berbew | f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe
Size

384KB
MD5

a4f88196b532da4de4272e6655801e6b
SHA1

d3ecb6454134afabf701fd1e15497d6a62b32b8b
SHA256

f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac
SHA512

111b0cebaea5aeb451b0e36295a5671e751be27c929c4533c30376e9b44bb39fccc8dd73f6834bede02b7cf03a71743dc334f387c738ab68306fd75cf253bb5d
SSDEEP

6144:phSBZB5njQO+zrWnAdqjeOpKfduBX2QO+zrWnAdqjsqwHlGrh/tObp:pIr/+zrWAI5KFum/+zrWAIAqWimp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 33 IoCs

pid	Process
1236	Aclpap32.exe
2408	Ajfhnjhq.exe
2572	Agjhgngj.exe
1668	Aabmqd32.exe
4568	Aglemn32.exe
4828	Ajkaii32.exe
3428	Accfbokl.exe
4824	Bmkjkd32.exe
3364	Bganhm32.exe
3412	Bjokdipf.exe
3788	Bchomn32.exe
3068	Bmpcfdmg.exe
4056	Beglgani.exe
4188	Bmbplc32.exe
956	Bhhdil32.exe
324	Bmemac32.exe
2104	Bcoenmao.exe
468	Cndikf32.exe
4000	Cabfga32.exe
5020	Cfpnph32.exe
5012	Cmiflbel.exe
3208	Cnicfe32.exe
4700	Cjpckf32.exe
4492	Ceehho32.exe
3304	Cjbpaf32.exe
4620	Cegdnopg.exe
4852	Dmcibama.exe
2436	Dejacond.exe
3592	Daqbip32.exe
1936	Dkifae32.exe
3280	Dmjocp32.exe
3320	Dhocqigp.exe
4464	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	4464	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Agjhgngj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 1236	3548	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe	82
PID 3548 wrote to memory of 1236	3548	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe	82
PID 3548 wrote to memory of 1236	3548	f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe	82
PID 1236 wrote to memory of 2408	1236	Aclpap32.exe	83
PID 1236 wrote to memory of 2408	1236	Aclpap32.exe	83
PID 1236 wrote to memory of 2408	1236	Aclpap32.exe	83
PID 2408 wrote to memory of 2572	2408	Ajfhnjhq.exe	84
PID 2408 wrote to memory of 2572	2408	Ajfhnjhq.exe	84
PID 2408 wrote to memory of 2572	2408	Ajfhnjhq.exe	84
PID 2572 wrote to memory of 1668	2572	Agjhgngj.exe	85
PID 2572 wrote to memory of 1668	2572	Agjhgngj.exe	85
PID 2572 wrote to memory of 1668	2572	Agjhgngj.exe	85
PID 1668 wrote to memory of 4568	1668	Aabmqd32.exe	86
PID 1668 wrote to memory of 4568	1668	Aabmqd32.exe	86
PID 1668 wrote to memory of 4568	1668	Aabmqd32.exe	86
PID 4568 wrote to memory of 4828	4568	Aglemn32.exe	87
PID 4568 wrote to memory of 4828	4568	Aglemn32.exe	87
PID 4568 wrote to memory of 4828	4568	Aglemn32.exe	87
PID 4828 wrote to memory of 3428	4828	Ajkaii32.exe	88
PID 4828 wrote to memory of 3428	4828	Ajkaii32.exe	88
PID 4828 wrote to memory of 3428	4828	Ajkaii32.exe	88
PID 3428 wrote to memory of 4824	3428	Accfbokl.exe	89
PID 3428 wrote to memory of 4824	3428	Accfbokl.exe	89
PID 3428 wrote to memory of 4824	3428	Accfbokl.exe	89
PID 4824 wrote to memory of 3364	4824	Bmkjkd32.exe	90
PID 4824 wrote to memory of 3364	4824	Bmkjkd32.exe	90
PID 4824 wrote to memory of 3364	4824	Bmkjkd32.exe	90
PID 3364 wrote to memory of 3412	3364	Bganhm32.exe	91
PID 3364 wrote to memory of 3412	3364	Bganhm32.exe	91
PID 3364 wrote to memory of 3412	3364	Bganhm32.exe	91
PID 3412 wrote to memory of 3788	3412	Bjokdipf.exe	92
PID 3412 wrote to memory of 3788	3412	Bjokdipf.exe	92
PID 3412 wrote to memory of 3788	3412	Bjokdipf.exe	92
PID 3788 wrote to memory of 3068	3788	Bchomn32.exe	93
PID 3788 wrote to memory of 3068	3788	Bchomn32.exe	93
PID 3788 wrote to memory of 3068	3788	Bchomn32.exe	93
PID 3068 wrote to memory of 4056	3068	Bmpcfdmg.exe	94
PID 3068 wrote to memory of 4056	3068	Bmpcfdmg.exe	94
PID 3068 wrote to memory of 4056	3068	Bmpcfdmg.exe	94
PID 4056 wrote to memory of 4188	4056	Beglgani.exe	95
PID 4056 wrote to memory of 4188	4056	Beglgani.exe	95
PID 4056 wrote to memory of 4188	4056	Beglgani.exe	95
PID 4188 wrote to memory of 956	4188	Bmbplc32.exe	96
PID 4188 wrote to memory of 956	4188	Bmbplc32.exe	96
PID 4188 wrote to memory of 956	4188	Bmbplc32.exe	96
PID 956 wrote to memory of 324	956	Bhhdil32.exe	97
PID 956 wrote to memory of 324	956	Bhhdil32.exe	97
PID 956 wrote to memory of 324	956	Bhhdil32.exe	97
PID 324 wrote to memory of 2104	324	Bmemac32.exe	98
PID 324 wrote to memory of 2104	324	Bmemac32.exe	98
PID 324 wrote to memory of 2104	324	Bmemac32.exe	98
PID 2104 wrote to memory of 468	2104	Bcoenmao.exe	99
PID 2104 wrote to memory of 468	2104	Bcoenmao.exe	99
PID 2104 wrote to memory of 468	2104	Bcoenmao.exe	99
PID 468 wrote to memory of 4000	468	Cndikf32.exe	100
PID 468 wrote to memory of 4000	468	Cndikf32.exe	100
PID 468 wrote to memory of 4000	468	Cndikf32.exe	100
PID 4000 wrote to memory of 5020	4000	Cabfga32.exe	101
PID 4000 wrote to memory of 5020	4000	Cabfga32.exe	101
PID 4000 wrote to memory of 5020	4000	Cabfga32.exe	101
PID 5020 wrote to memory of 5012	5020	Cfpnph32.exe	102
PID 5020 wrote to memory of 5012	5020	Cfpnph32.exe	102
PID 5020 wrote to memory of 5012	5020	Cfpnph32.exe	102
PID 5012 wrote to memory of 3208	5012	Cmiflbel.exe	103

C:\Users\Admin\AppData\Local\Temp\f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe
"C:\Users\Admin\AppData\Local\Temp\f54034b8c0a02a2fe1c2abca7136b914411d7ee32a1356453b2dfb5dfb58c9ac.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\SysWOW64\Aclpap32.exe
  C:\Windows\system32\Aclpap32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\Ajfhnjhq.exe
    C:\Windows\system32\Ajfhnjhq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\Agjhgngj.exe
      C:\Windows\system32\Agjhgngj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 408
        35⤵
        Program crash
        
        PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4464 -ip 4464
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
384KB

MD5
73a22be20f154058637c44c5f7fac3e4

SHA1
b0549c14f26d1deff5bca83539731d45f2ce7e03

SHA256
223e7012f034c2cd04349ec59bd1567ac85117fba47f8a38d57607893907bba4

SHA512
0e260746e7079be687b6e89034f77458fa4efa8bb5fd97d971b55a4d2990b5cf176a9609dd7f0c12b159a180b1b2560d1e26b5f89b39452df780349be3660fae

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
384KB

MD5
d2676b342f768892383a052a5fb80b21

SHA1
43989280ea77dff0db25491a941d9a82db930dc1

SHA256
151dd479ae39d3cb7c22775d9000267cd029868fd3794b4bc09274faec26345a

SHA512
a0b4d413f8e8848bd608aa6c5b849c8366a14b5eb6c2efa35793fc36ecae38a1baec83c41037173ac041f0c8e780a5b1d3ed17a7c864e446f34fcea3307c33ca

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
384KB

MD5
99f46c9c22fdea1c93e2584447a73c49

SHA1
80032500560c406c6c6157f3492623bab6ca8323

SHA256
76026c147fb1ef1134b429ea19d48df5125cc187a1502d73f8fc573cf51e41e2

SHA512
d2be42f18f6b1ab2002b037b494cc5f0b2cc13cc2b3c47238ac9c1c2cb73ea04725b8fcbaf20a9d76b04725cf8350fcf5e9b619e45aacbed7dd49ae146020211

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
384KB

MD5
954b7a35f3a466b14d84992e2de1633d

SHA1
1beac9fc7b9c63e4e787b98adf42d494823e5a37

SHA256
363e04bacf0f92bdf96872d53be70647e07733bf9340458ab4b8281f4c9cef71

SHA512
ffbdca05d5462f221225da7b4304e1cec7e6aec16a831fdbb40ffc00d409fae5a3f178e2b4e74e1085b706101525b0e8cf1487ab098c8bf387e713230ac62cfe

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
384KB

MD5
c50226dd94d9176b1d22ac2856fd2d5f

SHA1
9828ca9237b6acbb59d8196524fa8869a76a534a

SHA256
b4e1647bbb547d963d12a6ad768805ad35747a0bb6a918bae0fce86add9d23c0

SHA512
e03e09d287251b013b5b4a405a6bec004678b9a280d96dcc595f9edca78cc9e8d499603502df3eb3e6e73f13977c23476409b5fd49e73496aad6985586e075d9

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
384KB

MD5
04639fff89fce59bbb592839bd3c480c

SHA1
6340211adc62e6dca6c4df6ef2e6aec91fe58507

SHA256
2e310fa8cc34ba73429d57741effe3fae4de44f08ae19fb1ee1b7e43a627a219

SHA512
a412d1abd455f00b06e0fc65fce1b4cd18a7521fd6ea50861da33d41f00e69d0a6e665cdb7cac9b482d2575532601bcacec713159e6950da6d43d3885b031ea5

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
384KB

MD5
cbdad6e5ea9409a47300f317d74a3b45

SHA1
36f94061596c78e84bdeb8ca0f6871b0add835c9

SHA256
04483af4206b9c48bbfa2ec39d4d0a859db9f4699d75b8880384295f46827b1d

SHA512
b25f20befe3450d979c74ad26977185401e4ceec4434c52aeac50f2d6cacd66550863955bf894725ac5d94a1ae63bcd89109e5544c17413793094ab864e06b42

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
384KB

MD5
6f7d072a7cbc32a82de44e4c233791a0

SHA1
bdd82089b32e1e762bf64c62e90fcd68d90c3f93

SHA256
a2c39cb0f762d23a44a69b3ff2eac6ec90943ff216e883577dd86e3dd76b9110

SHA512
e6ad7ad5e7635389b81ee67557defa63e0e1cbbde85ccfe81f9b9a340c83b0337cb6dc04cf88123e784326d7369e3dafc37a3720581648f414059c87a0a5771c

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
384KB

MD5
5695f262db7f37faa62d1fb82eec54f8

SHA1
46bcd3ccf635316a8d01b208277da6fd3d5aaf03

SHA256
1a62a364e9eb212ebc1d8052a525b14e1f491a51cfcbe6c6e075100455c25c0e

SHA512
45ac58377c79e0856ec8b542921564fb3f8b0ff3e310f5b6b350de3b8551e5fea1a0760ee57bdf5920765d017cb89f19d8e4cc57c1a04fe674beb6f6a83cd690

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
384KB

MD5
06d5ae801be01ade6b16c7a01ad31547

SHA1
09e83c122f34701b2d21e26b6aa1ad168a0cda00

SHA256
0229e5e3c8e86ec36f31ab792f08140796d817c08e3ea6d280a16a2cec26353f

SHA512
82e3bdaab3990e58a1e94c50f3b71dad9353953540704b4e475b091a11da39eb5282ca330834ea4e0e040fb9e7b9190656e2d2897dad2b7b0f44c5b336c3104b

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
384KB

MD5
e77d4e942dfe9b7254c156e8e26edc27

SHA1
75239126f44ad92d23ee7c115ba0df62a4b9439c

SHA256
f9811da87c924ebd9541e544e2a8124494dea17b5fd3fa2e23e0a451ebd2fd5e

SHA512
a957e4ccef850b7034af169b5c9e99703c35d303fb91ba6f4c51a008ee3dfb3f564d4edafbfb261c74818afcd24fc8125dcfe20bc225cb513256f1cb9b4c516c

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
256KB

MD5
88166a3ec8662c6f88aab1a542a9112d

SHA1
c26a3b8978f3c2bbde54f7113314a8e6ce4df355

SHA256
cf09c8e2484848f6d16fd7c13954cd334892c0f3080323bc4878cf1d06ee3e89

SHA512
d0a21b474f254af0fca33183d7cc4c2d8cec722a06943e7c3391593ad9b1955f82029e049719be99377b0b3a6ef805b8a8a35f122fb47c73e9ccc57d57bcf98f

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
384KB

MD5
e5c81e878575351bdcf76d0b9809ee9e

SHA1
2a95f0c9a9910dd59b015a107e52a5e2bd09c4af

SHA256
d8f32ae46fa1548073299235539ae2e9019e8243934a46f7a2c6023ef937d86e

SHA512
3ba9d4b4c5eb16b541816996a9ed288423423af807692fbe27fe3c007403c0752db7c8879ecf34f3711857dac85376b83c1ffde251dd0f0695322685108cb89b

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
384KB

MD5
93ef9d219403e11231e2f80a18dee69d

SHA1
f0e072a910e5d56b7af5d9859d10185927145570

SHA256
7462283a23b58eaac486b25a3b4131851c4f549c5db49a1c26b3c9af514a721d

SHA512
97308220a1742e5014b423cdbea0a9fe459d2d120bea38d6780671b976540e01e9560885dc94b430a0e844c77affb8d92f851bef501105a25665481c6cba3b15

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
384KB

MD5
4fa67598a48049ea7563071eea8f3127

SHA1
1f0af6d5110c25b61237a886129aa4b1423e475f

SHA256
10c9de91602dfe7f108391771c1190c476c5b4412e5c670435268701519b370e

SHA512
d240a1be52671a54accfb4495922b4cfb0c414fd0715ad4496b710a95906aee4eb55bba96661199eea028ba51287f62ab306303d5bcc9cebd5890cf367cfba88

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
384KB

MD5
97308dad8495d3acbd53e7c3266189e9

SHA1
db43c9483f23f429ae063092d52a43c7c7da2acd

SHA256
13b181fc9b255f1b642d1f372653dd76d5e39df42b9a1b98a2e5411ebc5d2460

SHA512
18c3543edbb41b5c67d17ce9ba7750785f8f885a961514428ea1f965412577fdc6ea338dcfa9f71c09304d2b13b93d1b6af3930e82c4af1dca413b37853b742c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
384KB

MD5
90dc80ad09026680d65fb253663db78b

SHA1
528f66f89fe02e58b1428fda1642551b478fa2fe

SHA256
a0c11a6be5019237d114d73df94017c7193b6751977c8533574fe1f1776ee099

SHA512
72c38212e0f243919a6d7665bf1b82b27c6f32acc91221c9dc54ca08b5afc8ba0296c8bd55bc32669359b483de06a312161c3f004c49f6bef19539a3ed5f0588

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
384KB

MD5
40fbd7cb4acfabf5e9be48a8d3d4850a

SHA1
c8ec5173703a7b04c8717f0bc510a7adee8de525

SHA256
9f5b19f224b4c635c759326fe9b0a94df0ab2c4a0c8aacdcbc7506ef94a63ab5

SHA512
993c23933dcf76a605409562dc51fe3878200e21572b08f6f0da3d0a70a60c7baa3d6fcb3f9a448098fcb0cf046a01d53c26d0dec1db7c4afe5b50dbd732475f

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
384KB

MD5
c44bb64f0dfe30e63cf087ca93c01b30

SHA1
f11e159492363a0ccb7027af5d17b6f4f0ed9c46

SHA256
2a719bad6e88d7e4a3747fb543e96498dbc724a7877fbf9bb9ea26bff3302ff1

SHA512
3dfe67f10452b7266b678fed0fee5eb076e1a6a8360fd31a1cf06f1663374216065719ed6b0479ecf6762363143699c48446ee12fbcb30eb2bf0b52f24c70138

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
384KB

MD5
2d2b93275349ff323785000776f78f9d

SHA1
7b8c846c1feae7aa1266a5143ca3f35b8af6bd69

SHA256
5d9bbf96cef49d5d5794cc224dc73a59cbbcd79301d66b38f7d14baf5b1c01c0

SHA512
98f5b3a4c791ca1ab7f937fe164a2b847a1f6a3fa972c304ed402fa63cabae0e23e5e9c09c8ef05e2d10b2a445d8b5817015c25f8120c28b3f20fc6c5e882175

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
384KB

MD5
47ce812ed5499c82939164f1f2f75380

SHA1
cebe0e75e3bf1c841a8fa965f7f89026e43fdb56

SHA256
51cb76fddeea76f6258383211e5b07b4b24d37a8528d539cbd61069ecb917424

SHA512
9ffac1a9ed3e13c30735d6bfec697c3cc51fdb8c8414cc6383a3311797013077a0a5d11ffd8d0d2f3f46bd4d34ff6fbc178b705ab90c7e73b1802fd11725d1fa

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
384KB

MD5
5911f985280b7462fd8c1c29e2980702

SHA1
f34b413b8ec0982f936f30a2d2dd5ea973497d2d

SHA256
6547b27c69e81e8891aa4232742ced18737a7d2fe5603952ba11f1021c3a78d9

SHA512
fad2ce86add5c5e846777dea73fee149a7bb0a6241039494041b61d8a56aa9d93391a70d913f517ba150ea9ee9bc9c6e7366249090845d8ae0931ef935b5ceb1

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
384KB

MD5
93914b238446a39b76e460a0e33ffc41

SHA1
b0dfefee17042a8fe6cac11dc01165c10c0410f2

SHA256
79c2a10e10bd6e74cdcf79e14534280cc00c98400ebe5fd25b2b6d2e7006d6fb

SHA512
8b6e02351bcbd9d17e7ae9f5d3bab6c6ad73d4de0a994afa917a92b3a14a68bcdeb696acae5c535cd34ad6caeff92161dca187e030f3a6630a30cdc983340f84

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
384KB

MD5
3ac66aff044bf9ca10de545a4c53b583

SHA1
1e75108ec0635d333dffde8862c2f0ef357ad774

SHA256
43ddade22c8cfc0495c6a82e3a01e1970d6b2367d65f9103759137c7a5f0b1bd

SHA512
773c25aef0ff1a99d294e996621fa45634592a6e14fb8531cb21084046af9822862fde39e1eb132b7c47a032894fb4659ad08a08f0b0021fbca149194bec393b

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
384KB

MD5
11e05b5f3b6e1c7a0ac271d1928c8f4f

SHA1
c42adf9261ae2b419a10259b2192ba6fd6ec5d8f

SHA256
d38e478d17900f50558e610c1ea9d3ebb0627f76bc6274ca7b2adb0f1509899f

SHA512
767e73acb5c20af9be335d6b2db4a4eef150274f529bed6fdffb32c0b8477cab4e9c381e6fdd985dc4b6bf36741d0e48845e2a84726d58caf3a66f7f8017d87b

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
384KB

MD5
78f659d7c9f9f1a0823f47ee04ed8dd9

SHA1
ba3508d8ca1bb19319c5bf2565a72c277962f341

SHA256
c96beb9a07cf619ef1e3a6547f3a8fff7884fff143d2096e89d28904b243b1f7

SHA512
43ca959f6f99e5eee59a819eb478b5c69c8133a2b68e8be9266da71484562cdbb0622fe50d2742f278158e4cc455ccffabfe5a4e7afa321ea7069beee49093ec

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
384KB

MD5
d7f243e6175af2f3e0958b1cd35451ed

SHA1
9afb8424ba0be395a95f8f5277ee0d9e90ef808c

SHA256
6622e406940b465cdead96c1e97b8a1dd816360f12456699018280e0ae4d36f9

SHA512
5f590f7524a07cc0381a8869ff7b5ffe18d13411581276725296afffaa7a0298359cb4588f75730d01d8af93499b8c2bf6d6c1b544cf97bfca8db6cbd305b2af

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
384KB

MD5
8b3540b9f1ed43542f8116db78e0000e

SHA1
948c9dc48d664a4bd70c3e39ec1f2a703c92c5de

SHA256
bbad03968b83ed6b2484b47208d248f8796bb63c51a94f37260a0032cd454429

SHA512
d100ca87d46c34b1548cd57d11b5ccd7af62bcc352cd271df4e8a9fba505a376434e92e4264e84b65e2b63afc922e2b21dfc6f165e17a4a1e80e1b44f8f88992

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
384KB

MD5
7861f4d565435af119258b28906d0cd2

SHA1
5d68b850a5487b6e51b6eecdaa8a11fa7f7a0a50

SHA256
c9c9f00d08e658f9e69f664d6c91b10636aedd5f302e8ef7e760f98df93c72cd

SHA512
7c08fdadb5898c88f7d97ed6c740f4aa896079fba62bba119dbad1eaeeb2153186eec9478477b326871c81bff545a5de5b0f52228059308faeb8df09d52aeb2c

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
384KB

MD5
ceadcb2e54e60b93551edc1fc33b42e4

SHA1
d3c54c3a7852fdc8aa5a2316acc19420a4dd436a

SHA256
1a3082357b7757fb56e58fbd40416cb242bede02b0b3c470cc6e3e410c74df54

SHA512
2d1a18fa9776a7a433bdedb78f70e6cd8f312c1f589dbe51c822139a9ac4a0917c2ed5acebd6d703d913ca723b7bee3b0b1e69c5e6a918f2e195e096721888a0

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
384KB

MD5
c7ee3346d7c58e874cf371535360fe3d

SHA1
e61ef13ceaf39e853301dccb5e32096341314b93

SHA256
ef30c968638cab10e4224a3c40d979ace5310f0bf5005c82aa39c347a8f0391f

SHA512
e2aaa232e99360d1a0fbf9f9ff25cdf35cf9ad01c366544efad407411382293b933bb05351387090cf175abb9ffdc96060a5c0a54e14051dbe2bd2cd174931c9

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
384KB

MD5
d448dc0cba6dd8dd108d6c89ccbc79a5

SHA1
0a747119ac840228318cc732caa48d634f9d537e

SHA256
c11379810c6accb7f116e04a996702ee90e58bf9f20cfcc4896048866a2de8c8

SHA512
cb09a980ab1f3b13a0cbf471ef57ca220959cf1656c22696ed0773d10def947c0386e3bfade47e1f3bfecafefef355574dbacd2869920f2b6226da8c36bef6a8

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
384KB

MD5
4c3a098b60033a4e3eb0590b1f285eef

SHA1
3f52a1ba5f0da38e26feaa4f6b91cf8a2007b1ce

SHA256
8c68714bbade2c098145e1c7bf9fcd878a4ae59fde235cb9ce92f6e26f051c37

SHA512
c11c749d3d7437be47f85fca3f50969f946218bd7324d69dacda12dc830b2bf22487339d2b28c755e86e0329d9b5a775daa4ab56e2e36b27f57ad2e228be06b7

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
384KB

MD5
37a9422140b26cd413c670162249663d

SHA1
dbc42ae26f223fe56ed844b22510aca817cc424c

SHA256
60234d98d3b872dd0287e467ca64f2115772c9c324533d0365b21955a00e6b94

SHA512
121c2c59e305b8f37523d2df80a9d21a58b50e64c8d26df8c560abe8c768b275fe5ef68fddb43c757052cdaa812d162ae19a1a9e1ba6e6e8d0bdd03b1ed3490b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
384KB

MD5
0bf17658f387b53242e96ac2124c7a74

SHA1
84f71a4e471d4d0da79ed21d079f144beb507db3

SHA256
0f579a27b8279be82f2c75432b5bd63c38c3ddd0599c015d36135ce9a52d94de

SHA512
bd185ecad475852fbebc193fe9bd9e8df70c3cb9989f8a09b0d9ea4f918d930164decce45e73554e496da5d571c34fed170be62c4c69be44233d42b6af830420

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
384KB

MD5
38418bfea3680bf46a5b0eb8387a02e3

SHA1
ba6f3cb4edf9d20ac73d81fa989b60639c059d45

SHA256
341218965d3087bacbb5abd6f3b5cb420ec85cab84447ef3ac63094256d977ee

SHA512
d251c7795140f272bc15d06f8e538080ba6e5e4e06a07fbfc72ca43a4a7852fc7ca46d7885d5d5ba66ec5324f643d1b5579a9f90b8a6e720b26623ad167b92f2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
384KB

MD5
e9ed6ba6300c45de4fe60d1cf6fb98f0

SHA1
4e00ccebe946ccf068d5900ecadf4fd77b51a4e3

SHA256
fc99cbd6c0e343301777eaf2bf2ff0e8835da16ef75eb54607d0ee592e3dd673

SHA512
64ef73a4d2e1d8a2aa124b0df515269b7951711adfd6f606e160f184f329fead668e8887cc940c6463859011f0c6a7c891218b2897479c3129884aa147c4e31f

Download Submit
C:\Windows\SysWOW64\Mnjgghdi.dll

Filesize
7KB

MD5
cbbc43ac31026e1f9051df35aada68fb

SHA1
4009587f5490a204ba17ee45251732b2282cf86a

SHA256
1816cd10a71cd2843541789deb0e8c9a17df02ea2eefb141787ac78b4a5ccf09

SHA512
b35ed53279b590199cec50cc07ce12924480c5b8850ff84104e80632e1acc2b0ef8ed0d4d345e6732319ebdde8dc45ffa4b6aa907d1d8e622cfa94f03a81bf5c

Download Submit
memory/324-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/324-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/468-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/956-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/956-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3208-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3208-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3280-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3280-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3304-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3304-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3412-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3412-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3428-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3428-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3548-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3548-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-283-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4188-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4188-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4824-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4824-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4852-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4852-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads