berbew | b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8b

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe
Size

362KB
MD5

fde5b9f9dbd857f8efa2d50cc79a1cf0
SHA1

0f2f669804d736e3761868c3abf0df67b1cb4ab3
SHA256

b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8b
SHA512

9cc918cf065106e9351759f31f21e388718d2656aa4fbced1d953537b3359b3695bdfefca9956869033f6ceafd71bb1e1a6441d219fc0ab43859df2f09abc435
SSDEEP

6144:aIRXKKdDbqXWtGDuMEUrQVad7nG3mbDp2o+SsmiMyhtHEyr5psPc1aj8DOvlvuZn:ayHV2mtmuMtrQ07nGWxWSsmiMyh95r5z

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 38 IoCs

pid	Process
2144	Pqdqof32.exe
3724	Pfaigm32.exe
4896	Pjmehkqk.exe
3760	Qnjnnj32.exe
2388	Qcgffqei.exe
1008	Aqkgpedc.exe
4148	Ajckij32.exe
2620	Aclpap32.exe
4056	Afjlnk32.exe
4832	Anadoi32.exe
4632	Andqdh32.exe
2952	Acqimo32.exe
4708	Aadifclh.exe
5116	Bjmnoi32.exe
2176	Bganhm32.exe
3212	Bjokdipf.exe
1564	Bchomn32.exe
4920	Balpgb32.exe
1036	Bmbplc32.exe
1512	Bclhhnca.exe
5056	Bapiabak.exe
4608	Bcoenmao.exe
2976	Cenahpha.exe
4476	Cjkjpgfi.exe
3696	Chokikeb.exe
3672	Cagobalc.exe
3568	Cnkplejl.exe
1612	Ceehho32.exe
4872	Cffdpghg.exe
1684	Ddjejl32.exe
2020	Dmcibama.exe
3144	Dhhnpjmh.exe
3076	Delnin32.exe
4232	Dkifae32.exe
3292	Dhmgki32.exe
3220	Dfpgffpm.exe
1072	Dddhpjof.exe
1620	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4336	1620	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cagobalc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2144	448	b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe	83
PID 448 wrote to memory of 2144	448	b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe	83
PID 448 wrote to memory of 2144	448	b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe	83
PID 2144 wrote to memory of 3724	2144	Pqdqof32.exe	84
PID 2144 wrote to memory of 3724	2144	Pqdqof32.exe	84
PID 2144 wrote to memory of 3724	2144	Pqdqof32.exe	84
PID 3724 wrote to memory of 4896	3724	Pfaigm32.exe	85
PID 3724 wrote to memory of 4896	3724	Pfaigm32.exe	85
PID 3724 wrote to memory of 4896	3724	Pfaigm32.exe	85
PID 4896 wrote to memory of 3760	4896	Pjmehkqk.exe	88
PID 4896 wrote to memory of 3760	4896	Pjmehkqk.exe	88
PID 4896 wrote to memory of 3760	4896	Pjmehkqk.exe	88
PID 3760 wrote to memory of 2388	3760	Qnjnnj32.exe	90
PID 3760 wrote to memory of 2388	3760	Qnjnnj32.exe	90
PID 3760 wrote to memory of 2388	3760	Qnjnnj32.exe	90
PID 2388 wrote to memory of 1008	2388	Qcgffqei.exe	91
PID 2388 wrote to memory of 1008	2388	Qcgffqei.exe	91
PID 2388 wrote to memory of 1008	2388	Qcgffqei.exe	91
PID 1008 wrote to memory of 4148	1008	Aqkgpedc.exe	92
PID 1008 wrote to memory of 4148	1008	Aqkgpedc.exe	92
PID 1008 wrote to memory of 4148	1008	Aqkgpedc.exe	92
PID 4148 wrote to memory of 2620	4148	Ajckij32.exe	93
PID 4148 wrote to memory of 2620	4148	Ajckij32.exe	93
PID 4148 wrote to memory of 2620	4148	Ajckij32.exe	93
PID 2620 wrote to memory of 4056	2620	Aclpap32.exe	94
PID 2620 wrote to memory of 4056	2620	Aclpap32.exe	94
PID 2620 wrote to memory of 4056	2620	Aclpap32.exe	94
PID 4056 wrote to memory of 4832	4056	Afjlnk32.exe	95
PID 4056 wrote to memory of 4832	4056	Afjlnk32.exe	95
PID 4056 wrote to memory of 4832	4056	Afjlnk32.exe	95
PID 4832 wrote to memory of 4632	4832	Anadoi32.exe	96
PID 4832 wrote to memory of 4632	4832	Anadoi32.exe	96
PID 4832 wrote to memory of 4632	4832	Anadoi32.exe	96
PID 4632 wrote to memory of 2952	4632	Andqdh32.exe	97
PID 4632 wrote to memory of 2952	4632	Andqdh32.exe	97
PID 4632 wrote to memory of 2952	4632	Andqdh32.exe	97
PID 2952 wrote to memory of 4708	2952	Acqimo32.exe	98
PID 2952 wrote to memory of 4708	2952	Acqimo32.exe	98
PID 2952 wrote to memory of 4708	2952	Acqimo32.exe	98
PID 4708 wrote to memory of 5116	4708	Aadifclh.exe	99
PID 4708 wrote to memory of 5116	4708	Aadifclh.exe	99
PID 4708 wrote to memory of 5116	4708	Aadifclh.exe	99
PID 5116 wrote to memory of 2176	5116	Bjmnoi32.exe	100
PID 5116 wrote to memory of 2176	5116	Bjmnoi32.exe	100
PID 5116 wrote to memory of 2176	5116	Bjmnoi32.exe	100
PID 2176 wrote to memory of 3212	2176	Bganhm32.exe	101
PID 2176 wrote to memory of 3212	2176	Bganhm32.exe	101
PID 2176 wrote to memory of 3212	2176	Bganhm32.exe	101
PID 3212 wrote to memory of 1564	3212	Bjokdipf.exe	102
PID 3212 wrote to memory of 1564	3212	Bjokdipf.exe	102
PID 3212 wrote to memory of 1564	3212	Bjokdipf.exe	102
PID 1564 wrote to memory of 4920	1564	Bchomn32.exe	103
PID 1564 wrote to memory of 4920	1564	Bchomn32.exe	103
PID 1564 wrote to memory of 4920	1564	Bchomn32.exe	103
PID 4920 wrote to memory of 1036	4920	Balpgb32.exe	104
PID 4920 wrote to memory of 1036	4920	Balpgb32.exe	104
PID 4920 wrote to memory of 1036	4920	Balpgb32.exe	104
PID 1036 wrote to memory of 1512	1036	Bmbplc32.exe	105
PID 1036 wrote to memory of 1512	1036	Bmbplc32.exe	105
PID 1036 wrote to memory of 1512	1036	Bmbplc32.exe	105
PID 1512 wrote to memory of 5056	1512	Bclhhnca.exe	106
PID 1512 wrote to memory of 5056	1512	Bclhhnca.exe	106
PID 1512 wrote to memory of 5056	1512	Bclhhnca.exe	106
PID 5056 wrote to memory of 4608	5056	Bapiabak.exe	107

C:\Users\Admin\AppData\Local\Temp\b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe
"C:\Users\Admin\AppData\Local\Temp\b7ba3de116ed0dc1e913f2144e810f4d98557a90d877311bb32d1f080bfd1a8bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\SysWOW64\Pqdqof32.exe
  C:\Windows\system32\Pqdqof32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\Pfaigm32.exe
    C:\Windows\system32\Pfaigm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\SysWOW64\Pjmehkqk.exe
      C:\Windows\system32\Pjmehkqk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 416
        40⤵
        Program crash
        
        PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1620 -ip 1620
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
362KB

MD5
20f045c4de7c88a88e9b7d8b96b3feff

SHA1
f8d1819f3cd251f5d15656ffd6b4730818056e85

SHA256
4983843f029260638617b4e1cb5f1c4d8b73f72ad8c6bf0ffeb92970a6ca0433

SHA512
4a17fa22374484db6d16e370bdde55997e8a1ac7a15d979942f5083f1e62908fead20e2445d9f4b664b4b20e986a9df8c6412be7dc0b14841e9b13f37a1aeb8e

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
362KB

MD5
1b9956d688eed97d7b5d14aa65a3715b

SHA1
6217736cb5c3e825351b96de7182b98ab88b414f

SHA256
78ec3ad315c7d9f83c2b42c2020275945147bc0bb77163a8994ba8c55fa31cc9

SHA512
84f22bed645bfebeadea6eeb6d61a52b414ddc86c6ccefdfee947bf77401213765fb9cf0e484bec81db50ecf994e40c9c167d7b5423f3562e22b7ffc3d4dea38

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
362KB

MD5
b491d5b7fa4bea1027012e31ce792c31

SHA1
877f785a8c17f80517455ea676c6149b7f50b17e

SHA256
6ddb34997878a3035d6c31ff9cc50c8bd3d97c4d4235c8cb1e9378e4df6e9c7d

SHA512
6ebb27f25518ccf391772672f37ce950995f23a6e013dbbe496192404c52166163c5e465c8e384ba4a87881ad9290924bb52bf9e67a954a2d7edfdaa048e75be

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
362KB

MD5
02e0caa680c6630d46fdabb7232cf9c0

SHA1
16cfa7972a759dbe53de35a3256f5b50e09b7451

SHA256
d84c3742ca10c6cab20526e02f88d6f4e9db21c4157d27e562f6de1b219c385c

SHA512
67363aac166d618af32f105116a2641e47575d4fea335b35ae77343e52ea4942f958874f3144beeb5fad33d3eb81b6c6be2e9a88f309112d2998db9014746c22

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
362KB

MD5
0f9b0356b85be8570b2e126e9c4e4bf0

SHA1
5af15a8ab364241a0624e4198c72935d50f76fe4

SHA256
70fbcc7c459588e2ae84bf432cff35bddc5eb4cca6407435ab4993e6740448a8

SHA512
7d3ad16a88ab1af72af1fd37809c285d976f991f999fa2eb43c89f5d2fef701ae02a2204da1776de1a92bb3bf8f27f57e196aec27a981b195b7ee7cd94697613

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
362KB

MD5
bab879df6c3d8af017e3c9642d4aaf4a

SHA1
5de8855b1a1c6d3ef453fa73f6229f1587ef5394

SHA256
1dab927678d24fda6f5babf2f7b58d8fda828529a5c8ad61c81ac8ed6c2cef61

SHA512
d4b59d54b3c498fbe079733b6900a54eec71db0392c6eaf2125fcf8d739c4b2178c94a51528e9e20258c6590ecaf34a12ac696bad77d4b5090cb8580900d3269

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
362KB

MD5
e4fa1374440b81a8b243542a5541bdc0

SHA1
e35a2e463f82e6a65a4673739c6f6c9480efc1dd

SHA256
20ee79deb01e0213f88c25109701ef74262b657c5bbd2048251bdc8112e9a892

SHA512
6a53e11436c7d27ee68904561d4753d0a63a02a4ecbb8034a95ac3026f1a356070905c4ed1c58f40c7550031e8c403c93fb9b67ed0e61eebb8d60b4d8eba9b3d

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
362KB

MD5
ef0faf89498ce74aa98e8b3d3e2222ec

SHA1
e2dd541159f9ab62b5628c94d520e3f6a3c6fc65

SHA256
153e397afc9905a9d8c5f3c6a86146565cf4a71dacfcbb17c43540e6b4e9e9f4

SHA512
7bac97a7870fc51de479ef67738c9de9cc8890282788f0625354cb982d1bda9acb5fa03e2f079acc3911636492a189b195fe9556aeead428238c2dff6dec947e

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
362KB

MD5
ac503100148e49ca47d58dcc9a1861b0

SHA1
f6d5c78fca1928495777e1ece96e791ada228b92

SHA256
43921914a31351459b94a63ece8eda21591d4294f20d5ec48d62e0bf4cbc0c3c

SHA512
28c2bd302fcfe0f220709f0dccdb58b9864fd8bb26703af94122211b0df31f8e3c3c1a155b7ed132e022fd5b20de6bd5719e0a8e19f36c4c9b6a90b53ef62ca5

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
362KB

MD5
fa19df68c42b5273af801885ac11b62f

SHA1
6c9f176c0162a7cf2e8fbe569523183855037d69

SHA256
5c75a5e826c934482950b7268ebf5ea14fa37bf10801f28ab5a9141a52617d4d

SHA512
cdb4789fe94d4daada55a76a4b57a38f999c0b023f1ea57c59f7092ab41e1d40668f4086194ae5aa9d20a00c2e4209bd9e377f22cacda97cf2e63c3512e9feb4

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
362KB

MD5
9c1830fdc00c43719de8abb9d3e58edb

SHA1
2d3c7d336d714d8cf900efeecab6814154011617

SHA256
7f5c7958899b34f549f9d5ba32016c8890d8043cf5529742506bce66ee059617

SHA512
1fe36f42aab68f20b1bbf646c0919adfef8a265132b2f9e89bda57f082bf27173faec3ac0fbad98c9c834987f9361a0f10550d48e0fd33b240171c5fbf32b46d

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
362KB

MD5
303608a877cb974b870a1e6370a68d55

SHA1
4dc2c4adfc34a092aa47181feec210e6d6299b72

SHA256
feac5a7b04d3ac8ad05cf59500072e790f5b84200c1e93ca38316626b614966c

SHA512
aba3f7264dfbfe5a40f1b9e5b735481f68adc7600dcf8e614ec5553ccaf406e1e96a1636f5920d0d50d567898680c2698a78ab9e7d7747d97e1ec0e401e134bc

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
362KB

MD5
3a4a0f0148ae623e3debafb8c3ee6250

SHA1
e8efe172e9015134dfa91450c30ece2e393f0ad7

SHA256
68466ec21b4b24a4d91f9f653a4231609491d1e2f2f5440044c791923bf30e60

SHA512
9b59a2e510185f522e9fa65107284dd1c604567d0c2a7c77b3ff480ac450857298ed8e32c8b88ba9ab4e3a8786979acc02fe38757349e5f41587dfaaab86308f

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
362KB

MD5
9bbc2d125a6f81f16a808d69689a3906

SHA1
1540910898ef287d005b8f1206417ad29c1eff02

SHA256
42078570c4bf619d9649274738821eb244ec4021750df760e7dce6b9f18aea4d

SHA512
f2e7150dfa360ec7b197d5571f8e5a5c80929214bcc1009c877b2a978f0e47760fc618d92a59bbe5fc95733bf68dcd3f8f7763fca3f61aa02b84f832dd77ad81

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
362KB

MD5
44aa2f8dff64535c67953e4f5bf04a02

SHA1
9776b91212776b427a7f33af80ef9f5ce48e06dc

SHA256
fa893041d33115796b4fc9efceaab640cc9c6aa3eb8be6dd5500bedd4011146c

SHA512
bdddaabf08dda3da4b4aad62cae1755c01bfabb5601424c7e355d6eef5409cd3b1f2bd30beb6a9f371817549889d4790cdb4b9b7a22f5098ad6dd882ac301146

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
362KB

MD5
d6037ba07edce54d85d3d016fa9b3aec

SHA1
3006f6ffa5f690d02947a3fac2604ef5bde15396

SHA256
26df6f8edd2e85258e92c1cae5dfe62f276cd0166b7d9dab154108598c73d665

SHA512
e5a568da34d90a3c75860f37373031401d017701452aae52339cd7ac1edc6633992af83d912cce745e6943e818bb09dd4e097f1275a8112c1c104172d9f28fb7

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
362KB

MD5
39dd9b2ddec96c62b972008d4fefab81

SHA1
1dcbdb8246d4e3d7c52d3328684a1864b97fbbbc

SHA256
ab2f3f73531c0b3e3449fdba55b9ad2928be73a400486514774c2a1fbb42ba81

SHA512
3dc926f075401050819d5071416315c799993f8281957b07cb6b26d19fd7939e4f93d0d852ab432a58d592eb3a68b0383673b2462fac78035f77270c011b146b

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
362KB

MD5
1a2d940c8190abcf21baa513b77bf1aa

SHA1
76bc4c1c7ed960b2e08914140ab4dd0c2c4da324

SHA256
9243ee27a4abe799609362259d5a830a10708f6396c37e65ad5a37ee26b695b4

SHA512
b6fac61d2f250bd3cff838ed938a6eccd1a0fa08bbfe4825ba1e1bd77f3cc75cd412d1d68bda3d645d82cf0e9377cb54f0c6a8dac6d78899514a46bd7c20adeb

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
362KB

MD5
f312148489c662d545340b8f40402d73

SHA1
c0dc3d69496721cf11c4c798325c50acd360973c

SHA256
7a95bf03875ccd4f924bea5c56d905c421a7175acf0e30c0a1ec8568ca5d9e18

SHA512
aa36a4e408f49142f0248aa921050ecfd5b5766c049f125cb53a7437e070ab1bca0e945dae8a83459f1e36f49b1a190e533109b000f36af6fd0dd72350403c01

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
362KB

MD5
ac49ecd6ffc06c91ef925a3be34e4401

SHA1
2f0c3e2cd7b8b16b1fbb6c54aa18975b172c9fd5

SHA256
1f88f50a01979dd09673917ff3830fd2a676c33921686de115534268bafb7ddd

SHA512
83025bb7b0e9c0c1c9c82bb88edb08bf4a2b69a77691d582114e7ae204a4a2b72a8d2d93ffc83bf2c3ed7bcfc3fc76cd4de752f1441d4b5dc8bd505cf1104f83

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
362KB

MD5
5301b69c5aa7e62ac70b351341b7c9ce

SHA1
4aaec8a5e9686edb1889183fba118a4cc591305b

SHA256
81fb97ba150a218b15abbcaf4f7fb382ce169681e5155f0df0ca3e87bbc3b41f

SHA512
060060f9db2ec8b661f2cc9ecb98208ebebfbda69bdb603ed49d3ec74659e31158101cce533187c5ec3c36bf9b9c677e2f87492a9508ba50b102539fbfcd528d

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
362KB

MD5
e1d0a841bce711204337243e7f494cd2

SHA1
970d21b6cadd503269b2e26cb264bc0b1e369c9b

SHA256
86c0f1e3092a5983dd9395fd5ddcad60ff7c109a7e95d6836d64e00db3ac8acd

SHA512
4db71943a7e57e9fe9ec2944a8e82e4b28b706581d9cf16f033f13b446d2934bc3339170447828b2aa97704270586e423492ba53a12f738219802bb6f6e18009

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
362KB

MD5
ff31f927595636f8596f04d49b7b315d

SHA1
52114e1f69831a4ceec911a2b82a10164eac3729

SHA256
d85a3f68b25d61d4a83df65ed58929f15d00495db8534e69de7398ba83168c0a

SHA512
5a1924f154d6755b4aaf1525fbebe029faf675884c9152530c6bf73d4f895843fe62efd28a28c4b3156c7b2f36372f5fcad227198aaf83ade02067ea2abe6e8e

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
362KB

MD5
77bf325fed1a3bb06387c7dcefe2099b

SHA1
cc363cb88f2a0f370e0c7a4815c8fb58b4fbfd66

SHA256
f861b4e112a7d96f82c699c9afbb00ea804429f5c5a3bff8b63e5b69b68bfef4

SHA512
ed2e1c3eafb91108bfa91bf1aa4eeed505dfa27d3c753494f32af331217c308c8fde591e3ec6a2b5e7fee455a55b7372847297500df20f6f17245744c23d099a

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
362KB

MD5
daae8c5aa9ea28e560a8218d04c4bcf9

SHA1
6fdcac6d0e93b4642bfe65103125bdc4821729b1

SHA256
0f6c67af3a7b863c48a63ff6c754bed1cfa144680d509a5e322c6d155bdffe2c

SHA512
9d8d2da6efd86388ce951622ed56fc95afa83ddd699fb9b14a2ee1ec9760d9e2b8a75501eef492bc67783723df6d64e5bafc768da0e34cc63d4d93be9a49e77a

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
362KB

MD5
d125a9ea3e6b8b4f32c4d3b8a798f1b8

SHA1
c74b7b42c8a1b490bc9132a162dc9bb9f81f2bdd

SHA256
4814320f379f2f4100d404fc99ee8257f89ddd31e2b0d486712060bfb1bd8e55

SHA512
f5a3b121d21cf16946154d9ebdb8cfeaeec69cb3ab1ca7704e4ce815e7c2e006bfb293ac8abce25972eafd128fa2f9fcc0d91ad7254211779b4f9454cfbace91

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
362KB

MD5
0ea235716220b27a02736f6634732c7d

SHA1
fbcfe5b04e73e402b06611d6feff75ddaf65c5c5

SHA256
727fa43ea2fd9b1feb632df8c2e6dc796afb00bc45521b8f16689d2d3543c98e

SHA512
e22ea22439c164873d4408e4ec3944ba0062f7df595ea171477e06a719894529022d86e95cb6bfb52b4b62261ae067100e49eb8b434c3ffe19514451e5868a59

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
362KB

MD5
9edb174c72ec9c7dc95d2cbf45016221

SHA1
774c63bd2f1ca1eb6c8d78e756728a9da04fa4d9

SHA256
0cc92d318f3ea4b9a7a98661cb1de843c7332a31d4708dd884cf13ae731fdd3e

SHA512
37afc0442a58031d8ec07679c7faa1b5a11765f7cbf91e216b70a2207d49df6539d92a2405f90907c4e5da4b14b0c4f109283fa9487467be62a3e3cdd3c760fa

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
362KB

MD5
d542d99c350b6daddecc9da84b738b22

SHA1
94213bfad3043990e8e1a832ab3e6d22cd9784b6

SHA256
f2e927e091ff16a7dba7ab6d4cbf14907e7d45be2f8b47cccfa31842989c29e4

SHA512
7158a8660e099a4dbcf487fe57463306bf5253ed0eacc56770033b425d52dce654c7d10741175063808dead79e077f544a181a6d2151d1afd3c344e0ac9d71ee

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
362KB

MD5
1177e6e440c9e5d7543c60007a6b6407

SHA1
f2c3abc5a11000ef915e3dcf01a6f24db2dd2aed

SHA256
14fe9941d12605a940c9c2160778754941a52b6795a09cea996f86b07caae915

SHA512
cfd2bceede6534c92e0dcb7deb5d8dbc2b6bf97508ee0c1d960da97a8e1790e780d127c06b6931c1fc115b7ecc59008b175a4c2775b363a25fa165c35cefeb24

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
362KB

MD5
de445b7ca29e7bea03e00b67d2b5be62

SHA1
847e3334cd0a6991f09839f8c3a9fff034b8b229

SHA256
127ceba6dae135adeae31b5ed0e6e8e7af7c265d54e40830beb6a8438bce8b8e

SHA512
bf6e7f91522883513cc6ed71428471de164bb6454030529a98effb117703783c8d14eec62c88e5fc259a2d0b3845bde0b68ef3eee97e5b763a0bf141343578c1

Download Submit
C:\Windows\SysWOW64\Jdbnaa32.dll

Filesize
7KB

MD5
2d301c76dab1dcb4f6a49cccbf9fe34d

SHA1
8c882f72461e3831edab7b390c6fe09adb8ea23d

SHA256
d6c63c8d7fa8147292609bf373a408fbb1df6b8bc18ec74657b736c5a0716908

SHA512
3295001de751747c29db97bf7e8b422b876b6f8d70868e4ba140a86d552aecf1f1187fe00688caea100cdc893f03d4f2587860bcdc9321249a1c39d1ce5a56d1

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
362KB

MD5
4460f20f8ac4f4025724a33137b145b8

SHA1
71a8b10680b0b318dec917a666b8d01023187691

SHA256
1379d35b76fc4e94d00397baa43ee403b7ca19a281b331baba740a11626f3df4

SHA512
7e601847683132a091d7347873555f1eef8317ee8fdb89ad90822f284129657e9996742db648dea040205fd5bc8d5e064c02850d1c14349c8827e85105750089

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
362KB

MD5
3a4fb9baee7bd8e80ddbee987c9ff465

SHA1
e2734eaf9b0651f3424dbe80fe8de22d51af279f

SHA256
cacc8d4a006d5ab43f53ed1d43adb3b5fa4eb765843f28709b7d04cf9aeceb95

SHA512
bd72c9a66c4a57f338abc93b281157960c81bf47167d9c3840925dbe410ecb95328a0c671616313a89adce24ce80a83deb9204001a97ae42aa8b52e21458c5fb

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
362KB

MD5
8944536a13c107445f13f089479a4762

SHA1
5e16758286a36244369658b0a38c2485a4b23f6f

SHA256
c17a63148396a1e58d21535da8a34db48cbd51bc0bbb097a489fcf90b74553eb

SHA512
e2d5950007518a95536113e62ed51fbf866e3afa827051bbc63a88cfd522e2fb858a227ada617c75d4ad85408cf137be1e1d6725bf4f3d71ef9ed4f45d134222

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
362KB

MD5
aedb5ce7d84f22d6155a46979ec2798e

SHA1
09ef32f75561721dae89b2567ba10f974679eff4

SHA256
a3a34cf2ac9486c0e9081c89063d0c11ebe3ca5859601501d7af4753b22d14a4

SHA512
4d19e5643a18ce799372ac7c4643938974ded9d23d23495fa24cfdcad8ff9808c7d8ab31dc24e4881b68ae8951d6922daef536245f94ed079cdde163cfb468ab

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
362KB

MD5
ca1bbb612015c621f917a1b5e458c1ff

SHA1
a29477d657fb98db613f5871eaad3ad230205801

SHA256
e1afac4d12fd0e613cd3bcc615a0f871341744c7ccd1d0fed21f3680582febc0

SHA512
1f257a1fdd0c75bef3581988cd12942c56e09f90e5147dc3d2d291ee0066840db770b5a6c583dc56a3b282053c6f2d760a8ff4e9d40e54342b90ee601d6b6765

Download Submit
memory/448-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/448-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1008-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1008-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1684-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1684-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2144-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2144-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2388-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2388-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2620-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2620-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2976-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2976-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3212-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3212-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3724-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3724-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3760-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3760-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4148-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4148-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4232-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4232-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads