ae7da8df22cae80f866ff6a535f3973ebb29e0a823

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
79KB

MD5
4fb63dd8551378cadc91022e0c47b5c9

SHA1
d5c8ba41c3e987f2bfb586ec1669787020de1f5c

SHA256
80ff6ed7f873cf6f1966046a9a0342088995c3931ad99a1d5128860af12eade7

SHA512
51c8de78115348550808bc7f7294cb3e6d341b191bc58a55f905c9cafb0736b1a3c33a0fae8bcc39585fe507b58985acb15020a494848808158e8e930c5aa68b

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
79KB

MD5
4e3d209ac6270b890e22a989c11779c9

SHA1
dbebf8bd2cc6438918c5a38e218767ec246cbd78

SHA256
cba82c858baca5b40a9f5b96a044199684526b77f5a62046402abcf4cf963bea

SHA512
0103c8153d0bfd39263b069e530f357d3cf0e9f448527c38878c4d3bdb5492153ae782d020e16d65430dc3361d074f9f72a91da416863faa8746ba57b90d0015

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
79KB

MD5
5d0a410dbd3968962889fd105a923ee7

SHA1
73958bdd5fb61f59502c3fedeeb94201f54fb1b9

SHA256
ccf60595ec45dbd366a9f64b15e486a230fe1edbc1359422428aa17d279bbe32

SHA512
421f7d9824fc941d91ac9a32ab8aef1f2a063e30c655f0ea061517195125af1ba61709295c3bbf5b3ca6d4c3c94daf7a4ad6457e067f2fedf25a1051cceba356

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
79KB

MD5
f64975f64a3ca975371a3473d91f52fb

SHA1
2e2c4ad80306f719123e9bf59d0115e63d230614

SHA256
43abe512480aaef05c235e5bf93adc4ba6f8f884142102cfbcb614c5c5aef2ae

SHA512
8287498d7a79546fe91588f48c9aef5196314c5a5e0eb05df565c0439318e61f99f8c5699bc9b0f1833950a9f5f3cf68f0d5b6e18d390b628a89f9bdac7bbcdf

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
79KB

MD5
9f8ebf1d393f554266cdf041a65e92c1

SHA1
2c7831caa6fb88304fdcbe00ac120fbd8054de11

SHA256
19607566ec67cc1affe8ac8f856ff67dc0f140de571efbde5cd3798999f6c3f2

SHA512
9ef65d17fcf5284c515205135c7be79d554eb9a13a3ffaef0a36ce4ce9df16a0dd62cf15eadcfa99f477a098f051e39f4056206f9f1fa1ff41257acc4ecd7d74

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
79KB

MD5
e8b760bc4d59529a881a0f8c43d3c024

SHA1
d0f5af08d6f3afa62af2bf285ee24ec7bc5ce711

SHA256
3f6c2e82ee31d2d32460b88adca77ccd297f2dbf1a1d81f7271f3916226c7fb8

SHA512
77b8d031ee6ecfe5925f9c5d2b1da512dd106271be85385c095ebb19994b25cc7ee4ab9f495e4b446317ec4957fc33ac573640bef4ba135970e5feb17efc2cdd

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
79KB

MD5
75d43e5c6d70a433b248d111cf91e4ef

SHA1
d58373946b47d466c8f0e7ff22c46e0c087c97d0

SHA256
5da18e3490fe9bce5010fa2f2d606a9ff73496da55024144f43654fa8f1c7788

SHA512
c8bb9af658361244a1e02c976070ba158099e156eee547c5360f6c197191631d710b0e0f3753a0ca79c75e75d1ad2ac167b7b0f2b2d494ba91f9c247465e709f

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
79KB

MD5
7a55ffb8b6f793f594d6e9fd0526d23d

SHA1
6428c0da578688ff1a28a0821bce02cf440af4aa

SHA256
1f6b5a55b697d6ba7533be25c6f5734eeffa7f53f6dc07d96be06213c3783a92

SHA512
919a4d9f41b376bb8120830d75b07a06b3e48796ae0474e9b25a50a3f8b5e7fbd4d4db65391d18a3ae0ea9ad51c1f73cdb53111324f2b680e806727148130867

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
79KB

MD5
fb930e4b27e40caf9e691af695767492

SHA1
defd44e97e02671824bf3c13848c02628b17a98d

SHA256
a24e33b57e0855fa242aea9a52eb316f3c6e1f3aacd2b9a5f22eced0a056a9e0

SHA512
08a56436431f8ad40e6b464f67d4e867abd4f11ce795d91dd9bae2b55b62d90e548776ae388fc5e0c85e0ce930751ccf426a005a2e355e40e751165f5c9acff2

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
79KB

MD5
73286f5b0f3c182bf671292919b86737

SHA1
c64adc42fae2ac499770da801bffec2450781e30

SHA256
3cced627a9bd61f43050e05f1a69fa42a733bace05f2fb31afbaa4d013821eee

SHA512
0ef3f909d272e7488668260f078d9606503cb1c2bf235a1bac1b517928239e1efd02cf214bdb674563a3566be5fb9e78b907e42a155ee902d6da6b4eb24e9ec0

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
79KB

MD5
3d346f448705a05cd2ee36786a6a9122

SHA1
985c82875076f0bd824b1e5fae1a3a80587b85c8

SHA256
8cae438d7e598eaeb8a633eacdd68942d3653e61ee1ba55e7fafd17794ee8362

SHA512
e4acf875883919288beecc672672c875c8b1ba53caae23a5176e3627e297ce7f58e31679616444057f97d4a211e091beeb6eb03beaee0d6ee7567e37c2abc71a

Download Submit
\Windows\SysWOW64\Bfioia32.exe

Filesize
79KB

MD5
0de15b1f21c5295eae52b02ee235d622

SHA1
a259d363dc8522589ee5d4c66ed94a3284b27eda

SHA256
2b5bb8e2f15c4950a20ce74bc650d76e5c2d87ea688211ef9561edade0efdba4

SHA512
0b347d20f0ff4a1d816aafcae656ec92a17d94d4c8aeba8e79d2e0c4752d75b991f961150133b4ba970b1667face7c62f3e9b27d353ca4b187330bfe16ccaef3

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
79KB

MD5
3ec782898c00b635ffe45f6844eb97ba

SHA1
8bb97f7fe6dea7f5a75eebd0ba702339c660dd47

SHA256
32941f79b4a62eae3dee01da49873e4ceab6043c0f53d11c4d147689e1c833cc

SHA512
f309163a17c62ee4761cb4ff8c2c744c612ab51ab3ca3c660094435b56e4bad44a76b4082ae45837db667c6d71093ec54030538101b362709170b8562f626c49

Download Submit
\Windows\SysWOW64\Bigkel32.exe

Filesize
79KB

MD5
bb4c4dfcc3c074c9f196e69ffc28de27

SHA1
71d2919e5507bd78c4200ee6116a3277855ae824

SHA256
ca297b28a02ae40854579da75b6f15d73fbc005d6dc1dd7da64bca353b82920d

SHA512
f4fdd7d1d8ac2653c21b55f8b28a4156e7d28724ad00eaf6d58ef6a9951c095a5e2ede9b052052bde802584211ef0e26c0c6c38554e3fddc72a8c853a8b8ddc2

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
79KB

MD5
99a6d3d3d7a7c49fd250e8b4d17211a9

SHA1
6507a949043145120e5d63e55cc0cbeabc04ee33

SHA256
f5caa8c9510b3174e7722c6c39c1a4c294000030965333c07d6fb80b591a60ef

SHA512
dc1fcefe95347b483ffbf3507844a80035e44360e979c00146e17eb86aa83ce9b29fd92e4cd2bd270397150584361a96f44d36493fcb7a4cbfb05c3f1f27007f

Download Submit
\Windows\SysWOW64\Bmlael32.exe

Filesize
79KB

MD5
876bfd9696330668b02af45ffde90548

SHA1
b00b0ed58cda72671eb10af001a2ac8875ea4afc

SHA256
13867c411678b27fbecbd65b9a5c825b41ca4f3035f74bcbb026d772aa881080

SHA512
4d6db50d27dd4e9177a3a28438b0f637ed3661fd36afd31ab761b55baab846b2a40a66670e71138c528910cbd689a570f7870a3489b9cdd2a5a26d34166e4ab7

Download Submit
\Windows\SysWOW64\Cbblda32.exe

Filesize
79KB

MD5
c03dff13e2e4a0aadfd4c2bdd05d744a

SHA1
18201cec6b3fa81691198de5f6ff0cc63e777af5

SHA256
0a0a8682012672596f8a9f3cf914ebafcc349a56152d6a0dfc08f38027e8423c

SHA512
5a40175b6807ad3fa90980df49218de7a09529ec9a2c74d493a202879d755b3a956e14e5a50a4bb3d3249ebc0cea3191f5d679b2f76a638d024ed2905f150e41

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
79KB

MD5
3e1b1c9c86bbc62c0cb192f1de0c06b3

SHA1
c81bb07283afa805a080538b0e6df66d186aaa63

SHA256
5b209257c36aa79ce0a134c8d4389ec59e712b1f130a3dabaf683ece28fda178

SHA512
4cfe8d66238e2a786e0528ac6ff2560f4a56ecec3d0a3deb1a78bfbb132f9a158772795da8555236a07ca39422068a591b6bc24b28d927711d0386c4d02db7e6

Download Submit
memory/320-138-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/320-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/320-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-252-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/968-251-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/968-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-272-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1012-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-273-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1016-312-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1016-316-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1016-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-165-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1200-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-218-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1300-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-241-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1408-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-237-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1408-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-86-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1716-78-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-263-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/1732-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-259-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/1752-344-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1752-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-17-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1952-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-293-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2116-294-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2116-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-113-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2232-304-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2232-305-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2232-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-353-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2248-33-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2272-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-280-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2388-284-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2388-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-336-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2664-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-335-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2720-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-350-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2856-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-59-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2868-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-322-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2940-326-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2940-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-192-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads