berbew | 3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 20:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
Size

352KB
MD5

d2d6778b59eceea4bc367ccf881e54e2
SHA1

477a40d54dde5510b1af79b2ee599046fd6e4fed
SHA256

3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb
SHA512

de6c87707511d43c6fef3da60e2502aef7003e5e0e94598b8217a18aa9654bb9cc321632188cad92d073e9ce2ed4620519d974e314fd910a75283b11dc22784c
SSDEEP

6144:UPRk1+4IbxHTpr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdFfX:crvxFrCZYE6YYBHpd0uD319ZvSntnhpn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmeimhdj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 27 IoCs

pid	Process
2708	Pkdgpo32.exe
2636	Pckoam32.exe
2648	Qbplbi32.exe
2720	Qkhpkoen.exe
692	Qgoapp32.exe
1964	Aniimjbo.exe
2232	Akmjfn32.exe
2380	Amnfnfgg.exe
1748	Amqccfed.exe
1968	Ackkppma.exe
2292	Apalea32.exe
1728	Ajgpbj32.exe
2492	Acpdko32.exe
2480	Aeqabgoj.exe
1352	Biojif32.exe
3036	Bphbeplm.exe
2220	Bonoflae.exe
2548	Behgcf32.exe
2308	Bdkgocpm.exe
868	Boplllob.exe
2544	Baohhgnf.exe
696	Bdmddc32.exe
1488	Bmeimhdj.exe
1508	Baadng32.exe
2748	Cfnmfn32.exe
3052	Cilibi32.exe
2904	Cacacg32.exe

Loads dropped DLL 58 IoCs

pid	Process
2848	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
2848	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
2708	Pkdgpo32.exe
2708	Pkdgpo32.exe
2636	Pckoam32.exe
2636	Pckoam32.exe
2648	Qbplbi32.exe
2648	Qbplbi32.exe
2720	Qkhpkoen.exe
2720	Qkhpkoen.exe
692	Qgoapp32.exe
692	Qgoapp32.exe
1964	Aniimjbo.exe
1964	Aniimjbo.exe
2232	Akmjfn32.exe
2232	Akmjfn32.exe
2380	Amnfnfgg.exe
2380	Amnfnfgg.exe
1748	Amqccfed.exe
1748	Amqccfed.exe
1968	Ackkppma.exe
1968	Ackkppma.exe
2292	Apalea32.exe
2292	Apalea32.exe
1728	Ajgpbj32.exe
1728	Ajgpbj32.exe
2492	Acpdko32.exe
2492	Acpdko32.exe
2480	Aeqabgoj.exe
2480	Aeqabgoj.exe
1352	Biojif32.exe
1352	Biojif32.exe
3036	Bphbeplm.exe
3036	Bphbeplm.exe
2220	Bonoflae.exe
2220	Bonoflae.exe
2548	Behgcf32.exe
2548	Behgcf32.exe
2308	Bdkgocpm.exe
2308	Bdkgocpm.exe
868	Boplllob.exe
868	Boplllob.exe
2544	Baohhgnf.exe
2544	Baohhgnf.exe
696	Bdmddc32.exe
696	Bdmddc32.exe
1488	Bmeimhdj.exe
1488	Bmeimhdj.exe
1508	Baadng32.exe
1508	Baadng32.exe
2748	Cfnmfn32.exe
2748	Cfnmfn32.exe
3052	Cilibi32.exe
3052	Cilibi32.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Akmjfn32.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Apalea32.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pckoam32.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Pckoam32.exe	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Jmogdj32.dll	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Pckoam32.exe
File created	C:\Windows\SysWOW64\Qgoapp32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Ldeamlkj.dll	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
File opened for modification	C:\Windows\SysWOW64\Pckoam32.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Pmmani32.dll	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pkdgpo32.exe	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
File created	C:\Windows\SysWOW64\Elmnchif.dll	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Amnfnfgg.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Qniedg32.dll	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Acpdko32.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Biojif32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2812	2904	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Boplllob.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2708	2848	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe	30
PID 2848 wrote to memory of 2708	2848	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe	30
PID 2848 wrote to memory of 2708	2848	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe	30
PID 2848 wrote to memory of 2708	2848	3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe	30
PID 2708 wrote to memory of 2636	2708	Pkdgpo32.exe	31
PID 2708 wrote to memory of 2636	2708	Pkdgpo32.exe	31
PID 2708 wrote to memory of 2636	2708	Pkdgpo32.exe	31
PID 2708 wrote to memory of 2636	2708	Pkdgpo32.exe	31
PID 2636 wrote to memory of 2648	2636	Pckoam32.exe	32
PID 2636 wrote to memory of 2648	2636	Pckoam32.exe	32
PID 2636 wrote to memory of 2648	2636	Pckoam32.exe	32
PID 2636 wrote to memory of 2648	2636	Pckoam32.exe	32
PID 2648 wrote to memory of 2720	2648	Qbplbi32.exe	33
PID 2648 wrote to memory of 2720	2648	Qbplbi32.exe	33
PID 2648 wrote to memory of 2720	2648	Qbplbi32.exe	33
PID 2648 wrote to memory of 2720	2648	Qbplbi32.exe	33
PID 2720 wrote to memory of 692	2720	Qkhpkoen.exe	34
PID 2720 wrote to memory of 692	2720	Qkhpkoen.exe	34
PID 2720 wrote to memory of 692	2720	Qkhpkoen.exe	34
PID 2720 wrote to memory of 692	2720	Qkhpkoen.exe	34
PID 692 wrote to memory of 1964	692	Qgoapp32.exe	35
PID 692 wrote to memory of 1964	692	Qgoapp32.exe	35
PID 692 wrote to memory of 1964	692	Qgoapp32.exe	35
PID 692 wrote to memory of 1964	692	Qgoapp32.exe	35
PID 1964 wrote to memory of 2232	1964	Aniimjbo.exe	36
PID 1964 wrote to memory of 2232	1964	Aniimjbo.exe	36
PID 1964 wrote to memory of 2232	1964	Aniimjbo.exe	36
PID 1964 wrote to memory of 2232	1964	Aniimjbo.exe	36
PID 2232 wrote to memory of 2380	2232	Akmjfn32.exe	37
PID 2232 wrote to memory of 2380	2232	Akmjfn32.exe	37
PID 2232 wrote to memory of 2380	2232	Akmjfn32.exe	37
PID 2232 wrote to memory of 2380	2232	Akmjfn32.exe	37
PID 2380 wrote to memory of 1748	2380	Amnfnfgg.exe	38
PID 2380 wrote to memory of 1748	2380	Amnfnfgg.exe	38
PID 2380 wrote to memory of 1748	2380	Amnfnfgg.exe	38
PID 2380 wrote to memory of 1748	2380	Amnfnfgg.exe	38
PID 1748 wrote to memory of 1968	1748	Amqccfed.exe	39
PID 1748 wrote to memory of 1968	1748	Amqccfed.exe	39
PID 1748 wrote to memory of 1968	1748	Amqccfed.exe	39
PID 1748 wrote to memory of 1968	1748	Amqccfed.exe	39
PID 1968 wrote to memory of 2292	1968	Ackkppma.exe	40
PID 1968 wrote to memory of 2292	1968	Ackkppma.exe	40
PID 1968 wrote to memory of 2292	1968	Ackkppma.exe	40
PID 1968 wrote to memory of 2292	1968	Ackkppma.exe	40
PID 2292 wrote to memory of 1728	2292	Apalea32.exe	41
PID 2292 wrote to memory of 1728	2292	Apalea32.exe	41
PID 2292 wrote to memory of 1728	2292	Apalea32.exe	41
PID 2292 wrote to memory of 1728	2292	Apalea32.exe	41
PID 1728 wrote to memory of 2492	1728	Ajgpbj32.exe	42
PID 1728 wrote to memory of 2492	1728	Ajgpbj32.exe	42
PID 1728 wrote to memory of 2492	1728	Ajgpbj32.exe	42
PID 1728 wrote to memory of 2492	1728	Ajgpbj32.exe	42
PID 2492 wrote to memory of 2480	2492	Acpdko32.exe	43
PID 2492 wrote to memory of 2480	2492	Acpdko32.exe	43
PID 2492 wrote to memory of 2480	2492	Acpdko32.exe	43
PID 2492 wrote to memory of 2480	2492	Acpdko32.exe	43
PID 2480 wrote to memory of 1352	2480	Aeqabgoj.exe	44
PID 2480 wrote to memory of 1352	2480	Aeqabgoj.exe	44
PID 2480 wrote to memory of 1352	2480	Aeqabgoj.exe	44
PID 2480 wrote to memory of 1352	2480	Aeqabgoj.exe	44
PID 1352 wrote to memory of 3036	1352	Biojif32.exe	45
PID 1352 wrote to memory of 3036	1352	Biojif32.exe	45
PID 1352 wrote to memory of 3036	1352	Biojif32.exe	45
PID 1352 wrote to memory of 3036	1352	Biojif32.exe	45

C:\Users\Admin\AppData\Local\Temp\3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe
"C:\Users\Admin\AppData\Local\Temp\3a92ab4d34d0ad7361a06e538e31d1fa592353193f0bdad56b63ebe21099c4bb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Pkdgpo32.exe
  C:\Windows\system32\Pkdgpo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\Pckoam32.exe
    C:\Windows\system32\Pckoam32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\Qbplbi32.exe
      C:\Windows\system32\Qbplbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ackkppma.exe

Filesize
352KB

MD5
d3306d83238a997bb2027ce05e3acbda

SHA1
209cb172971aa2085d2f1b02b290a469d835365c

SHA256
b576b7d26d3f8c72021a5cb60a85b2bbda63bdc2bf9e76d6e491dd8ea606f94c

SHA512
f9b40349a49b65c1eed302550205aa475bb03b0882e98022fa3fc9c5677564fabe8923a67fa5d54d51a65088e8eb495de5d736877c27c448e7dcf108062a6fab

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
352KB

MD5
10367818d56de4a86db8b038c9eefa59

SHA1
0ddf94a64915223c6d891ed9db4fcc5005021cde

SHA256
7b6cdc60348778e52d0b61b30c171ed25f8239faedbd27f8390f355eae7cee3d

SHA512
c17df3e42430b519e41d5e60e93e7dd65c48556123cde347d74c34b82955bc69987c6aad1845e6e8d058d6333d7feb6dafea1dd52f8baaec89564f82c5b7fc16

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
352KB

MD5
51dfed443f0c7448a0c5503e909bbc0a

SHA1
c0d86cea3b15cf86d2bd48367fd31f8c3ca5b70b

SHA256
c9c5f2a2e8e0eb4777b18df1d021ce2c844a87f7c15f335a444f4bf4e50f50ad

SHA512
2a137adf52d243055e29b6799d179eabdce3c6c43aa71f2e9767b50563a6eaa7dbcb9ea25b6360eb739c4a4cf0b72389d5d4856db5ca6c12309e921985b0465a

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
352KB

MD5
27d231ebb580608427d664fe5ed7704d

SHA1
e12adf7d5e16ae87f5b3bcfcf79befd4f357ad25

SHA256
fb9023e42f20c2080cac3ec9735da064e8abc44f8c17e5450e75916c812222f1

SHA512
aad4ba011d5e175f24bf0e919e0ea8ac93fa491eeb7b022105a59e9cc767bdb3e4b5fa272d50f4523575937f2405ebc66a6db8aaa95b81b2d8fbd4ae5f84954b

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
352KB

MD5
e6f1761d7214737938ed881ac03ff3a2

SHA1
8876fb79855f5ec9d2a318a3a4e7d8c64d6d869d

SHA256
95556cc456aa72777a72b55208269a3795165d773c8c3c3aa8eb7b9d963fb5ae

SHA512
581a69751e598ddb97a694cdd155641fa8a9390d2b2d97b9be0f4f5246c47e13eed288cc6313a077088cfb13863e1ff0be058f33843949908a79250b36157f92

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
352KB

MD5
39a09ac33138cace95417f87b0bf3b2a

SHA1
f4b69198b5bc4d14c0e707962dc3da73c0739082

SHA256
9e9a076b3d0952ea8f8847dc976184a2208da1ec36f47e19e521ec47b2f183d3

SHA512
89439c51dcd7183721b17577698dac513bcfd515e21e9608f9cd3203097438e96ddc5206ed9a6281090f35fc2b6e279cf1450099ff82273866abb64ad571bd7d

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
352KB

MD5
d6c46d61f9b0a1c874d688199146b498

SHA1
523ae06544689f8df957ae8eddf6faada0372149

SHA256
b3a96c4c9bb189e8a706c049f85506cd27aa5bb668a6014ffad26bc6b9cc8c7e

SHA512
3de7204757b053520b16e04b51924c3129afa7152fd7f5d9c70bf3c1bebb15eecd8d1b37339ef2c6ef20a0708d3cbf7716e62aa5e40d1ec124cf1c9d29531645

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
352KB

MD5
3fd077c9def1be0920ed6f8bb8887877

SHA1
c3ae61a71f8b1a31532600a318719aeec5af9d9c

SHA256
191d8f40c5895eef5691b314fe467912008177fb18f2e6c59829b09e95c68aee

SHA512
3a4113e0f421752923f1b5e8b4b77f24de9eed2f71faa5dbe2b423ebae81b195cfa4673a77d7ca328f15460d2368b2df5072283fc2d94e661120dd9775e9ac89

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
352KB

MD5
760fe8f73bc7b1907257d38ed47fc14e

SHA1
e0a2c150021400b32637d6785af69e976141188b

SHA256
5495b7bd579c6ca4ba94b1cf32527e5c6db317347f27f525ab686e58743a0b1c

SHA512
b42b9aa17c74419d156e77c1da0b22836ac493611b6082331beadf598a9dcca77893eccf9182df4a388e54066c1b095781dee7e9d65d417bed67166eac8af179

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
352KB

MD5
d7b5eda5052d5a5443059134063c22d8

SHA1
528744d6e491a490fbeb423c7a4be6ed3f07b7e4

SHA256
d1324a940ff1bea70abfd77d05baccb1e33d954d5a80af4f082deb12f0be39a1

SHA512
d7c55740bb5646803f74cd026dc2504a8e1c216a85e6bdd8626d09372ad88c1e52a69ee70ee5b6a5d10f1e1f9d17ee716684ef46b94f2320ddd5af4be83c5b62

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
352KB

MD5
440c9e0fc06473b09c65b9046153bec3

SHA1
1b65e8edc69509aaf93c8cca62ecd52eba30f6bb

SHA256
fccf742a8dc89bf85937524d1cfcbb06f621e13b0c58133866f0b72ff986c5e3

SHA512
5aa4a7112ba19a9942dd50d5aa3f6f5d5ed35a9f701b5bcd1c45b00e0e6a4b1539cdae272f8c9fe15d4026bd546e77a5aeca0e4bcf3a27287d36556d626e274f

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
352KB

MD5
27bbdb4ead28cfe0b7ff9d900c42abeb

SHA1
dc9e687f46e46665a82c38e1fd9adc7701f0d8f7

SHA256
4da91b79967a72e6e04c3d18c787ed702675203d816f9dbffb4d75b5f7e80cc4

SHA512
2048bbdfffb54ca337888dd35bc84ff3ff176888ba327087da97fe50595282744c76dcf98f111a91f5b863d88723c364acc31fa4637e6433c228ef733ce066e4

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
352KB

MD5
b9b17c9a769ac6dd641ff0e0ce9ad41a

SHA1
c8c74cefec50414d65693eb06fff5daca233519b

SHA256
9d521e6c6b496167c1ad799c56ed00f289f61c89bae6f890db9b2a4275b4d7e2

SHA512
9e9d5250725070ec29a57c2638b0fe010207e66e6b94898c6b2485d13099e1a2c1c4cc69e111ed4b40f1834d07d2098f9846a65b9a8a7fa9ca72899747837ab5

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
352KB

MD5
21334ac8259628d081aa10bc620e6460

SHA1
22eed236e6ec72019d7152824a5a511ed7b37883

SHA256
ef63491de8c4f204e937651b80fa74318de748e631815f7fc86db9f72e6fd176

SHA512
8e4efd71e965f17e98cffe9ffa86f5a79d0bdb595ffbef851941ed9710baf76a767057e35f2a47d7e69617bcb02526b7839bfb4dbf0f1ec24166b055784c664c

Download Submit
C:\Windows\SysWOW64\Hjojco32.dll

Filesize
7KB

MD5
15848c5ccd2d3af05610f3712e380f9c

SHA1
f9fac4ab583bd0dfb2e0b7df62892b33e642ce79

SHA256
9858266189c70382e6198fc6f7ced711cc7f389982525838e70ad3d94a9661eb

SHA512
51149c55f4f23066a44ce73f7dbf65caa9f53e4f150632790932bec51057a5dc974f8d0293c08f84835fe91c830b6ac8cd034b9f5495bb2677c1bb828cc20488

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
352KB

MD5
016ebd463938ed2cb983cbd7577cf79d

SHA1
0334cc1df33badefb99aee7b9171bef01ec47b0e

SHA256
c621799a27ff39660d49008d822d804cd19d72fb3d26c91c5b2f68017f3a51db

SHA512
3c72777d84b6d4511aea9fcce13c68b553ae373f3e6d50e26642915680e286e70af5fd3792402ff023970b3dc9806f6e4b82799f57fe33de366f655106880a9d

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
352KB

MD5
ebbc5687afb42b766dc69d2fa570b2c1

SHA1
32bd4e33b1c026e00cc7b67e641ed6d46b501adb

SHA256
f636de138fb4aa9bacf23debfc1933158d7f5610e6d2575a9bfd205587a6e47f

SHA512
ac9af1c9de4e12aa16b2c33d8d82ac48767568955199c4369b98f4679f2c8847613c5bce3eb1eee241c2ca29d27a6389a444bb11435c1e5102c096fd347b72a2

Download Submit
\Windows\SysWOW64\Acpdko32.exe

Filesize
352KB

MD5
aafd4d55ab1c55e2faf51ab8ca41b665

SHA1
cf436c2a612cec5aaf701cfc1ed926dfde2e375f

SHA256
ed9925b9520224e96adf651d64499d443bb57ff8d0d510104a7e9f7ae42ca927

SHA512
d18003024d6b36fbdcffc4e06adee624289ce84395fd2b34707bbdb0656e5b28ec3ce40c8ce624a2b6719a30fbb1ccd964a57e1f26c2e952e63a500ff0762729

Download Submit
\Windows\SysWOW64\Aeqabgoj.exe

Filesize
352KB

MD5
05be994a7431d43aa43931e9958f3892

SHA1
5db378088d99a651f1ca623270a1a05982158307

SHA256
fcbc36aa993012256d35f0ddd35db66ce84eb8587c973dab5a4d089f49efcedb

SHA512
3eb6c3ba82d0d0e8aab755dfead1b679bc5dd81a43f6774ec42d97be091de527220adcd38a682641fbab603db6430dedef020fa5f0b4596048fc94883c1bc930

Download Submit
\Windows\SysWOW64\Ajgpbj32.exe

Filesize
352KB

MD5
311dd27e09b662badbae0ec1f0746613

SHA1
75654f2bd348fa2e5d3656cbdc9c251fd9417879

SHA256
5c7c9ee82a8f903262e0410f3454ce4ef40a202b2b7cdf089126759af9f6103c

SHA512
272544f22ae5d198031c86b0a462ea9609b14b451445029da48e4df31b468ae484cb278293be4e61af757e7c67a7a7be0344c99ced03c56c038c282ee3f6026d

Download Submit
\Windows\SysWOW64\Akmjfn32.exe

Filesize
352KB

MD5
ac17e78cd0db28effa0f8f12232be802

SHA1
a8145c699f124450c3089129ef40a663eb076e36

SHA256
a08a778592e41f95e0f5b1d4df3a1eb03196da50eacb969efa36dc315b6cf9dc

SHA512
b8db8912c03ebc021172173ca9ea8a5b65af19ddfe32580a5ebfbbf074f8f2edef5dde5160a1aff36280c2475197d6653fb0de287d3d10f34957093b70db49a3

Download Submit
\Windows\SysWOW64\Amnfnfgg.exe

Filesize
352KB

MD5
d959df64017675118522b7307d2066e6

SHA1
2c6f5e92a1885f4fed2deb73831f8cae6531db50

SHA256
319905ee15e44aa47e2a0dfe2b12246ca0a3328d80442ae4047286405a7d5a8e

SHA512
18138a8df27457f11b996df53c9ca34654c09483dded265d4ad40e6876289c69613690a3cf973d28df55f590757c5f03282640c06377afe89fc74591f559fc12

Download Submit
\Windows\SysWOW64\Amqccfed.exe

Filesize
352KB

MD5
efd70610255e0996cbdf77bd67801112

SHA1
1194719c5cf19b9da44fdcb08bbdebae00e7d845

SHA256
f659a8437967262a5903edd52d1c28f16f96692f71bc9c69b552f85b50ac1f19

SHA512
05a715bb1a10c5e73d8a1a0b607890056504f71a3bbb58cde10539a0c5ca7073cddd77385fd645399bfd55d1e6ab3f67429ff56154684d8cc1ee2db26f22bd57

Download Submit
\Windows\SysWOW64\Apalea32.exe

Filesize
352KB

MD5
bff940345312ffa889229583e2678f57

SHA1
7f583d6dab04251f2bf4bec6f22aa45d786d69f3

SHA256
62d3f626dcfa6427264b54d0ca03db98c86c7c15a7b617bcc5eba284e240699f

SHA512
badd79db3e13a58e705f56a4cf596a93500e29a8fa521443464372dbd86df13932735b3e94df6dea0ec013c1951fdb7a8f10d6fa513ffd7319997111c87673ee

Download Submit
\Windows\SysWOW64\Biojif32.exe

Filesize
352KB

MD5
62eaf3689963de853c36f841d00c98c0

SHA1
8b175d546f3610c2d492b5cd7d411f3dcfe32f36

SHA256
72f7cd83f9062fe82ba60a08d90d19c49f6de7b4c449a664ecb6f44b65e5bd69

SHA512
972fe3c45d05b74aa44652a2cf71c611cdab4cd0833006938f2c97b94104651660b35dca4298ad005a026adb55179edc0530826589d9cc1059b491ea322d3789

Download Submit
\Windows\SysWOW64\Qbplbi32.exe

Filesize
352KB

MD5
faa66be3b29a94c488026bf12986cc5b

SHA1
0858d7774308b25f01d08d0b0e1e3a5e2d7fe111

SHA256
05d6456ba4f9aad39beb995bf4174405072b048d8e92a07f64e8486b475d9c3b

SHA512
d52ad15b4e5e300e3b05e907caef9ede3124beeaf5df3870764f330c77f29e9a90fc0dd6b865276f6e298113f7d8f21b624b44871946f3526ad499eff95d5332

Download Submit
\Windows\SysWOW64\Qgoapp32.exe

Filesize
352KB

MD5
01513c350ab76812acb4872aa9cf2631

SHA1
13e8cb59419324552fa0e3101b3466fa2fe448a7

SHA256
1bae0cad25890cdc0e7e1c31f99790fa9b586873ff7d6e8401d192b3a41af9dd

SHA512
c4f6a079a27e2cb5bd1162f0b1467cf915720d612dfacbc05b4f90c162ba4920c61bcc17b1aeb26022c8937b2c5a055ede0b8e49fdfbda1a0ab8c40cfce1952a

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
352KB

MD5
be35548b9fc1d3536da77d351f241ddd

SHA1
1b6e966f672def6092d358d6ee0cb4c062037fb8

SHA256
1f3c5d06c944931c357f2276c1a6ac445d7f35af4ccff1f1073f122ec24f99d1

SHA512
fab132ec83897d1d8a7af0f551af9e4c9cf1fc130d02e94e5562884bd7d15bf80c91e1fede42ac314967be34b189dd8ccf18975dd8a69f7990795e2ab59d8feb

Download Submit
memory/692-345-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/692-80-0x0000000000340000-0x0000000000376000-memory.dmp

Filesize
216KB

Download
memory/692-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/696-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/696-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/696-290-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/696-289-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/868-268-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/868-354-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1352-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1352-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1352-218-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1488-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1488-294-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1488-301-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1488-297-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1508-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1508-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1508-308-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1728-171-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/1728-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1728-163-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1748-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1748-135-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/1964-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1964-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1964-89-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1968-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1968-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1968-144-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2220-239-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/2220-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-108-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2292-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-161-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2308-259-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2308-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2380-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2380-117-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2380-109-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2480-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2480-204-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2480-203-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2480-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2492-189-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2492-343-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2492-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2544-279-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2544-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2544-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2544-278-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2548-246-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2548-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2548-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2636-35-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2636-348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2636-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-49-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2708-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-61-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2720-347-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-318-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2848-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-18-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2848-17-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2904-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-355-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-227-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/3036-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3052-331-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3052-332-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3052-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3052-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads