berbew | 2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
Size

97KB
MD5

753275d968dd769bdd1644fdff82edb4
SHA1

8385da50caa9d92e3dc3e1c20d7ca2d216e83ee7
SHA256

2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227
SHA512

7bc558749230ae1e090b558b6f62e878ea098d6d2c7f3895468602e157d71a6121a60ce16ce70344211ef0926c0875199e545a2a254f0729a86992603889af38
SSDEEP

1536:gny5UIwjSi6BeGHr/f3k0bVLgaUXUwXfzwE57pvJXeYZE:Ey5UzjBsbHrnkaVLgBPzwm7pJXeKE

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 42 IoCs

pid	Process
2260	Bjmnoi32.exe
3420	Bebblb32.exe
4048	Bganhm32.exe
4120	Bjokdipf.exe
3372	Beeoaapl.exe
1896	Bgcknmop.exe
1008	Bmpcfdmg.exe
4528	Beglgani.exe
968	Bcjlcn32.exe
2864	Bjddphlq.exe
2468	Beihma32.exe
3284	Bhhdil32.exe
548	Bnbmefbg.exe
3228	Bapiabak.exe
4640	Chjaol32.exe
3216	Cjinkg32.exe
868	Cabfga32.exe
2436	Chmndlge.exe
1204	Cjkjpgfi.exe
3384	Cnffqf32.exe
2836	Caebma32.exe
4268	Cfbkeh32.exe
2144	Cjmgfgdf.exe
3272	Cmlcbbcj.exe
3648	Cdfkolkf.exe
3800	Cjpckf32.exe
2256	Cnkplejl.exe
2324	Cajlhqjp.exe
5032	Cdhhdlid.exe
3948	Cjbpaf32.exe
2024	Cegdnopg.exe
4596	Dhfajjoj.exe
3300	Dmcibama.exe
1992	Dhhnpjmh.exe
4304	Dmefhako.exe
1244	Dfnjafap.exe
2992	Dmgbnq32.exe
3984	Dhmgki32.exe
5024	Dkkcge32.exe
4608	Daekdooc.exe
3724	Dgbdlf32.exe
1088	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
232	1088	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2260	2380	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe	83
PID 2380 wrote to memory of 2260	2380	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe	83
PID 2380 wrote to memory of 2260	2380	2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe	83
PID 2260 wrote to memory of 3420	2260	Bjmnoi32.exe	84
PID 2260 wrote to memory of 3420	2260	Bjmnoi32.exe	84
PID 2260 wrote to memory of 3420	2260	Bjmnoi32.exe	84
PID 3420 wrote to memory of 4048	3420	Bebblb32.exe	85
PID 3420 wrote to memory of 4048	3420	Bebblb32.exe	85
PID 3420 wrote to memory of 4048	3420	Bebblb32.exe	85
PID 4048 wrote to memory of 4120	4048	Bganhm32.exe	86
PID 4048 wrote to memory of 4120	4048	Bganhm32.exe	86
PID 4048 wrote to memory of 4120	4048	Bganhm32.exe	86
PID 4120 wrote to memory of 3372	4120	Bjokdipf.exe	87
PID 4120 wrote to memory of 3372	4120	Bjokdipf.exe	87
PID 4120 wrote to memory of 3372	4120	Bjokdipf.exe	87
PID 3372 wrote to memory of 1896	3372	Beeoaapl.exe	88
PID 3372 wrote to memory of 1896	3372	Beeoaapl.exe	88
PID 3372 wrote to memory of 1896	3372	Beeoaapl.exe	88
PID 1896 wrote to memory of 1008	1896	Bgcknmop.exe	89
PID 1896 wrote to memory of 1008	1896	Bgcknmop.exe	89
PID 1896 wrote to memory of 1008	1896	Bgcknmop.exe	89
PID 1008 wrote to memory of 4528	1008	Bmpcfdmg.exe	90
PID 1008 wrote to memory of 4528	1008	Bmpcfdmg.exe	90
PID 1008 wrote to memory of 4528	1008	Bmpcfdmg.exe	90
PID 4528 wrote to memory of 968	4528	Beglgani.exe	91
PID 4528 wrote to memory of 968	4528	Beglgani.exe	91
PID 4528 wrote to memory of 968	4528	Beglgani.exe	91
PID 968 wrote to memory of 2864	968	Bcjlcn32.exe	92
PID 968 wrote to memory of 2864	968	Bcjlcn32.exe	92
PID 968 wrote to memory of 2864	968	Bcjlcn32.exe	92
PID 2864 wrote to memory of 2468	2864	Bjddphlq.exe	93
PID 2864 wrote to memory of 2468	2864	Bjddphlq.exe	93
PID 2864 wrote to memory of 2468	2864	Bjddphlq.exe	93
PID 2468 wrote to memory of 3284	2468	Beihma32.exe	94
PID 2468 wrote to memory of 3284	2468	Beihma32.exe	94
PID 2468 wrote to memory of 3284	2468	Beihma32.exe	94
PID 3284 wrote to memory of 548	3284	Bhhdil32.exe	95
PID 3284 wrote to memory of 548	3284	Bhhdil32.exe	95
PID 3284 wrote to memory of 548	3284	Bhhdil32.exe	95
PID 548 wrote to memory of 3228	548	Bnbmefbg.exe	96
PID 548 wrote to memory of 3228	548	Bnbmefbg.exe	96
PID 548 wrote to memory of 3228	548	Bnbmefbg.exe	96
PID 3228 wrote to memory of 4640	3228	Bapiabak.exe	97
PID 3228 wrote to memory of 4640	3228	Bapiabak.exe	97
PID 3228 wrote to memory of 4640	3228	Bapiabak.exe	97
PID 4640 wrote to memory of 3216	4640	Chjaol32.exe	98
PID 4640 wrote to memory of 3216	4640	Chjaol32.exe	98
PID 4640 wrote to memory of 3216	4640	Chjaol32.exe	98
PID 3216 wrote to memory of 868	3216	Cjinkg32.exe	99
PID 3216 wrote to memory of 868	3216	Cjinkg32.exe	99
PID 3216 wrote to memory of 868	3216	Cjinkg32.exe	99
PID 868 wrote to memory of 2436	868	Cabfga32.exe	100
PID 868 wrote to memory of 2436	868	Cabfga32.exe	100
PID 868 wrote to memory of 2436	868	Cabfga32.exe	100
PID 2436 wrote to memory of 1204	2436	Chmndlge.exe	101
PID 2436 wrote to memory of 1204	2436	Chmndlge.exe	101
PID 2436 wrote to memory of 1204	2436	Chmndlge.exe	101
PID 1204 wrote to memory of 3384	1204	Cjkjpgfi.exe	102
PID 1204 wrote to memory of 3384	1204	Cjkjpgfi.exe	102
PID 1204 wrote to memory of 3384	1204	Cjkjpgfi.exe	102
PID 3384 wrote to memory of 2836	3384	Cnffqf32.exe	103
PID 3384 wrote to memory of 2836	3384	Cnffqf32.exe	103
PID 3384 wrote to memory of 2836	3384	Cnffqf32.exe	103
PID 2836 wrote to memory of 4268	2836	Caebma32.exe	104

C:\Users\Admin\AppData\Local\Temp\2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe
"C:\Users\Admin\AppData\Local\Temp\2805decd8b6ca71e274459a3987183effc551d6278c45ad4955e4f7dce2b8227.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\Bjmnoi32.exe
  C:\Windows\system32\Bjmnoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\Bebblb32.exe
    C:\Windows\system32\Bebblb32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\Bganhm32.exe
      C:\Windows\system32\Bganhm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
      - C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 396
        44⤵
        Program crash
        
        PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1088 -ip 1088
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
97KB

MD5
b93d4d0b9e5d1bcfcd0c160451fc4aa7

SHA1
eb480167213bba103fd9488d5dfbe85ff1f06855

SHA256
491ee70a211e10c75bdf76cc7c7c57f464cf7315eec47a27333e81ae47bbdb75

SHA512
334bbf454a908d8057d333d52c87b52d474c632b077d7cb0b2036192b488154c48e6f0f8711ac69be1d2727f3af19e91ba4fc310c546d1391d3a30d4e43ee111

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
97KB

MD5
88f3a60135845aeca43b8dd79f74e496

SHA1
2a9f617750c57396add19c99fdd90fea5974ba1f

SHA256
d93a003b58c4713cd1b5063cffa29be43559e5860650d840c99eab4458f8d3c9

SHA512
f81b2cfeb767e8886a405a8f1bbdc5536ff9d7c1c758f609905553f26d99cb155c69cb20873aec47d9924a2baefee554eb9e8955a7c7a24dbbbad03bb6b517c8

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
97KB

MD5
874a4c9cd0af3fa8ed40fe9097212aee

SHA1
7ceaf0dcff35d01aeffc66343cc847bc172c9f47

SHA256
71c0cec5793be06364f25e19ba8bd33c2c717c347b1c2856cd02451c8e0587ce

SHA512
12be66692ac99f029ffab4c2049d45fefddb14b1aed1485f28e7bcb0b8ea45384bc3a86243353c679a5b37a713dc0afe5ee58ce919e9e2834fbe3ac785f1da00

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
97KB

MD5
76c7a5df87cca57d0828b43980c64257

SHA1
deed7f7469480e494b3abfa1281d59e8286cef31

SHA256
bc0b38f6896ea13ae61cecd2163d92682d32b5296e8f9ce93b0a99903768c8e7

SHA512
22b2061eff2fae7c6fbf530e7397b7f4c9b8922fa2912f268f16a29d25a8979388d045c963c6b06944f586ff07c4d857444068285fea6deb87e34dd308e5cfac

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
97KB

MD5
501eaab096a04605300e81e3883f0394

SHA1
f3b879dc750e21fe287a3fb04bc3d9883f2590ba

SHA256
e8fad51981474c98cbf31dcad75ad322a117788e0e167b547fce7b797dd18199

SHA512
6b7856bd16a5f9e4588fb8a48e79da5a05fe26ef318d8da141e711fdc34131927437ba9bc7f1bacc83a2083864c8d9437c43e3a4d4f14c85af7fb5d496cffc4a

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
97KB

MD5
49d528a48aee776c6ba6342e0456e516

SHA1
58fbf152634ddcbcb91a272f10d78555134ca842

SHA256
6e9d24bea654d7bd12cca4f39afc106ab2fd6f1ed39a96e4dd46ecfc835e3c2a

SHA512
87650c114ec95f05ec71646b1878f2ed5f38b132aea3c79a424f7df29d4981d9ce1ad45fcfda83e805465979eb5d7b993bc2a085e929b6abb8156a163f847bf9

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
97KB

MD5
46ca83835996c210b01bfe229bfc0030

SHA1
24dba82dee02cedf0a15f8951b7e93e96cc21fbf

SHA256
8423f06beeebae903fb62b3008a32d8dd6f560801922aef5faf90c0f64520a3e

SHA512
b62c835278eb05653debe84ca93c36efcff660445eea6ccd894bbd57b92f24a057d3e7e41d76955131cf22214013c182f09c7b20c4b7e0429bcd7c97bf7431b3

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
97KB

MD5
0538f4bb200e09174335f3cc27f65cdd

SHA1
3d297d87ce7328f23988260f993dc16b16d6be50

SHA256
edc0c9c5d037e3a8b68755e2e41fd40ce8b09314dbed69a4c374f62d88ed5f4e

SHA512
44dd2105786c55b06303d00dbbfcb5b61f9374827f5fe0a40c491971aa762c84e112f819afedff4f974dc902043e085fea3244a47b337448371d9f8c67732894

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
97KB

MD5
a5387ca22e0b9d6425f922c3e9cae50c

SHA1
9bbeff2b0b12ee769869b631ea01d58a0e58aab2

SHA256
132b9dd20f48b388481f75320909ef8f7ba9d5eb82438ec06b3356cfee36445d

SHA512
b18aed215ab0379aefedc309160b62f64671c231718f8e51f5e0452fbee0a78513b1e217964a395d720236ca47895baa4089ac6bb25f1fb7e198b82e3492dd88

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
97KB

MD5
4682b969d25cc3c45782cfc57d1e0fb4

SHA1
e5abba19903ddc5f1da69f974aa0e7a1451c9709

SHA256
f0ae66b526dd713facf2338336163f6651b240ddd9f4b74af6589ac3363087a7

SHA512
529722f3ac2c5aaa63105eb2cdb359580ba72fa3a067afc08a915ef057bad2a050a596c4add284718fa19a66e514a603798cb0caf36a105c479b17995673985a

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
97KB

MD5
1f1b3d2a4cf630b2bb9f835532d1fed5

SHA1
8c76bd1e48f07c97e5a0e73c75fb60ae5acbfbc7

SHA256
dfa89558624828451dd070feeb9749a7d653112dccfd13a18aa45718458720f1

SHA512
d78c8d25cd496409c27c28fd7354dee9aa782c76c4f31e2892b8fdc0f1becbd3e938d010f8bca31b70f7038cdcd3f120b037e8f478a5af9f419264c0e1cd0cdd

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
97KB

MD5
4a6f94f1484cef03459323ff8f992af6

SHA1
83239e9751de3ba4f80d39ac7a5170316f13f727

SHA256
eb0ed267e83014777a658101074a9c2d5e9c690797010b9fc69dbf1fb30dd126

SHA512
1abd544ca447f894f79fd01cc1dda72ef7ecb85910ac7d5aca02f5ab737e8a16bc87eedb5af1105f2dd35214d10879b449e899ba172c01b6c64cf50109f7be5e

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
97KB

MD5
80dabf97e093c32a4f893c127c1306f6

SHA1
46a60031075d92f093d30a5dc424a041f611eaa1

SHA256
2cfc1c6627ca86b75b831f7994284152eb1f883bcaac961636c88d7b719607cd

SHA512
4f50c47f5d9283e55695254c2b3c7996092cb50afcc4b080b14243acfd504241cf22fcbb6212e83e91a4d81e20c504e22b5d1b7abff6bec367ed67b5cb84e021

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
97KB

MD5
9199d8af8c6c41697ad03e7a62ae4504

SHA1
8d36a0b9a9ba6801c38b3bd984b029a4c8e9a677

SHA256
93144c50383ae7f3475041940eaf1b0b75ed5f5b51e819c14fc2e9b5b57a69b4

SHA512
f7d1e99abe22f10134c01ff464d5c0c99b445e1150c11b270db58eaf31e823ff12c8ea3f785db3f271d4edeccaad734af0cb494e22a640bcace44753e5cfe8e2

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
97KB

MD5
dbbb8d31dfaaee852d48796a11b9d8e1

SHA1
a28b21f88d70d5743942b1cab4f96c82ac67886f

SHA256
b4b990098b4c3886b70c1acb325fe9fc29200f11537cffba2de488f01d632fb3

SHA512
5d8413817acf46f1e8364d269da1c646acf3430bc2936f529ec8ec8b2fbf0a151b9ca7281da943a99bd139405854860a0ebe6f0843b638e9d096d9d16c414b05

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
97KB

MD5
16934519ed3a5f9f3f7c262da595b7a3

SHA1
cb7fd57af0c95ad737bdc74391d30af733610a61

SHA256
36f607b5355d2c319b8e76679688b36187645c3e9f668e8e7dca28f643c48559

SHA512
77516d2b30b8f5057b18964e7f56183f7926da08c0c615578048064adadafff7eb3e61ca71ab9059206f9dfdc3eb7f849e43123e3f380c73fedc99c6f6d44793

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
97KB

MD5
e94fc507c8525d37a89fe46bc6bd25bb

SHA1
0e2485d5fe828d526a393b2129e6c23d012a99ba

SHA256
ddbd39eda0a3f7815fad8e85bda6f61b7e700848dce89f7b5f3e668063825779

SHA512
15bbed75732cfc7a4dd3a8662871967806d7a252acdcc9b28a9bbb9e968ea1ef2d83840a3693aba8aae37b5dd10a184d6539cd9faa46210557cb93b66eac6320

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
97KB

MD5
f30df9dcf19b981d2883d8a1510b9320

SHA1
df220ca1c718c3366b48fc496dc7c1bccb6df06a

SHA256
61d1cab032ebdd9711ca524dee7f7481cc55a6609945f5475ead8726a5dafabd

SHA512
1b4ac3b71cd93f6efcee42f5a2c4ca8938ee6d324819d66a8f1b08ac34e0b78d97ffc74e3d02bad94783f171002d8c1c8e44360532cbf26306285bb123f484d7

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
97KB

MD5
22a866cf873c2cb95c5c0a63747f195a

SHA1
23260e4d6ae9e7d005e0f4c9c115eddc5322f00b

SHA256
a20b7e110ef63086e263a50ddde73045b77f814c5cf260800786c751fdf8371b

SHA512
861b79e17445c8f93aa73b587070890eff49f5aec69df91362d363d3d223694584f0f85072d24f532aeaa32779c41c636c2d85178539ce815eb9e1102576906a

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
97KB

MD5
bc2ed72af62b52f62c0fc1fc7997976f

SHA1
76d4c8f646308bc4041b47b0e614fc7174950c97

SHA256
f5220eed71b05090757858a72108cbfc766dadbacb3fd588cf21f98f8f9b8b8d

SHA512
4aa76c0c8e50abfe3e0b3112d00fb26ead3d6a03f21e617e29441aa059a061aafacdf215d146c727fc78380b0ce6e84775fe63f508d156b24641d5bc644972c0

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
97KB

MD5
2d0c94dc0f9d719ac2e87f193c546b0e

SHA1
fbb300a98d70f8813ff09f2fc8bc1a1fdf42c4b1

SHA256
2e0f22f1870765c78b9ac4b4e8ebd24b330d4a9adf00f585c601cd332b29da89

SHA512
d2ce6a203b8accc5b7a1570e49d9b5d759abab7942ce4df6c96fc0db744d295225e6e11a8dab65cf43ef2b17ef92e2d8fad22e36bc9915c2a96c8a7855c2327f

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
97KB

MD5
8eab9decc7b90fc9455a8027eba557ea

SHA1
730c8a28d4e6a90b5a0186c86c96e3ca537f2f91

SHA256
7a176915e8e46a8c0945e9feba3b6901d8e3fa28ed624bd40a292ba2d19242c5

SHA512
cf8fff784c6ce6365fc1f1f685606425e2d0c8a953b2df71a637c637215c5f680a7a7ec7ffd6e35a4fdfaaf6acf5e5a5f2c69e1b74e289dd0ccc7a5b280448d1

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
97KB

MD5
7f21ea63b7c235a79be44cc4c4a0e904

SHA1
ea21c44c88ba9ae42bffe37de37d509a582fe294

SHA256
108d662f649c1b8e06ae8a746b98a573e2989eff18ad2c7d1a9fbb2ef59e8226

SHA512
4a82462f14d9f3eee37e1a10b6de69e6e4a1e5b00ffa3c8eb51cb91100f0042c5ab3e18ef7661b8401eaf874fece88274065a757f793c9d83e87c45b82bbd64d

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
97KB

MD5
5e7fcb08e181f34430e6586bf46f0f73

SHA1
99b8cb34b34f43a43fcd15c129e2c74f8f0d699c

SHA256
f4363e0a7cf19385148b2a155e4e7242d1594837652bbe5ecffef3041f309e93

SHA512
6f070b929f447d3f8e97b4b36110c0f7ef17d1a8b2f1cb19730e292d822d1529f25dd40a3320d251c20dd4d00cbff3f25fdfb56b71fa2446f43a7f7c25fd0fa5

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
97KB

MD5
f7aa90ad6feaac51304dc25a7964a069

SHA1
3f04bb90eabfa2112c511a680e9c14fe5b8c39fc

SHA256
be7d61a659ab33e531569f50ac949011c6b793f00a7791e1d6bc485d80b71a25

SHA512
604da7f3fcd09712fd5a53cacfa674fab329f0f6a2dd1cc781cb3d0b8accf7ff53d23431c2fa7cc2d4d77335b1bf27a551e1129da6c2dd9ffd37a0fbad4ee97e

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
97KB

MD5
cf8b28c569fbd36b56cfb6f5507d1de5

SHA1
76241d77028b87da6edaaf8a0d053ce89331f0a9

SHA256
af38c7bc92c62dee399441a6b6ce09cdd03484cda5f2f348528e843605b22d3f

SHA512
6b54b8a4c6b8da4e05dc189535e348bee14d547ae725fcda0cedf9e9699cb41acb8255f70363f04ef9cafd7c5d3ff6461c6ff72fea2990db35bb089a00abb44a

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
97KB

MD5
05169988180b967f62a7e80b5949e44d

SHA1
4e8646f49423da0baa4859de1d37cc630f6361f6

SHA256
441fc3f636125d6b5aaeacb2a2b14ceff992f8f49e0ed60ad04251ae8a9474be

SHA512
0123aafdaed161258ce3f2346cb11a3f9d1a526bffc05149c90881baabf8d194c6e0381ee8faeadbf00be7345235d8ef1751ccd8a6d58e49dd1b51913d2de67f

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
97KB

MD5
8791bc57341514a58bc498cd222874dd

SHA1
8470366f45af4da892fbd296e26939e0d3700079

SHA256
0e02eb0c2f4e250cbd9bb697e79a49b61c4f9f0363fb3e8e36ddba9de841c452

SHA512
d45de8917cb4a1ce6d2fe2dc5b925ff89f45e23b94e476da5fb63758136af545e005faea691110301ba11e01d1a72b339106cdfabff3260b0bbc8a56b428f0f1

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
97KB

MD5
1beed631f088e1cb229d2a7f15e51e86

SHA1
e395f287ca2db790cf117695e92a042a78c89c2b

SHA256
d144350fa76f16cbbd062467841e40b5a4870d695a4ad2d3178c07e61e1a0bd3

SHA512
6f280914d645221b27918c9eda65ef1ff90b8891d15b4b69901a8e7d30a0316bdab856769e47f0b5739f726fec825e99fbfd354d464f0e11fa4005b6eb1e0ea2

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
97KB

MD5
451777b8c092676ffbdc1a997e712765

SHA1
45959e30ef360babd499a3767e5806a378c6c588

SHA256
91166757c3c545d28c2c0962dd46a3af270e879fa0e2aa63a7873ebbf2fa72bb

SHA512
33b39868e072121ad44b13aef7574c327820ed541b5f351e32cb23fa5507d482cbae3909c1c144ab381a6422f28b6fa5ed339495019fde09ee6b59abf3803efe

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
97KB

MD5
1100b1ad6efc20d5ff28c8c5bcceef5b

SHA1
6e47cbc5d09b3aca29b4937beb972bc570b84689

SHA256
ddecf011c3d85ec106739162084d4800eeb9129fe967a2f324a04b2037cca554

SHA512
95c049eb5997e97e764334146be18431490336e8e95823789c33e2e95fb3c3a4a314486eb4ed91f2361091993828c86faee63047f7d319ad9d3534e3171cb118

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
97KB

MD5
6c9f6cc2f84c89207529fe8aafd48272

SHA1
b15c770d33894ec3e13693c4ededc5c338d3916f

SHA256
9b4495312ae54d9c2e2ab90d77766f2d72863716873630805de1a456dbea14ac

SHA512
c10a6211e903f173374cd7dc22a4bed5a6be1c7c03aa92c71e22c16eb2a0732648fcaf94ba46336f90ff9b3ae0e634145fea53ecb50e6855d2c4ad69aa9b1a21

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
97KB

MD5
1cef2a3cbfd04e318deccfc34ecd0fce

SHA1
e236855ae314de254b982466d7bee589115f9d46

SHA256
f7ab6f650336328bf61f2390495981bf2f1abc74818e187626cda1d39c464712

SHA512
be5916b1e25079c4e5582fe15b057afa82f1f64e748505fd5dd206a9853e61801dafd6669d694974a4cd6cc99aa7c056fd260b447a149792792001682288a250

Download Submit
memory/548-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3228-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3228-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3272-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3300-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3300-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3384-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3384-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4048-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4048-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4304-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4304-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads