berbew | 690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
Size

187KB
MD5

527d9130292a9898df4c726bcc8c5a70
SHA1

02bcf2de35bc360f62e8a3eb4c15865da852abef
SHA256

690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432
SHA512

64e28d401f5986aa3b726cc17bc78cf1ed0064b75df78c1f16be62704c87ca22326b0a37ce6a6e0db41fd5b58bc69325ea2d5f34d88de316a6eca55ab1326df7
SSDEEP

3072:gmGT8ewMz74A4J5ersey4Nqxk27xVgtRQ2c+tlB5xpWJLM77OkeCK2+hDueH:etzQerzyxkmxV+tbFOLM77OLLt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
1084	Akabgebj.exe
2896	Achjibcl.exe
2636	Adifpk32.exe
2656	Adlcfjgh.exe
2648	Adnpkjde.exe
2668	Bkhhhd32.exe
2324	Bccmmf32.exe
2996	Bjmeiq32.exe
1876	Bceibfgj.exe
1940	Bjpaop32.exe
1676	Bchfhfeh.exe
1412	Bffbdadk.exe
336	Boogmgkl.exe
2860	Bmbgfkje.exe
2416	Cbppnbhm.exe
1456	Ciihklpj.exe
2828	Cbblda32.exe
956	Cileqlmg.exe
1672	Cpfmmf32.exe
824	Cnimiblo.exe
2228	Cinafkkd.exe
1360	Ckmnbg32.exe
3052	Cchbgi32.exe
1260	Cgcnghpl.exe
2044	Cmpgpond.exe
2960	Cegoqlof.exe
1540	Djdgic32.exe
2132	Dmbcen32.exe
2680	Dpapaj32.exe

Loads dropped DLL 61 IoCs

pid	Process
1980	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
1980	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
1084	Akabgebj.exe
1084	Akabgebj.exe
2896	Achjibcl.exe
2896	Achjibcl.exe
2636	Adifpk32.exe
2636	Adifpk32.exe
2656	Adlcfjgh.exe
2656	Adlcfjgh.exe
2648	Adnpkjde.exe
2648	Adnpkjde.exe
2668	Bkhhhd32.exe
2668	Bkhhhd32.exe
2324	Bccmmf32.exe
2324	Bccmmf32.exe
2996	Bjmeiq32.exe
2996	Bjmeiq32.exe
1876	Bceibfgj.exe
1876	Bceibfgj.exe
1940	Bjpaop32.exe
1940	Bjpaop32.exe
1676	Bchfhfeh.exe
1676	Bchfhfeh.exe
1412	Bffbdadk.exe
1412	Bffbdadk.exe
336	Boogmgkl.exe
336	Boogmgkl.exe
2860	Bmbgfkje.exe
2860	Bmbgfkje.exe
2416	Cbppnbhm.exe
2416	Cbppnbhm.exe
1456	Ciihklpj.exe
1456	Ciihklpj.exe
2828	Cbblda32.exe
2828	Cbblda32.exe
956	Cileqlmg.exe
956	Cileqlmg.exe
1672	Cpfmmf32.exe
1672	Cpfmmf32.exe
824	Cnimiblo.exe
824	Cnimiblo.exe
2228	Cinafkkd.exe
2228	Cinafkkd.exe
1360	Ckmnbg32.exe
1360	Ckmnbg32.exe
3052	Cchbgi32.exe
3052	Cchbgi32.exe
1260	Cgcnghpl.exe
1260	Cgcnghpl.exe
2044	Cmpgpond.exe
2044	Cmpgpond.exe
2960	Cegoqlof.exe
2960	Cegoqlof.exe
1540	Djdgic32.exe
1540	Djdgic32.exe
2132	Dmbcen32.exe
2132	Dmbcen32.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Adifpk32.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Adifpk32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Akabgebj.exe	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Boogmgkl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2920	2680	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1084	1980	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe	31
PID 1980 wrote to memory of 1084	1980	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe	31
PID 1980 wrote to memory of 1084	1980	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe	31
PID 1980 wrote to memory of 1084	1980	690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe	31
PID 1084 wrote to memory of 2896	1084	Akabgebj.exe	32
PID 1084 wrote to memory of 2896	1084	Akabgebj.exe	32
PID 1084 wrote to memory of 2896	1084	Akabgebj.exe	32
PID 1084 wrote to memory of 2896	1084	Akabgebj.exe	32
PID 2896 wrote to memory of 2636	2896	Achjibcl.exe	33
PID 2896 wrote to memory of 2636	2896	Achjibcl.exe	33
PID 2896 wrote to memory of 2636	2896	Achjibcl.exe	33
PID 2896 wrote to memory of 2636	2896	Achjibcl.exe	33
PID 2636 wrote to memory of 2656	2636	Adifpk32.exe	34
PID 2636 wrote to memory of 2656	2636	Adifpk32.exe	34
PID 2636 wrote to memory of 2656	2636	Adifpk32.exe	34
PID 2636 wrote to memory of 2656	2636	Adifpk32.exe	34
PID 2656 wrote to memory of 2648	2656	Adlcfjgh.exe	35
PID 2656 wrote to memory of 2648	2656	Adlcfjgh.exe	35
PID 2656 wrote to memory of 2648	2656	Adlcfjgh.exe	35
PID 2656 wrote to memory of 2648	2656	Adlcfjgh.exe	35
PID 2648 wrote to memory of 2668	2648	Adnpkjde.exe	36
PID 2648 wrote to memory of 2668	2648	Adnpkjde.exe	36
PID 2648 wrote to memory of 2668	2648	Adnpkjde.exe	36
PID 2648 wrote to memory of 2668	2648	Adnpkjde.exe	36
PID 2668 wrote to memory of 2324	2668	Bkhhhd32.exe	37
PID 2668 wrote to memory of 2324	2668	Bkhhhd32.exe	37
PID 2668 wrote to memory of 2324	2668	Bkhhhd32.exe	37
PID 2668 wrote to memory of 2324	2668	Bkhhhd32.exe	37
PID 2324 wrote to memory of 2996	2324	Bccmmf32.exe	38
PID 2324 wrote to memory of 2996	2324	Bccmmf32.exe	38
PID 2324 wrote to memory of 2996	2324	Bccmmf32.exe	38
PID 2324 wrote to memory of 2996	2324	Bccmmf32.exe	38
PID 2996 wrote to memory of 1876	2996	Bjmeiq32.exe	39
PID 2996 wrote to memory of 1876	2996	Bjmeiq32.exe	39
PID 2996 wrote to memory of 1876	2996	Bjmeiq32.exe	39
PID 2996 wrote to memory of 1876	2996	Bjmeiq32.exe	39
PID 1876 wrote to memory of 1940	1876	Bceibfgj.exe	40
PID 1876 wrote to memory of 1940	1876	Bceibfgj.exe	40
PID 1876 wrote to memory of 1940	1876	Bceibfgj.exe	40
PID 1876 wrote to memory of 1940	1876	Bceibfgj.exe	40
PID 1940 wrote to memory of 1676	1940	Bjpaop32.exe	41
PID 1940 wrote to memory of 1676	1940	Bjpaop32.exe	41
PID 1940 wrote to memory of 1676	1940	Bjpaop32.exe	41
PID 1940 wrote to memory of 1676	1940	Bjpaop32.exe	41
PID 1676 wrote to memory of 1412	1676	Bchfhfeh.exe	42
PID 1676 wrote to memory of 1412	1676	Bchfhfeh.exe	42
PID 1676 wrote to memory of 1412	1676	Bchfhfeh.exe	42
PID 1676 wrote to memory of 1412	1676	Bchfhfeh.exe	42
PID 1412 wrote to memory of 336	1412	Bffbdadk.exe	43
PID 1412 wrote to memory of 336	1412	Bffbdadk.exe	43
PID 1412 wrote to memory of 336	1412	Bffbdadk.exe	43
PID 1412 wrote to memory of 336	1412	Bffbdadk.exe	43
PID 336 wrote to memory of 2860	336	Boogmgkl.exe	44
PID 336 wrote to memory of 2860	336	Boogmgkl.exe	44
PID 336 wrote to memory of 2860	336	Boogmgkl.exe	44
PID 336 wrote to memory of 2860	336	Boogmgkl.exe	44
PID 2860 wrote to memory of 2416	2860	Bmbgfkje.exe	45
PID 2860 wrote to memory of 2416	2860	Bmbgfkje.exe	45
PID 2860 wrote to memory of 2416	2860	Bmbgfkje.exe	45
PID 2860 wrote to memory of 2416	2860	Bmbgfkje.exe	45
PID 2416 wrote to memory of 1456	2416	Cbppnbhm.exe	46
PID 2416 wrote to memory of 1456	2416	Cbppnbhm.exe	46
PID 2416 wrote to memory of 1456	2416	Cbppnbhm.exe	46
PID 2416 wrote to memory of 1456	2416	Cbppnbhm.exe	46

C:\Users\Admin\AppData\Local\Temp\690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe
"C:\Users\Admin\AppData\Local\Temp\690131bb4ad1d16e6a7e6c9c631138a015537d55fdaa9d87b0ab31d143ce2432.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\Akabgebj.exe
  C:\Windows\system32\Akabgebj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\Achjibcl.exe
    C:\Windows\system32\Achjibcl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Adifpk32.exe
      C:\Windows\system32\Adifpk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 144
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Achjibcl.exe

Filesize
187KB

MD5
7a2b178af3719bdfdbeb2c0f70746052

SHA1
b76460065f2800eaa1b15c984c484d3960ccd8ca

SHA256
2ab627f39d62fd92e61f4b2c81c0f02e456b4c80f75e423662c5129d4aa0ae92

SHA512
07e9c6d0d5f991e7fc44fa88e581617a230f833480952b9139a6ceb824194e7e7c54ebbf8af4c7b113c57b86f597fe2dfe2bce2b9f178d6235574d94b6edde05

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
187KB

MD5
7d0c0c8f41fdf44c528b0f433415c68c

SHA1
2987d265480665048ff31f62b2c95c022fd09ec9

SHA256
cb4afec33ceec65376124c5a5cfed5e087bc7ce88b15e19b848166660cf2f981

SHA512
c882cd098236d5e36b2294d87969aa1c45daf3232f0c8259598352200cc1c36a2bb648ff97d22da6e87672f04fd6be3793fad4f68b929cfcbddce037a89dc3aa

Download Submit
C:\Windows\SysWOW64\Aglfmjon.dll

Filesize
7KB

MD5
c2f95cd7ca54e6e094ba7fe62e5a777d

SHA1
6c31844f8de9cb815c919c5b8bde3bf93cf5d768

SHA256
0542b10bfdbf00d0acec6ad6e7b6e2c0c403e8dc002a2b0ada6801430a18d9f2

SHA512
1e10deebbd1d10d9622c9f9973c3081a9d5fce19cf55247e7b56d3ed2b3cfae46510e26c415038a43e964f135297153ac1069a4e9b2016b14be0de657068b198

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
187KB

MD5
d940d52521fe4bcab068bce5fea3bb90

SHA1
a0ec726e90bd18d5f5b0b6837e00f9abeff0da33

SHA256
87c98dc172999d0703af09d23e93950cb9ac07fc462f9e90b34695ae5354eb0a

SHA512
dd5451bc23c29030a38800260365ae96f89d666afb91c632fb12bdf856c70ba373fe69c71b998c4ffe5edfc028a936246f36c4b8aad6c4c438e616aa85776c44

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
187KB

MD5
7b1ca8a1a07f9b8a79c5fcaf3bcc7e05

SHA1
312a1affd2d21024e1f168ca6fb0f45e3b08fbd6

SHA256
5cd08265801c791cb4a95658946b2c1004b42c33646bf56a9b526cfae257a44a

SHA512
d98454af984405cc3369233006df665337ffcc909dbb6528821e68783d09e6605ba8c83b3374d0bc0bae31c5b107f4d4965d5e55e1d5e2b84d1b5be79703f3af

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
187KB

MD5
57bd7d6ed5facde54bf379f3dbe1868f

SHA1
0656da9b117c89f30d709ec4de36ee7c0cf91d14

SHA256
30c29b2ee04408888dbd467ea2bbd1060ac9fe4072d10a76d1c1c3865966239e

SHA512
e330f8cc4103b0408ffc6f96035b2ae1466effdcc6ac59f615075fa37fd7f784833078c7acdf785448c377a46538c934d7eeef70ff4a52475de55807e6d99439

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
187KB

MD5
f8878b3b4b14e582133d6f6337643501

SHA1
d8ba78a6efce5f66fe7714f49ef60b1b3a79e500

SHA256
7607a6305ad5c616aa7b69b99b22e2582d0dbc3446fc4456b19add9f23227784

SHA512
170148629caeb1749944eee06cf23f47fce1391e9a68a76175629fadcded258db2818d8026807aa79a082f7e06ad309cb4aeadfa9b80c8517460660c5aefa4a8

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
187KB

MD5
b8f0ed655676edfbe78ce86d48024a48

SHA1
9ba1a76dd203c7c3b7da1174a017e00434663661

SHA256
7dd053484e9847dd9ece776d0b7f214fc978f5c5d7c45ba3f5f9d313ea164d1e

SHA512
5819e4f0227da5b527192553f3fdb69db5a202d4a71f4407302b304135eb532d910d327351942f3d3e3d2507eee931e74cd0ea178447b23e4e6be3ea45e657b8

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
187KB

MD5
b95d6b74f94e2b34c2479a1bcd24408b

SHA1
25e2871dbb7b6a546c2e14066deca3f84dd371f6

SHA256
a9d482c7db607e002f2a86a3223c65bed903d79980abd4a7e19fbb87e268b712

SHA512
35c309cc9f7b287691fd16b1bfad0717388fa524879b3ad39f3dac5dcc45f38463c52f2d6dea475f058decff4fac26dda4fc7b45f120b1f8252a7e721317fc04

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
187KB

MD5
e1730a6274443a072fec28c5e1150ce0

SHA1
3af3488deffc8dcfa06c394d3d3a8bac25a5129f

SHA256
68cb19cb47110366fff238adeb113e9be58d93413a9c36fd5504df2c193092a7

SHA512
2e19f3afbb4c4bd22ed720f63d1e68660a31d34910407fda140af19139dd5925b9cc7ed0337916d402f1101be1f2cdbbdb7aa0867e617714572fe207263b6eb5

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
187KB

MD5
337a935d2f6dd9776447a24cbc903e4b

SHA1
deba00c8abbcff684d5e3c9012e774c538d61e75

SHA256
bcb415d48406e37e0aa0396c74bc926ae3cede992ff3075d0a46ee20e939e57e

SHA512
d73d1898a055880b2cfb9e3996c2f0c90d17d5728155bdb540c4b485decf420e4236c5a9a079afe98f15bd3d210ee5ca7cf0650ed6b925d6caaa3240978f228c

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
187KB

MD5
e2e14240f5750b9ef8660fc42bf736a5

SHA1
fd3e9105b2c5ce0a41675235ca6b28db41f5a24c

SHA256
9f9db6b5cad9d1736b0f291a421177d50d18a22beb274daeac14e86bca70795a

SHA512
a3d7d0a38e02ec22251f19c18e4002f38af03a9057323c39b74dd410d6fae938569fbbe334d59d79dab974bc6255f58c5603293d6fc61b362398b61b730a30e7

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
187KB

MD5
55336e4c3602931430d333295995ac24

SHA1
5523a7ec946801db1ec147c9003668feca0890d2

SHA256
8580d0b207a989369d9aaf7ba03ec3674a3810ee4a1425f65892b0646e58c811

SHA512
79603c17f26510960b6ffa16fd559180dd00925f5abdbbd71b75d9a321b01e07d15ac68dee933a6a496235fb2f0257eb946f4f5a945a18bb8baec6d6b95be856

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
187KB

MD5
47e8dc62b907f980e77006bfe1e64529

SHA1
4b34131ff56c12317ad7aa51e0149512d12b86b4

SHA256
957cee0cf3e57e2e24965b7be9482d22471187914a671e1b02c76f4dda5c28c4

SHA512
54e45345e399feba8afe50acc671d4e294ba25543175c64e5878da8f215adb8bef195e47465bf58a1e4e39a9db8d895d0537bf5bc323d1e74feb63f3440b36a8

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
187KB

MD5
c6c4eb1ec2c98d768b1eddcc23795753

SHA1
5fdd7d23dbeacfef535fb5f2a3e75dc39f3384c7

SHA256
d66efea143d19219c2a821f04e97d9dd7a8c456bd57d5f8c74c9b1e441221074

SHA512
8f8411084ce300565e20a949524226d805ab6d97c4d664ab4d49f8b6ea923dc9f7a699b714dc9b1db8402379bbb7798d26103d800b71d4d8514e684b21d2ec71

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
187KB

MD5
3517dbb9cccea391ed39d84829636022

SHA1
79dbb088359962e9c19f2a80d57d186a7119fcdd

SHA256
11faec5743a9a7a2fcbc0201423960a7e284ae8828b31493fd1b5d10214056fc

SHA512
95dc75f50f07ed5a11d75442f5278724af912625aae32d4eacf8aac36ecfb4aad24f7af50516034b20c4324e73aec9b3fa9655e4a50b5a4de633706f3058f852

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
187KB

MD5
dab53429928ff50bc68702962a30396e

SHA1
729f49e104bbbdcea37971f630632114be64d2d0

SHA256
d238b84c96d4662e0d9397a87161e52fb1d3c934c27aaa97ab0a9375e6956114

SHA512
a4ccdcc86acca7f8045e35c16da5001a2b4e16bceabd02dc94f27a3d673affce72dfeb6faf044de02f1ed4813cfc06ab895ac3a1baca64162d324e8f0f86d429

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
187KB

MD5
d12f6646adfbc0b9ab0aa672648cfc88

SHA1
de6c4a49192721add4b43101e504686944c81740

SHA256
3c3de3349436926880564b7e1f7d0e3d245d0f8a033c1a874b2a6076f8be17ee

SHA512
78c23bc7090f0d642ac94a421d26a9415dda2122a4a8ca375e3b0df5174788f502acdfdb530ad14f40576bc5063c846fc98371a972bb2ac5b8a3f68c49bca819

Download Submit
\Windows\SysWOW64\Adifpk32.exe

Filesize
187KB

MD5
5b30e89db17cecd410ffffa648ab8bda

SHA1
a1983afc9b52c6d98fe332138a55b7140d7f6255

SHA256
18c91a9ea757c8352f83f17f627b12ca35096b96fca44f46cb8125b7f233797e

SHA512
2c17c0358ce52c44c58e83ee85f4b44bad3b421b7dc5abbee7dc6ba678de5c23f440115ec87981e930e3e21b3fcf94a03b2681185355df0815e5d5e903bb34d5

Download Submit
\Windows\SysWOW64\Adnpkjde.exe

Filesize
187KB

MD5
3ec446b2bedf4ba7aa39243dcfb06ac6

SHA1
8e6edb58139672d3cbf56c52c15229e0f6df68f8

SHA256
63f38f72640ab43a9f70b78da6405ce6cb36055ff84a6ca12d8bf3e1aa9145f2

SHA512
21f08674f51b5b8fb086fb37dc5c7220c22840ea95e1ddc6c92da2b387c7522d7b220d7c9abb169678a8aea6e817d6d3a50d6722e509d8d070f850eef255f0ee

Download Submit
\Windows\SysWOW64\Akabgebj.exe

Filesize
187KB

MD5
82f0a43ea5018244b5ad1cd164b4dcf0

SHA1
f6c96aba341c0002cb9e4ab28f757c46b5ae02f4

SHA256
13f92082e16de9ade2de296927f920e10fe593e1dd2816bc1d1c70532ca911c6

SHA512
4765f4e72fedd00be9a4cec6e80575f84c0abcb0c64b5ce9e292bdb7bb0ac4d792982628c2bda9c1ca1ce550b9b07f81d146f7243578115d5467ce42056a95f8

Download Submit
\Windows\SysWOW64\Bccmmf32.exe

Filesize
187KB

MD5
f764683da6cb0e05388b584c04a7631c

SHA1
f2cdc3de93872c8da0aef872751aae1368710013

SHA256
05858aa35b75b21026ff6f691f8ed4779a124a2292bed1a07cfe0b0fe78406ac

SHA512
08c3b785c9c100931f17f10b5c2d5ed4d6e2461d58809128e95b91f76be5a9236311c268a3e1a32e2e5f7960e968b14be2dc62605e81579aad40ced42b3a3468

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
187KB

MD5
2a97375db6d19c75e540aadfc68b1bbf

SHA1
9888c3792af4cf1f4781c6070b5c70026fe96f8a

SHA256
7fd793608b21540d0e5566c67a47205b35c485b211ec4d17f6b96b62725a6b3d

SHA512
ac94c2f7a334b2b0521ebaa1bbf99af9539d393904ca22af5bc82095a9a998b8a17797e84ff743fe3ce32a063cebf3067940488f5ef6c130bd435f54f583c5ca

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
187KB

MD5
a7dd4fd3dbeb7ba8b383bb4eef16a916

SHA1
a381b02721533cc5f6fa89bbcc8d6584e1661f17

SHA256
a6baf027e424674870528b84c9254b3c071c60e2ac36b812a3b34cd274366c0d

SHA512
8454bfea0875150b13ccb5c51a5b01f1ae432df6944c69d034c626c1500f4bdfa0e329d845f68231f98d13fc07a8a3ae501dc022865e922508d29ae3356817c5

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
187KB

MD5
4f04cafe8a0d564f8ef01a0f45fd8016

SHA1
f1c82cde4bda9dcc01b4607e9d58b2ef84e0f023

SHA256
c461b08e5be37b5196d2c9a226f009d11cd6f99117a73bbdbc0cb1dd57287d44

SHA512
0f09fe2f97afa83fa76f8be18fb31b2f83f17a5fe204052d49af11a8d4dd369a37ebebe651d815e8dc61ba7864b543c466e8713f2b01001125474ccef446722b

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
187KB

MD5
370cb67578f9ee6bd73cdb64fba833d9

SHA1
fcffa06ae98f6d5bd44ac3299e6a1ca6a0a1497e

SHA256
b2e76a1e7b2f2c2644d25321698c5b2f602b8b87a15572991e28aa243d793371

SHA512
360eedbc41096318e77bdc816b58409676fc22131b822b0154e30653ad9b9dc257a3fcd8e050bfa0948c30adf636d8540845a2ccc0fe825f80c52986a552f8af

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
187KB

MD5
3a9ea560cae0632558fe66bff3163284

SHA1
998cf778a29ca0571bb2908bb52aca6390093a7e

SHA256
957b2ce8ba3cf6e140b4aef6096a4b2823d4f875afa725a9c14328d6486ca862

SHA512
6667dc81415d2322a24c6211c677df5ea1c9bb471b6055b6bf3575f177df8f072372cbd1702ce99453686bcb12f52eb006dffe534b5b56ce8bdb93298d67c3e2

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
187KB

MD5
600c05155fbf76b94aa9f2a4850074e6

SHA1
edc5d67754311ed1853e5541dac5f55acfd3bf6e

SHA256
016e959eb7e217858a1b522552ef5d30e0f1d11642926d00855e303c7159275f

SHA512
579f2eb180b1208850b2bf0f15c0a71f19de08a6c55379cc1c83ecda865b8c751a40879e2d7012ced9959081ad7992023ada87ba572293de78aff8415301e5d5

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
187KB

MD5
185cf0c005b278e66f5756d959a9430e

SHA1
17a8911d66c0453c313a704c525c39fad262c920

SHA256
9e9e1ea3e2ef5b2ee660a1b190049dab997185d0bf7143560304084bdc92b60e

SHA512
29771569f8da9a389b33eb36e2140f2777a76fd42375c3e45c2092ffc82935f99d88c0b6538b36f581c40a011039a163d7fce9dd394fe8ddb7534123d7bda5eb

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
187KB

MD5
7ddba697d6db7f772b4bc7629200cc89

SHA1
91999d4adf16fe36c7f86b5541c903ffff755351

SHA256
4647621e8b4cb5333d8acbbfc6bfa701aed80d106cbf826aa896d7984ca67826

SHA512
d599789798cdfd8fe162abde90701567c9065c2316cbfe4a7bb4e3e82bd466e656750f9a82878b411ccaf6f95202893b57703e0b04d8aa49d4e62bf9e08b9562

Download Submit
memory/336-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/336-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/336-183-0x0000000000490000-0x00000000004C4000-memory.dmp

Filesize
208KB

Download
memory/824-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-238-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/956-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-302-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1260-301-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1260-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-280-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1412-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-169-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1412-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-219-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1540-334-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1540-336-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1540-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-248-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1676-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-126-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1940-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-17-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1980-12-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1980-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-346-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2044-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-313-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2044-312-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2132-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-270-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2228-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-269-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2324-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-60-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2656-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-86-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2668-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-193-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2860-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-351-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2896-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-34-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2896-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-324-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2960-323-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2960-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-112-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/3052-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-290-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/3052-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-291-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads