berbew | 6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
Size

72KB
MD5

b36187631c432d18ce668338a5a9f47b
SHA1

45f112a6c4cebacfb8b505101ebd9b5371e0dc36
SHA256

6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1
SHA512

3b9bca38d5838fb19d6405028962a8efb917b2756fdfcc2309664b806e489f9607b74c09e83108a9ef8ebb19cfdaa6d785b603df0cae94b11c1005c3aaabcb6d
SSDEEP

1536:Vcp+9C0xk5cO3dxu0HhIQbDkCHzYu0HJJAmCMoUYsIWkAMoUw8YEgsI0Qc4kAMok:Vcp+9CokCO3dxu0HhIUDP0HJ6xMoUYs6

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
2256	Ajpepm32.exe
1804	Aomnhd32.exe
2028	Aakjdo32.exe
2696	Akcomepg.exe
2832	Aficjnpm.exe
2844	Akfkbd32.exe
3068	Bkhhhd32.exe
1860	Bqeqqk32.exe
2752	Bkjdndjo.exe
832	Bniajoic.exe
1440	Bfdenafn.exe
2964	Bnknoogp.exe
2424	Bieopm32.exe
2212	Boogmgkl.exe
2244	Bkegah32.exe
768	Cfkloq32.exe
1720	Ckhdggom.exe
1556	Cepipm32.exe
308	Ckjamgmk.exe
3024	Cagienkb.exe
2480	Cgaaah32.exe
2328	Cjonncab.exe
2036	Cgcnghpl.exe
2688	Clojhf32.exe
2668	Ccjoli32.exe
2580	Cgfkmgnj.exe
2564	Dpapaj32.exe

Loads dropped DLL 57 IoCs

pid	Process
2312	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
2312	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
2256	Ajpepm32.exe
2256	Ajpepm32.exe
1804	Aomnhd32.exe
1804	Aomnhd32.exe
2028	Aakjdo32.exe
2028	Aakjdo32.exe
2696	Akcomepg.exe
2696	Akcomepg.exe
2832	Aficjnpm.exe
2832	Aficjnpm.exe
2844	Akfkbd32.exe
2844	Akfkbd32.exe
3068	Bkhhhd32.exe
3068	Bkhhhd32.exe
1860	Bqeqqk32.exe
1860	Bqeqqk32.exe
2752	Bkjdndjo.exe
2752	Bkjdndjo.exe
832	Bniajoic.exe
832	Bniajoic.exe
1440	Bfdenafn.exe
1440	Bfdenafn.exe
2964	Bnknoogp.exe
2964	Bnknoogp.exe
2424	Bieopm32.exe
2424	Bieopm32.exe
2212	Boogmgkl.exe
2212	Boogmgkl.exe
2244	Bkegah32.exe
2244	Bkegah32.exe
768	Cfkloq32.exe
768	Cfkloq32.exe
1720	Ckhdggom.exe
1720	Ckhdggom.exe
1556	Cepipm32.exe
1556	Cepipm32.exe
308	Ckjamgmk.exe
308	Ckjamgmk.exe
3024	Cagienkb.exe
3024	Cagienkb.exe
2480	Cgaaah32.exe
2480	Cgaaah32.exe
2328	Cjonncab.exe
2328	Cjonncab.exe
2036	Cgcnghpl.exe
2036	Cgcnghpl.exe
2688	Clojhf32.exe
2688	Clojhf32.exe
2668	Ccjoli32.exe
2668	Ccjoli32.exe
2580	Cgfkmgnj.exe
2580	Cgfkmgnj.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Opobfpee.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Akcomepg.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Binbknik.dll	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Akcomepg.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Akcomepg.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Aakjdo32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Hdaehcom.dll	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Akcomepg.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bkjdndjo.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2548	2564	WerFault.exe	57

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akcomepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpepm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2256	2312	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe	31
PID 2312 wrote to memory of 2256	2312	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe	31
PID 2312 wrote to memory of 2256	2312	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe	31
PID 2312 wrote to memory of 2256	2312	6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe	31
PID 2256 wrote to memory of 1804	2256	Ajpepm32.exe	32
PID 2256 wrote to memory of 1804	2256	Ajpepm32.exe	32
PID 2256 wrote to memory of 1804	2256	Ajpepm32.exe	32
PID 2256 wrote to memory of 1804	2256	Ajpepm32.exe	32
PID 1804 wrote to memory of 2028	1804	Aomnhd32.exe	33
PID 1804 wrote to memory of 2028	1804	Aomnhd32.exe	33
PID 1804 wrote to memory of 2028	1804	Aomnhd32.exe	33
PID 1804 wrote to memory of 2028	1804	Aomnhd32.exe	33
PID 2028 wrote to memory of 2696	2028	Aakjdo32.exe	34
PID 2028 wrote to memory of 2696	2028	Aakjdo32.exe	34
PID 2028 wrote to memory of 2696	2028	Aakjdo32.exe	34
PID 2028 wrote to memory of 2696	2028	Aakjdo32.exe	34
PID 2696 wrote to memory of 2832	2696	Akcomepg.exe	35
PID 2696 wrote to memory of 2832	2696	Akcomepg.exe	35
PID 2696 wrote to memory of 2832	2696	Akcomepg.exe	35
PID 2696 wrote to memory of 2832	2696	Akcomepg.exe	35
PID 2832 wrote to memory of 2844	2832	Aficjnpm.exe	36
PID 2832 wrote to memory of 2844	2832	Aficjnpm.exe	36
PID 2832 wrote to memory of 2844	2832	Aficjnpm.exe	36
PID 2832 wrote to memory of 2844	2832	Aficjnpm.exe	36
PID 2844 wrote to memory of 3068	2844	Akfkbd32.exe	37
PID 2844 wrote to memory of 3068	2844	Akfkbd32.exe	37
PID 2844 wrote to memory of 3068	2844	Akfkbd32.exe	37
PID 2844 wrote to memory of 3068	2844	Akfkbd32.exe	37
PID 3068 wrote to memory of 1860	3068	Bkhhhd32.exe	38
PID 3068 wrote to memory of 1860	3068	Bkhhhd32.exe	38
PID 3068 wrote to memory of 1860	3068	Bkhhhd32.exe	38
PID 3068 wrote to memory of 1860	3068	Bkhhhd32.exe	38
PID 1860 wrote to memory of 2752	1860	Bqeqqk32.exe	39
PID 1860 wrote to memory of 2752	1860	Bqeqqk32.exe	39
PID 1860 wrote to memory of 2752	1860	Bqeqqk32.exe	39
PID 1860 wrote to memory of 2752	1860	Bqeqqk32.exe	39
PID 2752 wrote to memory of 832	2752	Bkjdndjo.exe	40
PID 2752 wrote to memory of 832	2752	Bkjdndjo.exe	40
PID 2752 wrote to memory of 832	2752	Bkjdndjo.exe	40
PID 2752 wrote to memory of 832	2752	Bkjdndjo.exe	40
PID 832 wrote to memory of 1440	832	Bniajoic.exe	41
PID 832 wrote to memory of 1440	832	Bniajoic.exe	41
PID 832 wrote to memory of 1440	832	Bniajoic.exe	41
PID 832 wrote to memory of 1440	832	Bniajoic.exe	41
PID 1440 wrote to memory of 2964	1440	Bfdenafn.exe	42
PID 1440 wrote to memory of 2964	1440	Bfdenafn.exe	42
PID 1440 wrote to memory of 2964	1440	Bfdenafn.exe	42
PID 1440 wrote to memory of 2964	1440	Bfdenafn.exe	42
PID 2964 wrote to memory of 2424	2964	Bnknoogp.exe	43
PID 2964 wrote to memory of 2424	2964	Bnknoogp.exe	43
PID 2964 wrote to memory of 2424	2964	Bnknoogp.exe	43
PID 2964 wrote to memory of 2424	2964	Bnknoogp.exe	43
PID 2424 wrote to memory of 2212	2424	Bieopm32.exe	44
PID 2424 wrote to memory of 2212	2424	Bieopm32.exe	44
PID 2424 wrote to memory of 2212	2424	Bieopm32.exe	44
PID 2424 wrote to memory of 2212	2424	Bieopm32.exe	44
PID 2212 wrote to memory of 2244	2212	Boogmgkl.exe	45
PID 2212 wrote to memory of 2244	2212	Boogmgkl.exe	45
PID 2212 wrote to memory of 2244	2212	Boogmgkl.exe	45
PID 2212 wrote to memory of 2244	2212	Boogmgkl.exe	45
PID 2244 wrote to memory of 768	2244	Bkegah32.exe	46
PID 2244 wrote to memory of 768	2244	Bkegah32.exe	46
PID 2244 wrote to memory of 768	2244	Bkegah32.exe	46
PID 2244 wrote to memory of 768	2244	Bkegah32.exe	46

C:\Users\Admin\AppData\Local\Temp\6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe
"C:\Users\Admin\AppData\Local\Temp\6a55ce0833053d2c3e79805d50f6a666582cf148c86b05503160fb71773029e1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Ajpepm32.exe
  C:\Windows\system32\Ajpepm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\Aomnhd32.exe
    C:\Windows\system32\Aomnhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\Aakjdo32.exe
      C:\Windows\system32\Aakjdo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 144
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
72KB

MD5
95e557b68a3f602ef3e8fa9c515a192f

SHA1
e3021ed268aa21e5ed6c4d8910959e30d662697e

SHA256
9425378fde9a814c9c9d1682307a276eb142635fd7b8f3bd06c95251d7fbd908

SHA512
8c96a81c17d2af97b7307b23bf100d19174bcbd0d3ab46209980af090694a4185bb8b743cfdfd0d1aa0a129ff0a84b1181b2cf50e76f333f5747ebbeb91afdc1

Download Submit
C:\Windows\SysWOW64\Akcomepg.exe

Filesize
72KB

MD5
da2acd0f64c0cf961fee96ef6165edbd

SHA1
8ff16619208bfb36e1071ce48663edba2f54f385

SHA256
9adae195f6db63f4fe84de02b38962ec592a429ff269c317f0f02d85ed6b8d17

SHA512
ee31108cc0e93ba23ced7a75d82f930ddce5bcc04e3ce3e11b5ea617d9eb2577b82a0d073f248d0aaf8cf847610a84bf146fe0eb7e263bc064aa3fc59fafa99a

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
72KB

MD5
2d1328a37568abcdb6d8a06fc250c74e

SHA1
9dc80f599bb60b52cbf6d95a37de5aca6d74dcd8

SHA256
80d24f526b9fab9c04de74c0d65ce1fc5b337c64f3e5fdb1e4b9126286400d15

SHA512
74b497928db2469a9256a1b1e08fb0629bd72f43393fd72f7e3e5ae8500bcc0122f7a36780f695a7d56aec1cd504b3375189b972a8bfe659293bc97e33ace44d

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
72KB

MD5
50c1d8819a8e2de52c0b81200aa332d3

SHA1
752d3ce73d1ad5e635715fcbc3c931c774f28de3

SHA256
32161bbadf2b5dc9f95f9ac361e0056ade336de825f24f7c58c9e25ebf21f29f

SHA512
5ecfea13b566f953681fd028a6281df4d0ddbb75647d95309d793404b51c8d764d44421006dd2ef6556fc814188496130bc2bf521ae17b564992ad664d20a814

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
72KB

MD5
a5276b3ea807e7179257774d16d5c9ca

SHA1
29c19bc713d6e6b671701a8db9280a4fd4f46b17

SHA256
d20c156c41b9e920d184dd558ec423223891f78b91fde08f99a5726e20dbc9ee

SHA512
7f55efb045b4d3f2b4f7cf843906b7cc00feeb1bbf196b1d5465b190399c74189a21ae2c15a9469ba9a67788f5c16e2f426de2588f8d98d0945065de537e6607

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
72KB

MD5
b86488d75ffca97cd12cbd41cd8a9bab

SHA1
b9ad09920e26be9b8b45fbcbac04b408ab9a71a0

SHA256
cd0582a3245c74539662f85a36a8caad5fa7800ede1af1a9a31b95103e282232

SHA512
b6a7701cdf5765a3af3c34fd9c58246a74ad8edba6d182d2f20835b01779b601cf44e0fb73cab0ac545c92b134cd052ac35251d9f0b2f843f74b8706700b0696

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
72KB

MD5
1035b750beda27af20483739e52bd997

SHA1
923ad932c305ded63a808dfea9648c0ff85e23fd

SHA256
9145995af48bbd793f8e26f0a176d66e7ac7b8dd7649c67dfc2d20dd2d47a322

SHA512
faab5b1333e1afe96ef4cec9b12ec03e47e87db5d844f0edc41cae4feb282a28ce2400c69122e29b532369351235bb50ebfb21b84d30d695e38fdb472859c352

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
72KB

MD5
ebe8b170f08a30322777e4689ed541b8

SHA1
f27100c914865bf400f15e5b202fc0227b59e6a1

SHA256
4b83d21fd7ab88fce974319d8bf7027226853386611ad1ca87669beb3e7b2403

SHA512
27f539900a455f7e45377b42c0e91daf03c2f4eed88ffdf7762fd14e78455887d011a625f785e8a78bd64646afc180eef8d5bb1de8d9cac21400ee6630b146b6

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
72KB

MD5
0deeac075a4e120a54354038cfda2558

SHA1
0ea02f9c879ffd6c58ba926c2daab634ada6aa1c

SHA256
7a66943ea44082c5431e5e76bb7334e4dec9d079a34dc0254fe8c58873f65c75

SHA512
a3403cf3e2fd15d521306e3a917960957e6367ee1bb3c13091662e34b00d8db46a8f01b44007a8af874dc086455847b7506663cab5868771b47e1e921aa540fe

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
72KB

MD5
97472c9d0cef80cab71b84841c122d68

SHA1
4640b3a074d0a2e824825be6fb4de8988bf7b0b9

SHA256
76c7dc928dc615aa174022c529eed81530dce8a7313539659d7fb1149fe2df81

SHA512
6dd61613bfdddf184da0cdba55ddef71f1ac5019cd572124415cebc9ab383737163c76415010e883fd2e3dc5e8e8bbbb0aa98ab1aa42d152282b4cb962dc5154

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
72KB

MD5
a63d2f31c3f5fccd609c560aee2d4eaf

SHA1
930d078b9d7c180f03e37ead80cec12342ae9af4

SHA256
624273f3ed2f17ada60f313a51fb7392dcf8e8fb2bee3a206660d498b328cda2

SHA512
8395b59aa66e1826dbbc6201d2daff2fc43d35a734881e72a98656315f4e5f5e0a574e7073601773f005350260fab5f8153070f8b712ea36699719681dd5bf01

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
72KB

MD5
e1a78b1cbe7f4bbec355deed4d4f14a1

SHA1
502be5e8337274001328c65aae525035d2a43c22

SHA256
27caed3309864d9715df2cf2be710f5621e2154564bef95888e32a1f62276092

SHA512
fc551ae6a798db6efe8916bb928845e590351bc5e174f5b664d3cb9788ad5a689d0fc4e49ec3e361c9724db1c56ef68dd03e4f44907acb8d3a47f44a120e7164

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
72KB

MD5
1156ca0231e6f04b8c58580807556a64

SHA1
30a9ee94d9cded277b72c6c3b1db6386c39cd570

SHA256
83062eee7d41b115a640e395238ed99dab2b51930b2b3b83d692c08f066e2174

SHA512
78a73208a5965b600f37060547848e302e01197be7ffd79020674db78e51892a309460a2dced653a8609db7fe2cd08f95a7babc8275a4be56c0fb596812c4743

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
72KB

MD5
373b03658bcb8528918dea04c5fe014a

SHA1
8de5a523c613842f01555a5a9b3830c6150b2110

SHA256
4aacb03a90f7328c303ebecd278933a16217fc62f6ae17aa44dfc869ed920d55

SHA512
8ca4fe68645eba945fb1d69978603efe736cc60c864f9fc1cc9f7982cd4c1028b58ee5d6e37758c44647d72fcf7f12b53d1b8da11f86044d34fabddcaaf290ae

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
72KB

MD5
d8dbc2a2ed7c94027bcb25da5b99eacf

SHA1
b02b47a0eed1d777526ace10a96215e12b5eac04

SHA256
e8beaf3bd0c40a3fd1f5810b05c9ac25b910d7cdf92180795499fb3a84d9f6af

SHA512
c85725b71cda241dc9668e0ac2da35d9aa910bbb9e62f3407b94137492b06472d81fa39e2d9334ebee07f95bf35335dba76065f6c3eb584728b70ce9672690c1

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
72KB

MD5
6861e97f122a4d86e55f069484b8e4f2

SHA1
1ff78e75ec3103fee28e1b5e22c60dd344ae2d98

SHA256
357a58cacc30898a8f52a9779ef18266e5632ccc0f8fcc51971a85bb8dc1881f

SHA512
35a00464fac3406fdb58132050f08422d8b19061e84041ef71b8d1c4371cdeadb90cda3ba03afeb3a17fe8a5aee0fcf7aa0807a8d5daa7e846839d7a0b1bb746

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
72KB

MD5
c0d0fc07b337011972a883a328839ed2

SHA1
9fd8703caf4c34cc664cfb0561442676722dbf61

SHA256
dec24df17a6139c5439cdbdb1be9175a9e5df6627df404c9882d056657155bb7

SHA512
51647c10343232375a803601fa2ecfdb67fa25c99db7e5d58152308b884de8cbcf28df17b99ed3d5a0743babd6948effe4d39f710b8ae86cee0b45fd01cc3ab4

Download Submit
\Windows\SysWOW64\Aficjnpm.exe

Filesize
72KB

MD5
a01699b114ff721f523554b0145e8364

SHA1
8a4109147c9c685590be5deee15000a6b81a10e6

SHA256
75675689f88e7a5503d2c9b1a427c6419313e867802d80c3cdeecae955b91a1c

SHA512
5d9d4c223889aac0b7d7f2e68d3ced3a143670e101a8138f2dc37ac3917ea69fe09ad53df8de279c29dbe135e6dcb11bbaaab6460aa444810e135796ea6352fe

Download Submit
\Windows\SysWOW64\Ajpepm32.exe

Filesize
72KB

MD5
63dffe7a4c7a190a24743d0b3abe754c

SHA1
7ebe4a8d924063453adaa74ba6cf0ab155514bf3

SHA256
c9cec68e17574206b2d31d708f7f407fc2b01cc70c76fd5cbd077c0030d9c438

SHA512
ace0f6a52fc35e25c0ee11a42dd409d03a50d41f10fda61dd2518c122e1dbceb1e67448101b48fa7774e2684b0de324bde6dac2d02645220abb79d9b75ef1107

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
72KB

MD5
8ed283e25702b6617abbc3cfae5fcca0

SHA1
47ac41a716ee1fd9eb75e312b0539b0129483757

SHA256
3444bed99e73d3284eacb3f14e932570614639dfcfb605a38c7609507063f3c3

SHA512
e4f74d97fb8ef38980f8b1f8db2517c9dd092292ebd8e5f455158bcccfe6ef76accd8bb1ea0c7a65f1cf1e6c8ae9e4921f5395c9abfd87628aa849996718e46c

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
72KB

MD5
50fbca3511c1d09a316f3f84b7e47268

SHA1
b72376477bb3b1ad256e53b033eaf3890b7b91ea

SHA256
05a65bb0e8913342a6f779ddbeab85807cef9304eca21aec36465e2bcdac0982

SHA512
370b0bdb1ccfb9c13112724f789bd86c4ffa720f19d884f8e08c162f8cfd11de1b26964e3724bbecce62fdaae23b18af586ac72a3b1da9c5150fbb5f97bb0af6

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
72KB

MD5
4d14dbfe6a31d61f5c21f47b2e591c2d

SHA1
5f9372fb0761c99023915494936b3bc0b025e70d

SHA256
976a4075b9552032d977bda4da164ec86fbe8d3ce68823992c96a6a0dd4f2367

SHA512
25de10e9edea42de88e8d5054102ea337608ba39abd7530ad778a885d6147352b8c3fe215db6c99b568818009f42fd3c9558275cd86192bfb369e574fd274fa2

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
72KB

MD5
3429edd179ca8dad1f9155ef58ff80f8

SHA1
d0f5920e7a19076ae7aa262584ea4a9e4e2efd25

SHA256
d5899033bb384065c0c12c554bfda4cf9c751c1cb726fdd34f0af71a6a9dc9f3

SHA512
3df13f891d3eceeaa103f0ee4accbe6fed2aa53d1439aceab6dc21d16c8eb2dfa04a6aa45aaf52e650b31735c61673ce8d507079fbe9ed01d1fc7ba32e1fd735

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
72KB

MD5
178d964a52220528bbf536d0a561f78a

SHA1
22d79122a0fd3bf5c2d9eb87f833c4388bdb6069

SHA256
6925079c78a7a1d3c04b6d409cebfb6f21d97590280471c11f265e22ece56483

SHA512
90357e827b33f57a620616cb93d549273305d32b7e3a238dffa34e37786080a5877e37d05af3a8067c530651d854cf9e98cd3ccc3b5763faeaf072ad8fe99430

Download Submit
\Windows\SysWOW64\Bkjdndjo.exe

Filesize
72KB

MD5
5c37eea9944c68ff2642d5824ab9cebf

SHA1
be90573432436da6401b5d0eab0e3335b2e73a2c

SHA256
81936ce7b7df3a417a3f903af1cdfab26e0e5798e4e4e93bc26d61ef3415c2a9

SHA512
65f5869fe6fd387910eb4e904b85988bbf7202f9af10712a8eea4c5ddc4429be956ccbd6507021264cac1fe0f08d89a473d90addcb3e6de0c7d1eb8427e49e55

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
72KB

MD5
1150491a6ced64563b5318f481d9394a

SHA1
495ab532c955a62bf8829249fad60546dece4321

SHA256
f66fef8e606b643a69b36b590770dc7c439f9276db6d5e7c8ebd2716e5b0e84a

SHA512
820bec2420c3120d20bb04c792c7c7b84cffaa27deb86afd03464f7e06435b76f3177d4735a3cc4fa417bb0872b0b9e7918b26a6e4305f92c69ab37d816fc151

Download Submit
\Windows\SysWOW64\Bqeqqk32.exe

Filesize
72KB

MD5
ffbe767dadcf7a62d6e8197c9772028e

SHA1
e5612b5902e619f3904233ed340e7e3665628279

SHA256
c38a3bb1b894acf76114c08509315b82cfe6e9db81c859ad1d408a934afefbf7

SHA512
dea62e96c5ea9facb1e943c7939c274a8445809a2e7b1974ff78960d0fc920b32742151acb4307cd5cdb8db086b5730c239701eeecfeb347077deebf3e5395bd

Download Submit
memory/308-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/308-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/768-249-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/768-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/768-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-155-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/832-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-165-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-177-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1440-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-225-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1440-176-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1556-271-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1556-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-263-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1720-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-298-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1804-34-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/1804-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1804-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-124-0x0000000001F30000-0x0000000001F6C000-memory.dmp

Filesize
240KB

Download
memory/1860-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-324-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2036-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2212-211-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2212-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2212-220-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2212-269-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2244-285-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2244-239-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2244-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2256-75-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2256-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2256-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-11-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2328-350-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2328-349-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2328-318-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2328-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2424-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2424-253-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2424-209-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2424-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2424-208-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2480-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2564-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2564-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2580-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2580-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2580-358-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2668-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-68-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2696-63-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2696-126-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2752-190-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2752-145-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2752-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2832-143-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2832-82-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2832-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2832-86-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2832-131-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2844-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2844-95-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2844-102-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2844-147-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2844-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-188-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/3024-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-293-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/3068-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads