berbew | 698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe
Size

91KB
MD5

d52de8e4a75de0360568f65c178e4cf0
SHA1

349c1c653ccc869e2bc781eecb55cf1a4566f216
SHA256

698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634
SHA512

d74d259755e6197e309355102e07f634001bf37ccef98f45ba98a7a7278cfce6c5fa77f6bb41681f1e312151dd3171b5b6f04bef4bd667408add97793a9dafa4
SSDEEP

1536:xI5lrsHuZHaquRbqyB+SCCKGXriC3FSr7TiwkU6joqqIVLgq:xYCuZHaquRWMfJKCvFSr7TSUurUq

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 40 IoCs

pid	Process
5036	Ajkaii32.exe
4496	Aadifclh.exe
3068	Agoabn32.exe
3964	Bnhjohkb.exe
4232	Bebblb32.exe
3608	Bfdodjhm.exe
4212	Bnkgeg32.exe
3948	Beeoaapl.exe
2944	Bffkij32.exe
1992	Bnmcjg32.exe
3112	Beglgani.exe
1088	Bfhhoi32.exe
2292	Bnpppgdj.exe
4860	Bmbplc32.exe
2300	Bclhhnca.exe
112	Belebq32.exe
556	Cmgjgcgo.exe
4476	Cmiflbel.exe
2332	Cdcoim32.exe
4200	Cfbkeh32.exe
3648	Cmlcbbcj.exe
2028	Ceckcp32.exe
3124	Chagok32.exe
3176	Cjpckf32.exe
2752	Cajlhqjp.exe
3200	Cdhhdlid.exe
3372	Cjbpaf32.exe
1532	Cmqmma32.exe
968	Ddjejl32.exe
4932	Dfiafg32.exe
3876	Djdmffnn.exe
3508	Dejacond.exe
3280	Dmefhako.exe
3248	Ddonekbl.exe
4500	Dodbbdbb.exe
2132	Dmjocp32.exe
4056	Dddhpjof.exe
3496	Dgbdlf32.exe
2228	Dknpmdfc.exe
1680	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1952	1680	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 5036	2588	698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe	82
PID 2588 wrote to memory of 5036	2588	698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe	82
PID 2588 wrote to memory of 5036	2588	698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe	82
PID 5036 wrote to memory of 4496	5036	Ajkaii32.exe	83
PID 5036 wrote to memory of 4496	5036	Ajkaii32.exe	83
PID 5036 wrote to memory of 4496	5036	Ajkaii32.exe	83
PID 4496 wrote to memory of 3068	4496	Aadifclh.exe	84
PID 4496 wrote to memory of 3068	4496	Aadifclh.exe	84
PID 4496 wrote to memory of 3068	4496	Aadifclh.exe	84
PID 3068 wrote to memory of 3964	3068	Agoabn32.exe	85
PID 3068 wrote to memory of 3964	3068	Agoabn32.exe	85
PID 3068 wrote to memory of 3964	3068	Agoabn32.exe	85
PID 3964 wrote to memory of 4232	3964	Bnhjohkb.exe	86
PID 3964 wrote to memory of 4232	3964	Bnhjohkb.exe	86
PID 3964 wrote to memory of 4232	3964	Bnhjohkb.exe	86
PID 4232 wrote to memory of 3608	4232	Bebblb32.exe	87
PID 4232 wrote to memory of 3608	4232	Bebblb32.exe	87
PID 4232 wrote to memory of 3608	4232	Bebblb32.exe	87
PID 3608 wrote to memory of 4212	3608	Bfdodjhm.exe	88
PID 3608 wrote to memory of 4212	3608	Bfdodjhm.exe	88
PID 3608 wrote to memory of 4212	3608	Bfdodjhm.exe	88
PID 4212 wrote to memory of 3948	4212	Bnkgeg32.exe	89
PID 4212 wrote to memory of 3948	4212	Bnkgeg32.exe	89
PID 4212 wrote to memory of 3948	4212	Bnkgeg32.exe	89
PID 3948 wrote to memory of 2944	3948	Beeoaapl.exe	90
PID 3948 wrote to memory of 2944	3948	Beeoaapl.exe	90
PID 3948 wrote to memory of 2944	3948	Beeoaapl.exe	90
PID 2944 wrote to memory of 1992	2944	Bffkij32.exe	91
PID 2944 wrote to memory of 1992	2944	Bffkij32.exe	91
PID 2944 wrote to memory of 1992	2944	Bffkij32.exe	91
PID 1992 wrote to memory of 3112	1992	Bnmcjg32.exe	92
PID 1992 wrote to memory of 3112	1992	Bnmcjg32.exe	92
PID 1992 wrote to memory of 3112	1992	Bnmcjg32.exe	92
PID 3112 wrote to memory of 1088	3112	Beglgani.exe	93
PID 3112 wrote to memory of 1088	3112	Beglgani.exe	93
PID 3112 wrote to memory of 1088	3112	Beglgani.exe	93
PID 1088 wrote to memory of 2292	1088	Bfhhoi32.exe	94
PID 1088 wrote to memory of 2292	1088	Bfhhoi32.exe	94
PID 1088 wrote to memory of 2292	1088	Bfhhoi32.exe	94
PID 2292 wrote to memory of 4860	2292	Bnpppgdj.exe	95
PID 2292 wrote to memory of 4860	2292	Bnpppgdj.exe	95
PID 2292 wrote to memory of 4860	2292	Bnpppgdj.exe	95
PID 4860 wrote to memory of 2300	4860	Bmbplc32.exe	96
PID 4860 wrote to memory of 2300	4860	Bmbplc32.exe	96
PID 4860 wrote to memory of 2300	4860	Bmbplc32.exe	96
PID 2300 wrote to memory of 112	2300	Bclhhnca.exe	97
PID 2300 wrote to memory of 112	2300	Bclhhnca.exe	97
PID 2300 wrote to memory of 112	2300	Bclhhnca.exe	97
PID 112 wrote to memory of 556	112	Belebq32.exe	98
PID 112 wrote to memory of 556	112	Belebq32.exe	98
PID 112 wrote to memory of 556	112	Belebq32.exe	98
PID 556 wrote to memory of 4476	556	Cmgjgcgo.exe	99
PID 556 wrote to memory of 4476	556	Cmgjgcgo.exe	99
PID 556 wrote to memory of 4476	556	Cmgjgcgo.exe	99
PID 4476 wrote to memory of 2332	4476	Cmiflbel.exe	100
PID 4476 wrote to memory of 2332	4476	Cmiflbel.exe	100
PID 4476 wrote to memory of 2332	4476	Cmiflbel.exe	100
PID 2332 wrote to memory of 4200	2332	Cdcoim32.exe	101
PID 2332 wrote to memory of 4200	2332	Cdcoim32.exe	101
PID 2332 wrote to memory of 4200	2332	Cdcoim32.exe	101
PID 4200 wrote to memory of 3648	4200	Cfbkeh32.exe	102
PID 4200 wrote to memory of 3648	4200	Cfbkeh32.exe	102
PID 4200 wrote to memory of 3648	4200	Cfbkeh32.exe	102
PID 3648 wrote to memory of 2028	3648	Cmlcbbcj.exe	103

C:\Users\Admin\AppData\Local\Temp\698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe
"C:\Users\Admin\AppData\Local\Temp\698399e3896ff9889b84928ac80cc1db9b57c31aaa93919a52ed731892eee634N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\Ajkaii32.exe
  C:\Windows\system32\Ajkaii32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\Aadifclh.exe
    C:\Windows\system32\Aadifclh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\Agoabn32.exe
      C:\Windows\system32\Agoabn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 408
        42⤵
        Program crash
        
        PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1680 -ip 1680
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
91KB

MD5
699705fffc42718046a3c4034284e414

SHA1
22a0d74c64f4357f7828ca0bb69d7cf064b07ffb

SHA256
fe306d5082ce4cfdcaf6186eff0d06227ab5732d8a78dbc0fd14bbf6f551964f

SHA512
450c86d51659a452e98bd27dc5f00dd09bc49a2ff5c33945336ac74d35078d7b6c4185d6b03b8c1ec96df3f4357c9a3297c6f6accd36c6e5d2adfde5272b8cd4

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
91KB

MD5
924ab0705d2734560d91106ed557708c

SHA1
eff5d182a5cbd1c48e53b221359820282ee48557

SHA256
ea17af076ea6726b8dd4217ebce55286ca9bc67d72c50e036a1916843a287c79

SHA512
da940b0fdf235aeb0a092b1fd12716dd3772abbfc0cfd84d5cefddc31597ec0428d0cc7893b15a2559f7e863270fd747452e1d2a95cce4ef63613e128c1b2a0b

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
91KB

MD5
43431c4663aa253170142842ea353384

SHA1
1c95101652b9a9bea408cba39da5d257d15349b5

SHA256
8df8d1ea6aff2834e200ff53a37d5013de567506ed8b10da1cf125db214c9973

SHA512
e1d43b15f73000a55734b7e2db75a19f8322e6a1212bda3d423aaed4cdbcb109388f752b74331c0ac7bcd97f8b68af7b19f6a4011c183ddc93d117940e9fbf0b

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
91KB

MD5
c8fad7dc97292e073465491ebb01d9e6

SHA1
4feadf34fa0294279800648c921c59c3e8afd07d

SHA256
4c735b1ef19e8188cf5bf33624ebd8a308023e1af286ba81218aa9d1d7264cc4

SHA512
5d09862d736b2e298a03daad5ffcdb5db15e43daff7db1965bd77549c290da33e1281bb574acd8771b2e55323d1b5c2141ddef4e97fd880c684071b7c4cb652c

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
91KB

MD5
4bcda4bb557a4871a894e24d89e7a6b7

SHA1
fc5bfa5ac293b169c74fb907e5dd91630654d4c2

SHA256
6ea9bec676233c4a8c573fda312a53609a64a117ee243500c93c2ad9270a9df8

SHA512
f4823e08ea6e64199fe000a88b7ea912edf6f072b80058a8e25f913dd441444e0cdbd4bc7135caeeb3f23a48a0e339d57b4272afeaa801839dfc95fb0f6cf1ab

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
91KB

MD5
d75bd2c7aee10b7bdf995f0ac62472d7

SHA1
e4b72ca48b7f643c9390c6b74cab84c9f4671c01

SHA256
4bca8953a22be1f9a18aa524d0450a51246811b2ea1e2a37a7ba9c7815d3e325

SHA512
9c748b8f5bab66f68a58bb1fa1ea77855422d182f96f1f8f70a449888f5d7e00fb99ce3a0a1dbda991d99330690c9f258e34f5efdb443992fc5c593df94d2fc8

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
91KB

MD5
de04f40fe2f8f1aab51b3a4917a74460

SHA1
b6fd312c05f43d082e00760f1ffdcc09b37704ac

SHA256
a2616a785559466cfb87b62c4d926d8e841b021d24aa46e28f01f1749adc8bfc

SHA512
aa68e5b830ad8fd730ebf2324c975fc8d3eb10d8e694c01df0926d8329f9f7d6e36e7398e89c5053dd970f331b0c6aa918ce7cc314c5ef36189e383337087144

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
91KB

MD5
4adf779440e0883849edd5838e700466

SHA1
631aceb41d4dde1ce8d74b2e997cfcf6b9ec04c1

SHA256
61f23b22cbf5275498f7f38553ef9dc4b18ac9e409d14ba3ba45f9da28e60c8f

SHA512
3047c67806d17598a1d93108ec4959b157a4a0a2f06b0f96c40fee17a83cdcaefaf3ca4573b54baa812bcdcb7b2c522e9e5b67aa430c66cdecd81a0d41c04299

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
91KB

MD5
cb4135543ddad327d51236e61b248b20

SHA1
f8d136b8f1801ea7cceea046f33166b7dae8b2db

SHA256
65d1088a263435500cdfbd99ee4ff7de94625e6787d1bcaa9d4978be054d8b66

SHA512
7e665cfbc8c4106aabdcc886f6effa9a5e1c474ad5c771a5e065edaff319cd9f245b7ea779a188ab848a4030314a9f58b1721f0e7f400d2ced7f22531847b86b

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
91KB

MD5
005da6bec2a941e0051306dd7bc0c0c6

SHA1
d8a56d0ae1667b0de336d09b704ddb1addc793f0

SHA256
84549890d43b180266e130da333293d16abfbf5c8afdfb54c74708d1252a598f

SHA512
47dac88b2d1174639b1a820e71f451117ae1325b8eb18678a341bb7051bdd4a902dcf66c5eab6c6749028495ea8c18b00065696b8c72e4398179d33f5bf392eb

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
91KB

MD5
ca7c32a1c79125ec20b7cd0ad8f03ec4

SHA1
d955fd2e3afc8db3553f2b23a9ef2c3471fce63d

SHA256
0809d4312c0ffc4773649a31e06aaed84696f56c524c2f825ee4c58e7611faa0

SHA512
3cb9eef22886b45de8aea8eb66c8b58653333810def658c33bad89ae496c35ddb4356dae61c0c613ce0a3a7bea0e7897eb59540d5ff56803d63a57bf5cc06c65

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
91KB

MD5
3bbbd0dac25038933658d90d8c65be1f

SHA1
6f2a34d4f553f353b49b1a385c224f50fdae8064

SHA256
4c48d13482cb92d017bcf5ebe4b96ee04c01e62658b25263b089d6307af63b78

SHA512
1813e79e62087e8f90bf7ecb90bba87223fadc31f53f638e31ad5df8d4bcc9cd263f6304380e70792981685e534d5a9467e50fce781894fc097f103f877da178

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
91KB

MD5
8878d089eaf089205c3313c5b67af14a

SHA1
e3d80746d55ed4e355d096d8b3c1b63e33164f37

SHA256
ddb50e322618f9ebf9b82d74db3fdf5a1d867d54337ebf5febb3ef359492d915

SHA512
f725f9756b9e086e72e65f3c9f6b82059c50b3ec5910a103852c72888ecee59f9a8272bce005bb682de1a3507a1d0828b27d2abb69065af0e9f7fab033ec95fb

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
91KB

MD5
8873d9cb021f3ee344be95974098b9db

SHA1
2985e2873b0dcd9ea9f92f23befb7af37868919c

SHA256
32a0f984c2624462e80898a15e83b9187dd45a6b6717b6e9f29acf32b3323d2a

SHA512
f7e58c992515e0f10affba40004ddfaa44b5dcc31b00342e1a7d51eb54afa4456952e8c695ed7fae9c720e68b28c97b25c86367c218dc5b76f89cb82dcf642e1

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
91KB

MD5
f8dfd21c2f31170fb711bcc4ff2fe4c7

SHA1
5b46bea9a87f046ec52433a2229a4bbf122b6d6a

SHA256
8201ebed7a227f10a5757aa651e2ee027c9c5d94b00aae14b55057921b2ecc42

SHA512
beb75ed88e58461edaf761291ab7ccf35c4cdc239abfdd5cb5648dff14c7b8c11c05dcd284cf222d146698afb38350429875beab0b89de71b6a74135b9ae1e04

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
91KB

MD5
5d96c6762aed29587d9e873142d1e8ce

SHA1
f6c721e2d1121dbfbe457dccb32936ebe8add12f

SHA256
b5174dbc472ae0483aba05ba9862cf542915f708c248ec5ca2ef5529b1ff5f01

SHA512
cd37efa5b218d4d758c4993d33a0eb19b336ecfd343f1991b0df67ce2d865c40e78b5419d0c196358e629e0023d24aa7f0a87604fdc8666c022b0dd26193dec8

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
91KB

MD5
24d9f18fb6593d873cf65cc8b7eaa03b

SHA1
44073ef0f72ebe0da8c7f92576786097fb20c378

SHA256
4c99544f5386c7b0d70a7d5a9ac7577d41b47d396f34636f2c74a867d58c48ca

SHA512
f1a8386e857d9a1801425e24e97ccc0eca882575ef80bd35c520ee07a3e2a3b7fe030164964e45f3fff6319e1292284d84d452b0adefb40210c79c529c58030c

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
91KB

MD5
a014aea4147ee4692ed08f38d6e0ae08

SHA1
9a64308ff8a5bf823abdcec81f33ff910b18b370

SHA256
c82d58d72018e8d59013809a64780b5ad2d2d6b8c65354deecf9a57ce466c4b2

SHA512
d6ea010acf3094a28121e1fecdc37527447277f60ba7a4c6238951e56fc188c4cc20e8e0dce83ae07a9007fa4c6a34b17dc5b2f07140628cfbe2a50102140006

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
91KB

MD5
c5f637b89241bbb57cede652067bf879

SHA1
125522508ae268de034162eb9565b5ae5b4dfe3c

SHA256
f7a1216690c9c8f0ecbac15b746120de98eef39cee2b2445dc470632bb5b28f1

SHA512
3bb551f67776afb9957ff29fac61d5f24a59b035997063876cc2ac614d2a21165d120caacc384f6b3b2ba994a348a2e3aefc831d73dbe7055f3927bab5029f1f

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
91KB

MD5
b861f4fcd06937286e74ba79df156ba4

SHA1
3beebe2121660fc422c1261e33c373c19d871fea

SHA256
cf2307b412549dd2e26b0010ec8b91200e082c0f32d4b7641fc22a6c4a2eb493

SHA512
0e9ed6e0483de05eccb6220ca8d56ee283e06c65ae3d3fbc98e6abb5ab5c19be5a5e3b16e03de6f6078f138567cbde43d4d32c86fb3c47707390dc1327917aa8

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
91KB

MD5
6c4916432b794e02f730d2e2a6702849

SHA1
580478670461b965733a6f27f1b558121c7b09a3

SHA256
bb16cc82d55c31c82ee8ff1120d07f351a01ce2181ab253cce389c21e3fb2984

SHA512
f657a39066d40e44a24c4e38d83fc4fbaff99d928aeb9f1ea8fcaec2fab6e0f942b966b1f1098251c3e6809753d76779c45a0d5415160b9f5117096c9716c166

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
91KB

MD5
249f410b2ac12fa3399249212ced5188

SHA1
4f73e74addcbdc3290263b680e70221bbdd7d531

SHA256
8e69b848807eac65bda9524dd89bdbf0880434c2129cf73ca8d2e76d4be87c71

SHA512
bcfd1f3d9b84fadc7834bd48018f4a7d88f9e21c39a58ad1db89e3bfc78e1f800b99cba1a53a5084498cd1072edb43c49284c05a661280cd784d4f48c9c944b9

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
91KB

MD5
9016c25a23aa8b43b3cb003a01e9559c

SHA1
3d3e9addbead1e3fca51331e23b704adccb920e0

SHA256
108fcdc4407667d4d1f63c79ace876aa29ceca833df23bd0f16b946d71f8004f

SHA512
53c3b17cea7e6d9ed3fcaa91ee84a6b5ff77c47288324d9a4137cce87d4b2ff151919845ab9667d6ba5d68a31560cf950f08debab62ab5b6cc03d5f8e7415270

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
91KB

MD5
c31bedc48b759a414ee21bdb441b592b

SHA1
384854f94b35c378c7e1c328ba703a7b2a91de1b

SHA256
09b810701d7c3ae064261a2b3379daf4b42b81fd623085a8e543ae7dc6dfab91

SHA512
7f3d5ddfec8092a70e1e94b20f1dd81ee04e5508d298a41a824c9698acbd28bc413d52b9865c0e318c73d4cc0ac5526f0aea4cf594734b609d5c24018622784e

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
91KB

MD5
d0eb336c5a783572c1ae9637fc8c8bc3

SHA1
e7ab16408d4bd7dc8f43ac450c11c6236dc4554c

SHA256
1092bb50f9ffb789fbbd9deb079a0710d2e0bb34088ffef09b2e9b8e6011cc2b

SHA512
a4e13b2e098867566b182fb5cc575c415b19bf3015d915210acefff13dca90facd88303d070e6a47ae0dc047522367deef7e329a3bc136d4bbd6e8274124b663

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
91KB

MD5
9b8cc5495aba0a472e2a9f3c2b8deaa4

SHA1
7443eb20a9d7bda859782149dd8496e0ddd4306e

SHA256
32de1f52a052a00cf3618e06d2b4be1bacd49739a0223572c727d177da773b36

SHA512
c00fa13ddf63d3ccc0c670a94dffe7a0e8861070fa1cb7dd04966500dff6ed27ca96715b9d53767f5f5b1caf709634ceb9bcdf2c8855cc815e452d7e17420bcf

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
91KB

MD5
b4fa6f8766fe9c407909f94b2165f7cc

SHA1
aea53bd6fab2084a50bebcdafbac705168b743a3

SHA256
6c6e060398fcacb07edf0cb1ee95764aec37a3abd9073da6e90aa1818aef8de8

SHA512
4addf22874b3854acf75d9aea10f3eca74c743331f78482242ddbc9eb3977a6d5609908cd22e299be8252d0a814ef22696db6a2549f92a93fe32cd3171ff9034

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
91KB

MD5
51f4ec4aa388aaf583bb10a4f1b0bcee

SHA1
f2d1ac19c8a97e8ccdf8e3182a1aadf02a0e2f91

SHA256
e7b0614907c0a40f74e8293b8516ed6c25e1441266a7d3d3e96c1745da21763a

SHA512
b5d72e7def723d9a2502649cde932370d7f779afc6907f02ff7583b0160994cacb88b25da45e516eaf83a1445216b347b928fba385c2578d9a85744479fbf106

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
91KB

MD5
ccee24b3b97a9ee873e08432e5c6b428

SHA1
1fb582521e31d48d4912a1aff2caa0a660378793

SHA256
caab14ec1a0ba2499abd8997a24ff8db7faea4d6ab99f0029e1bcd4e5356e383

SHA512
ab17a8d1ec6d50183c7ba5d0f2a85e01d88014cab985847c8aacb719b2a56f5885fa22e58dda389ec918f5090514e53fcd2c83349cd8ec988f459a9fa37dc81f

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
91KB

MD5
1f4b0fa729d99206af22ad6bee420555

SHA1
d7f79231971570dbc7cdb3f1f73e602c8aeb7602

SHA256
ec7645af0d599bc00e97fa97731b223db62e834ba602cc00674fd35b518c6488

SHA512
bf19f37ced69665e526e6ebad9ad72bce5900adfcb5ccddc7a8220f9c5fd9946fa92743b003468ddb4a78966137e6cfd9f2de1bb38e9149c3658fd7539c1c3c9

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
91KB

MD5
5d56d7d6e2a1928dfd75eff94f0a50e9

SHA1
205afac8722177a4289faf519fb2d225b13988f0

SHA256
f50b2b72be0d6454fad732cb3db7730caa969406002537996cf0be66a6eba5d5

SHA512
4390e6ae5707bdaac12b84a50700242f751eda1da47d9a2b176407035aee5e4035851757669e084674f8a5b5ac8ee627f62454e8e7010f1e735c53634d69a438

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
91KB

MD5
eee8258d57eddddc4c7d37e2780ddbc0

SHA1
9fec54a9b32b46136880568aa8254f28e1570710

SHA256
bdb808b0d86b58bb4c7a6865ea48131f246ef68ab8f980ba6a31d362eb8c59d3

SHA512
a3105a964d59f41fd8a0d85a21a542c4ad9aed5aea811af697431ce739ba6c8bb690e70492427ecfde3b76a48c3e3a1dabad61aea11aacd3ee53257a23de8655

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
91KB

MD5
17d195d376b5491027aa75a17a2d96b5

SHA1
1f5a9234d1658a5d0324bbadc1e33549e592f14a

SHA256
7d58cea14074d967208a6b38cf836a6eac1bc4e36dcfe17996e45d060b7dfd9c

SHA512
fe494f64eec2c98879e413cf870c21bfb68b1db77e6ebbcb9a8bda66955917d8ae2ed2c77d252bc27ebe459acb6b795358c001830d088e09d7b5798a78d6995d

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
91KB

MD5
372bfd64e0b32bd9f539d5a8f9b3bc1f

SHA1
e261e3edf285caed744ad7bd7270f865f1b30317

SHA256
ef67096f272fdeec92a46272385eb8e8ce13e7368dc884a620f1c5ec8702940d

SHA512
0b75389cb10568ea40167cdc9670018af4bdf50758d1174ca49bad9f43caa6d5be7d9c958bc48c225a0818c2603fc6ffed7c8da98730a71dd17e668db9ff116c

Download Submit
memory/112-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/112-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-307-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3248-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3248-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads