berbew | 18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f

Analysis

max time kernel
91s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Size

250KB
MD5

8b8c6309d211814c0ff603cc157dc798
SHA1

2b8e2442294cedbc583ea94525db40062028f3b1
SHA256

18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f
SHA512

679265d396fb3316f7fa4425fff0a739b1b556adc98798fd3bb1d9b166ecf4aede5ba757664ac2a7e06f360b2c750472d29539f1fd5f78f0ebb829304955deb5
SSDEEP

6144:/SvcyDvCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:/Iy

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiilge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ablbjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbchkime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aicmadmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbadagln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpena32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amoibc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camnge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doqkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dklepmal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicmadmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bikcbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcemnopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amoibc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doqkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbchkime.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiilge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dglpdomh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Empomd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgcio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkcfjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgcio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkcfjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dklepmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Empomd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ablbjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bikcbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccqhdmbc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
2764	Aicmadmm.exe
1668	Amoibc32.exe
2864	Ablbjj32.exe
2532	Blgcio32.exe
2572	Bikcbc32.exe
616	Bbchkime.exe
1728	Blkmdodf.exe
2148	Bdfahaaa.exe
2728	Bakaaepk.exe
2844	Bkcfjk32.exe
2916	Camnge32.exe
2952	Ccqhdmbc.exe
2240	Clilmbhd.exe
1076	Cjoilfek.exe
1216	Coladm32.exe
696	Ddkgbc32.exe
836	Doqkpl32.exe
1596	Dglpdomh.exe
1412	Dbadagln.exe
1924	Ddbmcb32.exe
2492	Dcemnopj.exe
2264	Dklepmal.exe
556	Ecgjdong.exe
868	Empomd32.exe
2760	Efhcej32.exe
1660	Eqngcc32.exe
2740	Eiilge32.exe
2652	Ekghcq32.exe
2576	Efmlqigc.exe
3044	Egpena32.exe
3060	Fpgnoo32.exe
1960	Fipbhd32.exe
2136	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2668	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
2668	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
2764	Aicmadmm.exe
2764	Aicmadmm.exe
1668	Amoibc32.exe
1668	Amoibc32.exe
2864	Ablbjj32.exe
2864	Ablbjj32.exe
2532	Blgcio32.exe
2532	Blgcio32.exe
2572	Bikcbc32.exe
2572	Bikcbc32.exe
616	Bbchkime.exe
616	Bbchkime.exe
1728	Blkmdodf.exe
1728	Blkmdodf.exe
2148	Bdfahaaa.exe
2148	Bdfahaaa.exe
2728	Bakaaepk.exe
2728	Bakaaepk.exe
2844	Bkcfjk32.exe
2844	Bkcfjk32.exe
2916	Camnge32.exe
2916	Camnge32.exe
2952	Ccqhdmbc.exe
2952	Ccqhdmbc.exe
2240	Clilmbhd.exe
2240	Clilmbhd.exe
1076	Cjoilfek.exe
1076	Cjoilfek.exe
1216	Coladm32.exe
1216	Coladm32.exe
696	Ddkgbc32.exe
696	Ddkgbc32.exe
836	Doqkpl32.exe
836	Doqkpl32.exe
1596	Dglpdomh.exe
1596	Dglpdomh.exe
1412	Dbadagln.exe
1412	Dbadagln.exe
1924	Ddbmcb32.exe
1924	Ddbmcb32.exe
2492	Dcemnopj.exe
2492	Dcemnopj.exe
2264	Dklepmal.exe
2264	Dklepmal.exe
556	Ecgjdong.exe
556	Ecgjdong.exe
868	Empomd32.exe
868	Empomd32.exe
2760	Efhcej32.exe
2760	Efhcej32.exe
1660	Eqngcc32.exe
1660	Eqngcc32.exe
2740	Eiilge32.exe
2740	Eiilge32.exe
2652	Ekghcq32.exe
2652	Ekghcq32.exe
2576	Efmlqigc.exe
2576	Efmlqigc.exe
3044	Egpena32.exe
3044	Egpena32.exe
3060	Fpgnoo32.exe
3060	Fpgnoo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Efmlqigc.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Doqkpl32.exe	Ddkgbc32.exe
File created	C:\Windows\SysWOW64\Dglpdomh.exe	Doqkpl32.exe
File created	C:\Windows\SysWOW64\Dcemnopj.exe	Ddbmcb32.exe
File opened for modification	C:\Windows\SysWOW64\Eqngcc32.exe	Efhcej32.exe
File opened for modification	C:\Windows\SysWOW64\Bikcbc32.exe	Blgcio32.exe
File created	C:\Windows\SysWOW64\Nelafe32.dll	Bkcfjk32.exe
File created	C:\Windows\SysWOW64\Dbadagln.exe	Dglpdomh.exe
File opened for modification	C:\Windows\SysWOW64\Eiilge32.exe	Eqngcc32.exe
File opened for modification	C:\Windows\SysWOW64\Egpena32.exe	Efmlqigc.exe
File opened for modification	C:\Windows\SysWOW64\Ddkgbc32.exe	Coladm32.exe
File created	C:\Windows\SysWOW64\Apafhqnp.dll	Ddkgbc32.exe
File created	C:\Windows\SysWOW64\Blgcio32.exe	Ablbjj32.exe
File opened for modification	C:\Windows\SysWOW64\Blgcio32.exe	Ablbjj32.exe
File created	C:\Windows\SysWOW64\Cabcdq32.dll	Bikcbc32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfahaaa.exe	Blkmdodf.exe
File opened for modification	C:\Windows\SysWOW64\Aicmadmm.exe	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
File created	C:\Windows\SysWOW64\Mbendkpn.dll	Aicmadmm.exe
File opened for modification	C:\Windows\SysWOW64\Bbchkime.exe	Bikcbc32.exe
File created	C:\Windows\SysWOW64\Bakaaepk.exe	Bdfahaaa.exe
File opened for modification	C:\Windows\SysWOW64\Bakaaepk.exe	Bdfahaaa.exe
File created	C:\Windows\SysWOW64\Camnge32.exe	Bkcfjk32.exe
File created	C:\Windows\SysWOW64\Ekghcq32.exe	Eiilge32.exe
File opened for modification	C:\Windows\SysWOW64\Fipbhd32.exe	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Lgdojnle.dll	Blkmdodf.exe
File created	C:\Windows\SysWOW64\Hclemh32.dll	Ddbmcb32.exe
File created	C:\Windows\SysWOW64\Fipbhd32.exe	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Bbchkime.exe	Bikcbc32.exe
File opened for modification	C:\Windows\SysWOW64\Camnge32.exe	Bkcfjk32.exe
File created	C:\Windows\SysWOW64\Cjoilfek.exe	Clilmbhd.exe
File created	C:\Windows\SysWOW64\Ddkgbc32.exe	Coladm32.exe
File opened for modification	C:\Windows\SysWOW64\Dklepmal.exe	Dcemnopj.exe
File created	C:\Windows\SysWOW64\Empomd32.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Efhcej32.exe	Empomd32.exe
File opened for modification	C:\Windows\SysWOW64\Efhcej32.exe	Empomd32.exe
File created	C:\Windows\SysWOW64\Ngeogk32.dll	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Coladm32.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Baboljno.dll	Coladm32.exe
File opened for modification	C:\Windows\SysWOW64\Ddbmcb32.exe	Dbadagln.exe
File opened for modification	C:\Windows\SysWOW64\Dcemnopj.exe	Ddbmcb32.exe
File created	C:\Windows\SysWOW64\Eqngcc32.exe	Efhcej32.exe
File created	C:\Windows\SysWOW64\Eccjdobp.dll	Eqngcc32.exe
File created	C:\Windows\SysWOW64\Aicmadmm.exe	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
File opened for modification	C:\Windows\SysWOW64\Dbadagln.exe	Dglpdomh.exe
File created	C:\Windows\SysWOW64\Ecgjdong.exe	Dklepmal.exe
File created	C:\Windows\SysWOW64\Fpgnoo32.exe	Egpena32.exe
File created	C:\Windows\SysWOW64\Mgaajh32.dll	Bbchkime.exe
File created	C:\Windows\SysWOW64\Doejph32.dll	Ccqhdmbc.exe
File opened for modification	C:\Windows\SysWOW64\Coladm32.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Jmhdkakc.dll	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Hhejoigh.dll	Dglpdomh.exe
File created	C:\Windows\SysWOW64\Ddbmcb32.exe	Dbadagln.exe
File opened for modification	C:\Windows\SysWOW64\Empomd32.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Mhibidgh.dll	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Fiqechmg.dll	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
File opened for modification	C:\Windows\SysWOW64\Ablbjj32.exe	Amoibc32.exe
File created	C:\Windows\SysWOW64\Ophppo32.dll	Blgcio32.exe
File created	C:\Windows\SysWOW64\Bkcfjk32.exe	Bakaaepk.exe
File created	C:\Windows\SysWOW64\Ccqhdmbc.exe	Camnge32.exe
File created	C:\Windows\SysWOW64\Hdpbking.dll	Efhcej32.exe
File created	C:\Windows\SysWOW64\Eiilge32.exe	Eqngcc32.exe
File opened for modification	C:\Windows\SysWOW64\Ekghcq32.exe	Eiilge32.exe
File opened for modification	C:\Windows\SysWOW64\Dglpdomh.exe	Doqkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Amoibc32.exe	Aicmadmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	2136	WerFault.exe	62

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkmdodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqhdmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Empomd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bikcbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doqkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbadagln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilmbhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicmadmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbchkime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camnge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddkgbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglpdomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddbmcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmlqigc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amoibc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcfjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjoilfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcemnopj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqngcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgcio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfahaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablbjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dklepmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efhcej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiilge32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedoacoi.dll"	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apafhqnp.dll"	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfjh32.dll"	Empomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Empomd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdkakc.dll"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doqkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiilge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedehamj.dll"	Amoibc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clilmbhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Empomd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhfbgmj.dll"	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdpbking.dll"	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggcij32.dll"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blgcio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkcfjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcemnopj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dklepmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll"	Eiilge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll"	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophppo32.dll"	Blgcio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dklepmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eidmboob.dll"	Ablbjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blgcio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbchkime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidbakdl.dll"	Camnge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll"	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnqe32.dll"	Dcemnopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aicmadmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amoibc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbchkime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coladm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doqkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dglpdomh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aicmadmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ablbjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ablbjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelafe32.dll"	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll"	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiilge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baboljno.dll"	Coladm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2764	2668	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe	30
PID 2668 wrote to memory of 2764	2668	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe	30
PID 2668 wrote to memory of 2764	2668	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe	30
PID 2668 wrote to memory of 2764	2668	18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe	30
PID 2764 wrote to memory of 1668	2764	Aicmadmm.exe	31
PID 2764 wrote to memory of 1668	2764	Aicmadmm.exe	31
PID 2764 wrote to memory of 1668	2764	Aicmadmm.exe	31
PID 2764 wrote to memory of 1668	2764	Aicmadmm.exe	31
PID 1668 wrote to memory of 2864	1668	Amoibc32.exe	32
PID 1668 wrote to memory of 2864	1668	Amoibc32.exe	32
PID 1668 wrote to memory of 2864	1668	Amoibc32.exe	32
PID 1668 wrote to memory of 2864	1668	Amoibc32.exe	32
PID 2864 wrote to memory of 2532	2864	Ablbjj32.exe	33
PID 2864 wrote to memory of 2532	2864	Ablbjj32.exe	33
PID 2864 wrote to memory of 2532	2864	Ablbjj32.exe	33
PID 2864 wrote to memory of 2532	2864	Ablbjj32.exe	33
PID 2532 wrote to memory of 2572	2532	Blgcio32.exe	34
PID 2532 wrote to memory of 2572	2532	Blgcio32.exe	34
PID 2532 wrote to memory of 2572	2532	Blgcio32.exe	34
PID 2532 wrote to memory of 2572	2532	Blgcio32.exe	34
PID 2572 wrote to memory of 616	2572	Bikcbc32.exe	35
PID 2572 wrote to memory of 616	2572	Bikcbc32.exe	35
PID 2572 wrote to memory of 616	2572	Bikcbc32.exe	35
PID 2572 wrote to memory of 616	2572	Bikcbc32.exe	35
PID 616 wrote to memory of 1728	616	Bbchkime.exe	36
PID 616 wrote to memory of 1728	616	Bbchkime.exe	36
PID 616 wrote to memory of 1728	616	Bbchkime.exe	36
PID 616 wrote to memory of 1728	616	Bbchkime.exe	36
PID 1728 wrote to memory of 2148	1728	Blkmdodf.exe	37
PID 1728 wrote to memory of 2148	1728	Blkmdodf.exe	37
PID 1728 wrote to memory of 2148	1728	Blkmdodf.exe	37
PID 1728 wrote to memory of 2148	1728	Blkmdodf.exe	37
PID 2148 wrote to memory of 2728	2148	Bdfahaaa.exe	38
PID 2148 wrote to memory of 2728	2148	Bdfahaaa.exe	38
PID 2148 wrote to memory of 2728	2148	Bdfahaaa.exe	38
PID 2148 wrote to memory of 2728	2148	Bdfahaaa.exe	38
PID 2728 wrote to memory of 2844	2728	Bakaaepk.exe	39
PID 2728 wrote to memory of 2844	2728	Bakaaepk.exe	39
PID 2728 wrote to memory of 2844	2728	Bakaaepk.exe	39
PID 2728 wrote to memory of 2844	2728	Bakaaepk.exe	39
PID 2844 wrote to memory of 2916	2844	Bkcfjk32.exe	40
PID 2844 wrote to memory of 2916	2844	Bkcfjk32.exe	40
PID 2844 wrote to memory of 2916	2844	Bkcfjk32.exe	40
PID 2844 wrote to memory of 2916	2844	Bkcfjk32.exe	40
PID 2916 wrote to memory of 2952	2916	Camnge32.exe	41
PID 2916 wrote to memory of 2952	2916	Camnge32.exe	41
PID 2916 wrote to memory of 2952	2916	Camnge32.exe	41
PID 2916 wrote to memory of 2952	2916	Camnge32.exe	41
PID 2952 wrote to memory of 2240	2952	Ccqhdmbc.exe	42
PID 2952 wrote to memory of 2240	2952	Ccqhdmbc.exe	42
PID 2952 wrote to memory of 2240	2952	Ccqhdmbc.exe	42
PID 2952 wrote to memory of 2240	2952	Ccqhdmbc.exe	42
PID 2240 wrote to memory of 1076	2240	Clilmbhd.exe	43
PID 2240 wrote to memory of 1076	2240	Clilmbhd.exe	43
PID 2240 wrote to memory of 1076	2240	Clilmbhd.exe	43
PID 2240 wrote to memory of 1076	2240	Clilmbhd.exe	43
PID 1076 wrote to memory of 1216	1076	Cjoilfek.exe	44
PID 1076 wrote to memory of 1216	1076	Cjoilfek.exe	44
PID 1076 wrote to memory of 1216	1076	Cjoilfek.exe	44
PID 1076 wrote to memory of 1216	1076	Cjoilfek.exe	44
PID 1216 wrote to memory of 696	1216	Coladm32.exe	45
PID 1216 wrote to memory of 696	1216	Coladm32.exe	45
PID 1216 wrote to memory of 696	1216	Coladm32.exe	45
PID 1216 wrote to memory of 696	1216	Coladm32.exe	45

C:\Users\Admin\AppData\Local\Temp\18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe
"C:\Users\Admin\AppData\Local\Temp\18d63cd2798db92776386dcffe37c5ff1b4e222e8d929c210da94581da2d2a0f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\Aicmadmm.exe
  C:\Windows\system32\Aicmadmm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\Amoibc32.exe
    C:\Windows\system32\Amoibc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\Ablbjj32.exe
      C:\Windows\system32\Ablbjj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Blgcio32.exe
        
        C:\Windows\system32\Blgcio32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\Bikcbc32.exe
        
        C:\Windows\system32\Bikcbc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Bbchkime.exe
        
        C:\Windows\system32\Bbchkime.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\SysWOW64\Blkmdodf.exe
        
        C:\Windows\system32\Blkmdodf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Bdfahaaa.exe
        
        C:\Windows\system32\Bdfahaaa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Bakaaepk.exe
        
        C:\Windows\system32\Bakaaepk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Bkcfjk32.exe
        
        C:\Windows\system32\Bkcfjk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Camnge32.exe
        
        C:\Windows\system32\Camnge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ccqhdmbc.exe
        
        C:\Windows\system32\Ccqhdmbc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Clilmbhd.exe
        
        C:\Windows\system32\Clilmbhd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Cjoilfek.exe
        
        C:\Windows\system32\Cjoilfek.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Coladm32.exe
        
        C:\Windows\system32\Coladm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Ddkgbc32.exe
        
        C:\Windows\system32\Ddkgbc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Doqkpl32.exe
        
        C:\Windows\system32\Doqkpl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Dglpdomh.exe
        
        C:\Windows\system32\Dglpdomh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Dbadagln.exe
        
        C:\Windows\system32\Dbadagln.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Dcemnopj.exe
        
        C:\Windows\system32\Dcemnopj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Dklepmal.exe
        
        C:\Windows\system32\Dklepmal.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Empomd32.exe
        
        C:\Windows\system32\Empomd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Efhcej32.exe
        
        C:\Windows\system32\Efhcej32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Eqngcc32.exe
        
        C:\Windows\system32\Eqngcc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Eiilge32.exe
        
        C:\Windows\system32\Eiilge32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Efmlqigc.exe
        
        C:\Windows\system32\Efmlqigc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 140
        35⤵
        Program crash
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ablbjj32.exe

Filesize
250KB

MD5
2b31f400c7e8982498ec0a6b237bcc70

SHA1
8c540f1f764704538615e7a454f99ce7083d6338

SHA256
12382f79508447e97f31d00814cb6a392d79bab70d52d0e63c043190f9271c82

SHA512
cc04a96a62080a05d5ab51f2524f7e7b7a049c08f3eff9ccd89754afb3189109e2e934272ec898f6fe11769000daadec66a5742e9e6cc64d7e9e7ce9ccd14207

Download Submit
C:\Windows\SysWOW64\Aicmadmm.exe

Filesize
250KB

MD5
2fe2d05d75f3fcaf1585a7c40d1c43a3

SHA1
c6af4e818433f288856c7f5c03af54ac5a1b9cae

SHA256
e6eec0fff408a9058fd8f160745df73bc139392057cd8aacbe2774e1e3cef476

SHA512
0184077a2cbb802bd767d118491ad81df2470081be55aa023d429ba7d85c7bf856c9fcaeff9613517c28c0c85999bcc494f710cfcd4f80bf335f1e5ae2c8110f

Download Submit
C:\Windows\SysWOW64\Amoibc32.exe

Filesize
250KB

MD5
e6629d1d8e807786cf92eb6803894d6e

SHA1
88b1aca2be091971f53e6bff83c7108564ae443d

SHA256
353ea8178a33cd18a6c88b9b3fb48d3d69634d7e0327e122277e3acd7116a369

SHA512
05d6f3ea06fc46ad94707846001a209d5b725594ecd59eeacaf81a86679556d41efe0e4f5dbd88e22a71a4931ff74df9a246e67d96dee5e13362af3b8ec145a5

Download Submit
C:\Windows\SysWOW64\Dbadagln.exe

Filesize
250KB

MD5
bf267d093d561abdc3ec12d51864f693

SHA1
c29611c68461cb97f4bcbafa42fba6e8af33457b

SHA256
b08c43f0d7809153a4fbb4046c264a461b6cb52e661d2e895114b5af3539cebb

SHA512
0cacfaf31d1421867e192e7f647bc2a650e4758f27369eaba375375897f87a6415815a225402f04c7fce17eb36a1e5afc4aea291190cae578d1f6ee0f98f416d

Download Submit
C:\Windows\SysWOW64\Dcemnopj.exe

Filesize
250KB

MD5
961afd9aed4d39b1b5891f04ff486ec9

SHA1
767862238a89942848c32d616a1f19245baaf451

SHA256
b6eefaa1181b4eda453ff65403bf60baae2d29f7fd52bb01b1b832614ea867d6

SHA512
41798aee47bc83e9897405ec1bebd4ef70ebd22009c1725a8e02009a4509cfef8294cab390b2fb03646b78ba7c6c50c4101d3ecf9f24a2339745255ed613d8d9

Download Submit
C:\Windows\SysWOW64\Ddbmcb32.exe

Filesize
250KB

MD5
2191d05b21a73db5fd996e8e4b47e6e0

SHA1
5107aa4783bb8652f9044e5a53d689963bc4fecc

SHA256
c2bb5a535456cd41adeaf987a422791b9132b7f75b12d74078a53e9fc578d1d5

SHA512
73cc635f493d7ee54790800712239c364f7ff7df461e9738bf0f9023ebf2114eddffb72d53c9ce2c14e19d7476c8a97431c2b3fd5d21ee9120ec5bedfb0feb68

Download Submit
C:\Windows\SysWOW64\Dglpdomh.exe

Filesize
250KB

MD5
518a34c0071ea4f9b5e22ca83f37bb5a

SHA1
1a28cbbce1477cf02404cfa3bdb7df00f580aef1

SHA256
4018a913cb01c60dc3755d1b69e4ada952ddff107abbc38bcf5aebbdddef49d2

SHA512
e4ea8293fb916c032ce270216c255e90120ab367ad4a6844478cd0695e0c1701cedfdc4de81d1a19ec42e2dbfbc314215f9fef76055a220f8588ebe4596fcc7d

Download Submit
C:\Windows\SysWOW64\Dklepmal.exe

Filesize
250KB

MD5
230afa1a109e2065cbee499d0b112b0a

SHA1
92eeb5ed0b48af1d954458020442349312fc1114

SHA256
c237908999d19ee0690a192f4778d4534cb2750663eec8657d367be6c904a8dc

SHA512
6ba3bb2c96bb32876c89b60bc6eef06f8d04df6613cd5a2aba139e8b5851265306f5eefc39ec294879b073977e0e5e2fdb8456c155f7cc28783fd536eedfc3ff

Download Submit
C:\Windows\SysWOW64\Doqkpl32.exe

Filesize
250KB

MD5
40de0cf63e6f8f8b01e274fa2bd39c3b

SHA1
4280870538f1edda0c4087cab78db68c0dbd4fac

SHA256
cdb7ea5b546b84157c9add96bce9adfc9922cea3da8e760d15a1b905cf3ddb7a

SHA512
455e40314b20b7ee428aa6fc395103b74498a919b5f499f91ac8d6f3bd3d520003a445ffe378599cc9659b4c9d3cb900c264f180a8c7a1c74da3e8d4a8eeac05

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
250KB

MD5
5dbede6d7df2412d24be687ef597c6d4

SHA1
2bb8899277bc92620495745ac5c95232037f9fbf

SHA256
2bb088c95b426a31329b2a4e1ce4405672ba5edf8b6f73b1ded689493206d7e9

SHA512
e73aa2cff97dd06760b0e98f8f2b537ea859bf8c0023f789918a6fff062bc55239f40ce6784dbfe5a9e61627db76ca166335fb1a9e218471d0340c60a647087d

Download Submit
C:\Windows\SysWOW64\Efhcej32.exe

Filesize
250KB

MD5
7f8c30c81cf9fbd263009ae28025cc62

SHA1
9fbf3d447cf7ae198cbbd1bfd6386ede622ee294

SHA256
960f6cada31aa18c5ffb6eef3ccf565aac131303c297df5c70525a80abd3d36e

SHA512
41d784cff999ef106d4e9998bc7350d3fb69c60f55b2b2d1af340c605a4f3fd7e3fc3e8af907072fad19fbdb6976679d5a327b364ecc9892f4906011b11d1e17

Download Submit
C:\Windows\SysWOW64\Efmlqigc.exe

Filesize
250KB

MD5
4559685a08b284cf0663cdb73d18687b

SHA1
59687f425e736b67261cb5e4011d9fffad754067

SHA256
0f826615c09b0f9879535d3c05df2124436680038c5dc14d64b04e03c30602be

SHA512
75e8439e374e645c93ba601870be1358abadf1211c83dd99f65ab12e882be4d91b15eda45bd63b5f68a11e0ac5f029ef2196d2c361f8084958b8c3f548572b09

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
250KB

MD5
3ffb091fdb1a69b4994e200080b026e2

SHA1
9117bbd4dda70710877847f887356dc26a5b8958

SHA256
bcfb3149fd31d1eedf0d2e208c79c4dc08fbea7b74d4fa4cfa210e52f21a7599

SHA512
f0dde63b2dbba51858274cbef07be0d692af428ac974651613491f8f247b099f612a6c85dd0c0b7767ea327dd71987fe833854d62239723b6464ffd1081162a0

Download Submit
C:\Windows\SysWOW64\Eiilge32.exe

Filesize
250KB

MD5
97ebf6341c22354da778099ed1c237a3

SHA1
b398b0e1de12d0b5f872d4c0a073e8ae7637cdfd

SHA256
ce80aa7bd7e0682edeee04ccad3386e7daef921a2327f50d94df968277d82303

SHA512
e6cea4905514a491403b185a6254afdae238d7425b06480b0724be16a9041b9d046418d4ae20c75297ced563e5898602890a9f209e0e1dd65dead51a89895c80

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
250KB

MD5
d1e12bd607afcd838ffc9afc13338c5d

SHA1
23f9e3173f3f521c3e978d704089f90f8c2a875f

SHA256
337713d300c2880a515fd34fd19b17799234514a6f78b533e9aabbffaa509d99

SHA512
60d4785219965ceb9a8d41fb51c5346cf3715e70df59739821c14b56924950ec2c7af61bfc3d6bf24e98cbdc878a424b6f2d254311aa008395706d5f4f5fd7c2

Download Submit
C:\Windows\SysWOW64\Empomd32.exe

Filesize
250KB

MD5
9b621bd5744ddf6a838457989052e87c

SHA1
b4c35baef1802b72af4c3c86d949c2e2ab4375a3

SHA256
9b5379701292a2997870c30c69931c82d1140671d5759474c3114291513ef040

SHA512
14d48117f690336a284adf782ef6d052056ccd6d5aabf0547381250a83c72d14e0f674ab3f5a29236d6c91706a56b06010c185c741dc650470dbb2d61fd201bc

Download Submit
C:\Windows\SysWOW64\Eqngcc32.exe

Filesize
250KB

MD5
e2ef35d44f8e6a2cf9c6469af6267fff

SHA1
089396cced69c6c4ebff49c3c613154eed63c4e6

SHA256
b9f4b15997592fc17d8f288c5633ede972b08b7c6dbb7e600bdd86d91eab5352

SHA512
73e6f0989e7336ba5cc22fc24999ad610bf7976272dfd92cd900cd6e73c3645cf9ade61c07c669c47740488904e73b53565bf6250ca5b23732e2d52ddd040f8d

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
250KB

MD5
e60db2e14f7fe3854c6a5bf2878b5597

SHA1
49b8b9a72ba67599cfe115ba10cfb139939dc865

SHA256
e1f8dc38b525b4f6fd9309c7cc9be7d9107d73d734b640eab28da2363846912e

SHA512
e10431335ea9efe689f475fd71df655be5f8103d072f742e57eaddf60182489495c654ba830fa5307f0f2878f7e27b1e511e76b7d4ce68db23cfb1d48613ebdb

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
250KB

MD5
aa024825ecbdd6bd2261382030c068e5

SHA1
742a44ac5d60edfe73774a6c9f0141dc1936d55d

SHA256
e74cc3f4fbdfe11df212dc3f69d2c48c0f497f6a52c416be6ae8f54a7f53ea9f

SHA512
da88eeaacb7bf5b564c8827f0c0e732938bd3414673a7cc1e14316e96c0f720379a419d89d18c6ad0d58664cca5fc69ed1cc50628d98a9052d0fb0d45acca21b

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
250KB

MD5
7d942fc6d81a0e64ba1561df08e506cc

SHA1
3669f87e5c7f8b9cb973d3d79876df1828a37b14

SHA256
c828b095bd58a646a8545e1848aeffbe4de484fa61911a2977383ea546a85188

SHA512
a78dcb40be5b891089d050c6fa8e6f296efb56688cbee8b5038cff3909c7fca7d528661ca9ebe2d0b623a8e46c80326eab1001713a73380c95dff270160c59c0

Download Submit
\Windows\SysWOW64\Bakaaepk.exe

Filesize
250KB

MD5
5b880a0f6e45e15bbe07cd2923d34916

SHA1
1c674d6d05a212626a02c53d4f11c1ccab472642

SHA256
b6c3f73708a38c1831bce0043f2c64851bff61d39d4d975a85af6dc53b8c10b1

SHA512
f95a2636ec0dac80b9dfdb24a346bf1cdcccee1b0af869148cd7d41cd0a17822b4de474126f3919141296ab80e79fd56e2825586857411411cc881bb30a325dd

Download Submit
\Windows\SysWOW64\Bbchkime.exe

Filesize
250KB

MD5
9cb19bbe75267c1b196b491252ad9cb5

SHA1
688bf28012b7a6c03215ae698759f72c7b8ad829

SHA256
3d9b3e073b399f565bdc3e8a7ee5b5a3071a44aa3b17d6318aa72af3c945f59c

SHA512
9a1c26b5e154161ff5bb1a9e2c6c9d379ececd681ba809d1a53d436a78eb986bc54132ad0c345238cbeca0429b65d2cc7fd6d15fdc0207f5667c45346879f4cb

Download Submit
\Windows\SysWOW64\Bdfahaaa.exe

Filesize
250KB

MD5
3ab8a0833f3eef70a428d4e5b991a14b

SHA1
df09754fed6f40567ce56532ab96e5513dbb6c9e

SHA256
a07369bdc46c1cc7be2f2d9e310c60e49d82ec39bbd3b5b5b820ff4d2a6ea4fb

SHA512
244332c8a625c2b90197adebc8d05030ca61eb98654cafe881743a2f305aa01c9dd19a9393a559c1ecaa98a07042515ae5d336df138fba1b6a81ded6dec3c634

Download Submit
\Windows\SysWOW64\Bikcbc32.exe

Filesize
250KB

MD5
03e74c5f1bddbd2d6bace0c2585104ed

SHA1
7514e8991f9028ecdfb42f28c5207a9771c2fe15

SHA256
6d3d6c10c1d588af8b7ac3b45dec69a0010f93d1c567c464d42fe628744834c9

SHA512
b11e94277862e42a40ec42850802be1c33a9803d00590ea9ddbae578843eef629411eb7cbfb521d38e5d7615a12de77af253a207c7d94e2797f6a6e047543739

Download Submit
\Windows\SysWOW64\Bkcfjk32.exe

Filesize
250KB

MD5
bb84144735689fc38f7b8abed11573c5

SHA1
e2edcb17c5899534034f2f59502a22f094bc6936

SHA256
605807f50106284a18c844647605d6bc0b7b923f901cfefa8b4f0dbb1c2c112b

SHA512
be1636129a06f5057abc503fbff7be3cb6977bb2834dae92fac52f6e753c045ff449bde0de2bd7cb42da3ade2d6b9439f06d4e52434e7b375a86062c4dd2e8ee

Download Submit
\Windows\SysWOW64\Blgcio32.exe

Filesize
250KB

MD5
bed113dede8a6d33b22b8f2d2a4a5e84

SHA1
0c33c650aee9363c1585d8bd02bb6b6a1f019e4f

SHA256
d4a8b4f3f1338643a2f8d8c4aeb6505191fc4b0edcd91d147ea63a5dc8f4d737

SHA512
fc26614773f361086be3059100ab18f67d9e06e4d963cf2c56f9dd1ff1d67261d4eaf4bd3e4abfc965fc8890c553da8d753214e063c5c186fe56c7b8d13501d8

Download Submit
\Windows\SysWOW64\Blkmdodf.exe

Filesize
250KB

MD5
a5fd82fb385c81752a264a3dceebe609

SHA1
b8beb16f959bb01d380d2929a060e411ad3d40b8

SHA256
3a01e21bb6a9bc8abac0f4e91e93ccc63b2afe87e700d1a83b6f1e587940f445

SHA512
ef62c0dcbf6745bcc1d603835a9fb84b6986680fb36cf5f3a5ce12787043c35e02e0df10ff694cb62df6336ed08116546b570b5a686b0043400003df3af42cc5

Download Submit
\Windows\SysWOW64\Camnge32.exe

Filesize
250KB

MD5
cd078c815331434c784b956b21eb8091

SHA1
929f5c74c7fdd85fa8fc2a1b0bd27b00145e9f44

SHA256
0e0b3281933442f6bb4d042951efa5bd6664b0efd0dd3e3502a8d54e1fc047e7

SHA512
441d2cd467c3481c995602620dfbffaf3c872adf8e4fc0f782af3ec6c026735bcb0c83b003ce21645fb02215340283c2356324012417f6458aa3d9fa56b411f5

Download Submit
\Windows\SysWOW64\Ccqhdmbc.exe

Filesize
250KB

MD5
bd265ddb07e13e7086029a9a3079cf72

SHA1
19820fcd73b2e3b4ef8fd0267577d527e3b0e178

SHA256
69ca984b3c021dc9422bf88a6e560aba318caf1116d7c1a9d73824166565d568

SHA512
23eaa499ee917486e943edc4e22462504cbc8a81f5a468464aa6239d6a7389df8337a422f901c989e2deadcfd527dd10de2245dcca907abdcd7ce53afcec0b4b

Download Submit
\Windows\SysWOW64\Cjoilfek.exe

Filesize
250KB

MD5
289e0b3d516aef5786d03a1183f1070a

SHA1
886293df4a456a5a03099d13a54abb80fa11f8c8

SHA256
6f0f4ce5727ff2deededa33b6b4c4c28eefd94bc1332c0d86b85789515a2d05d

SHA512
3d67710b0a023644ce4a6b0bf0b7f98469e75cbf8f63a383048aaf6ee6ec631c6b9b6cd00dbb8bf5ebb4a39f65e78f074a67271476ee93065db1940b8092a779

Download Submit
\Windows\SysWOW64\Clilmbhd.exe

Filesize
250KB

MD5
ba1a75ce407a1fb53672cf75b2f64d44

SHA1
abf9f8e8a29d3369cd1b3c422195ff2c01cb8e84

SHA256
e7e89f99295330bd78d91547c09ffbe3697348e282e70b5412eaec5243c70690

SHA512
184720d0b6cbd1835ed83243ad2b478afe905ae44f85c512a870c894d8145f75a0a25f9f06042376cc3bfa95bc594f1d58116d38949ad40d09da13b9fff3d159

Download Submit
\Windows\SysWOW64\Coladm32.exe

Filesize
250KB

MD5
d4bc0d2aaa2e70e26b18ac1f81e396d2

SHA1
425a80c65c819f0300a090b1f4d9608d12ff3277

SHA256
faf60d5414c350626f954e329ea117ae7c5ebbed0677e58f0304f1a648b832b6

SHA512
eab79361980b4624878ee0d6b46351a98555205fd381a4098654e40ce5df0b779fd4cba3495566d544c657df6acf130c9b2fa738c1b7f1441966487d1dd0d157

Download Submit
\Windows\SysWOW64\Ddkgbc32.exe

Filesize
250KB

MD5
bfcdc260f55ff4f5ef655cdbabbfd74b

SHA1
bc4023a7be3783839cca3b443d6cb97a7f5003e0

SHA256
c82ae573f83e35baf82e1e5df1f8921136d38ad9dd96a8c00718e56a82f98b4f

SHA512
c222ac5e0992a287152d8543e68fdff275faf6c350b8bda2d50a3c31c4d07f3a9c93404b00b7c8e0f9a2b26855a0669aee1e5a856999b4c3380f528d5a7030f6

Download Submit
memory/556-413-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/556-301-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/556-302-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/556-292-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/616-447-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/616-445-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/696-423-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/696-429-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/696-224-0x0000000001F90000-0x0000000001FF7000-memory.dmp

Filesize
412KB

Download
memory/696-228-0x0000000001F90000-0x0000000001FF7000-memory.dmp

Filesize
412KB

Download
memory/836-242-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/836-430-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/836-229-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/836-421-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/868-433-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/868-308-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/868-313-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/868-312-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1076-201-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1076-431-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1076-425-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1076-202-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1076-193-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1216-222-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/1216-424-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1216-426-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1216-203-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1216-211-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/1412-250-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1412-420-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1412-263-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1596-248-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1596-422-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1596-243-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1596-249-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1660-405-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1660-333-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1660-332-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1668-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1668-455-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1728-453-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1728-91-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1924-427-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1924-269-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1924-268-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1960-408-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1960-390-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1960-396-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/1960-395-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2136-397-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2148-439-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2148-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2148-104-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2240-181-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2240-428-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2240-173-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2240-187-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2264-291-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2264-287-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2264-412-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2264-285-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2492-444-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2492-271-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2492-280-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2492-279-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2492-432-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2532-53-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2532-449-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2532-451-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2572-446-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2572-448-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2572-66-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2576-366-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2576-356-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2576-409-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2576-365-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2652-355-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2652-464-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2652-345-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2652-354-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2668-12-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2668-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2728-117-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2728-440-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2740-401-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2740-343-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2740-344-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2740-334-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2740-404-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2760-323-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2760-314-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2760-441-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2764-18-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2844-437-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2844-138-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2844-130-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2864-39-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2864-450-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2864-47-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2916-434-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2916-157-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2916-156-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2916-144-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2916-438-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2952-443-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2952-159-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2952-171-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/3044-371-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3044-402-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3044-398-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3060-406-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3060-376-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3060-385-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads