berbew | 7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999cc

Analysis

max time kernel
87s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
Size

376KB
MD5

b3e28fa0f45a54e44ce9cd0974ae8c10
SHA1

f2a594be921e40e6b976f1d059eed7dd33e153ca
SHA256

7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999cc
SHA512

c290414f5cd3557e0cd2fdf653ec8b3fe4b26c60883e06dcde5484c1f4b0a292d5b689b8efbc2eed061e1709eb3cfba7f008ebc4638be399fbe100bb9b192c8e
SSDEEP

6144:mk0VedFC7oQ0IV/Atl/AtW1OE43V1+25CzRoQ0Ibl4HdE43V1+2D:x0Vh50I2mi4lCzb0IF4n

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pohhna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 26 IoCs

pid	Process
1052	Pohhna32.exe
2712	Pebpkk32.exe
2728	Pgfjhcge.exe
2916	Pifbjn32.exe
2876	Qcogbdkg.exe
2704	Alihaioe.exe
2992	Agolnbok.exe
1676	Alnalh32.exe
2260	Achjibcl.exe
320	Aficjnpm.exe
1708	Ahgofi32.exe
1772	Adnpkjde.exe
2200	Bhjlli32.exe
2356	Bkhhhd32.exe
816	Bqgmfkhg.exe
992	Bqlfaj32.exe
2144	Bcjcme32.exe
1752	Ciihklpj.exe
888	Ckhdggom.exe
2216	Cepipm32.exe
3028	Cgoelh32.exe
2252	Cjonncab.exe
2488	Cbffoabe.exe
1756	Cnmfdb32.exe
1160	Calcpm32.exe
1592	Dpapaj32.exe

Loads dropped DLL 55 IoCs

pid	Process
2616	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
2616	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
1052	Pohhna32.exe
1052	Pohhna32.exe
2712	Pebpkk32.exe
2712	Pebpkk32.exe
2728	Pgfjhcge.exe
2728	Pgfjhcge.exe
2916	Pifbjn32.exe
2916	Pifbjn32.exe
2876	Qcogbdkg.exe
2876	Qcogbdkg.exe
2704	Alihaioe.exe
2704	Alihaioe.exe
2992	Agolnbok.exe
2992	Agolnbok.exe
1676	Alnalh32.exe
1676	Alnalh32.exe
2260	Achjibcl.exe
2260	Achjibcl.exe
320	Aficjnpm.exe
320	Aficjnpm.exe
1708	Ahgofi32.exe
1708	Ahgofi32.exe
1772	Adnpkjde.exe
1772	Adnpkjde.exe
2200	Bhjlli32.exe
2200	Bhjlli32.exe
2356	Bkhhhd32.exe
2356	Bkhhhd32.exe
816	Bqgmfkhg.exe
816	Bqgmfkhg.exe
992	Bqlfaj32.exe
992	Bqlfaj32.exe
2144	Bcjcme32.exe
2144	Bcjcme32.exe
1752	Ciihklpj.exe
1752	Ciihklpj.exe
888	Ckhdggom.exe
888	Ckhdggom.exe
2216	Cepipm32.exe
2216	Cepipm32.exe
3028	Cgoelh32.exe
3028	Cgoelh32.exe
2252	Cjonncab.exe
2252	Cjonncab.exe
2488	Cbffoabe.exe
2488	Cbffoabe.exe
1756	Cnmfdb32.exe
1756	Cnmfdb32.exe
1160	Calcpm32.exe
1160	Calcpm32.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Pohhna32.exe	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	Pifbjn32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Agolnbok.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Pifbjn32.exe	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Ahgofi32.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Qqmfpqmc.dll	Pohhna32.exe
File opened for modification	C:\Windows\SysWOW64\Agolnbok.exe	Alihaioe.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Mlbakl32.dll	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	Pifbjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qcogbdkg.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Dicdjqhf.dll	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Pohhna32.exe	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
File created	C:\Windows\SysWOW64\Eibkmp32.dll	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Ahgofi32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Bhjlli32.exe
File opened for modification	C:\Windows\SysWOW64\Pebpkk32.exe	Pohhna32.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Agolnbok.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Agolnbok.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Alnalh32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Ekndacia.dll	Alihaioe.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Ahgofi32.exe
File opened for modification	C:\Windows\SysWOW64\Pifbjn32.exe	Pgfjhcge.exe
File opened for modification	C:\Windows\SysWOW64\Qcogbdkg.exe	Pifbjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Adnpkjde.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	1592	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll"	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agolnbok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1052	2616	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe	31
PID 2616 wrote to memory of 1052	2616	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe	31
PID 2616 wrote to memory of 1052	2616	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe	31
PID 2616 wrote to memory of 1052	2616	7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe	31
PID 1052 wrote to memory of 2712	1052	Pohhna32.exe	32
PID 1052 wrote to memory of 2712	1052	Pohhna32.exe	32
PID 1052 wrote to memory of 2712	1052	Pohhna32.exe	32
PID 1052 wrote to memory of 2712	1052	Pohhna32.exe	32
PID 2712 wrote to memory of 2728	2712	Pebpkk32.exe	33
PID 2712 wrote to memory of 2728	2712	Pebpkk32.exe	33
PID 2712 wrote to memory of 2728	2712	Pebpkk32.exe	33
PID 2712 wrote to memory of 2728	2712	Pebpkk32.exe	33
PID 2728 wrote to memory of 2916	2728	Pgfjhcge.exe	34
PID 2728 wrote to memory of 2916	2728	Pgfjhcge.exe	34
PID 2728 wrote to memory of 2916	2728	Pgfjhcge.exe	34
PID 2728 wrote to memory of 2916	2728	Pgfjhcge.exe	34
PID 2916 wrote to memory of 2876	2916	Pifbjn32.exe	35
PID 2916 wrote to memory of 2876	2916	Pifbjn32.exe	35
PID 2916 wrote to memory of 2876	2916	Pifbjn32.exe	35
PID 2916 wrote to memory of 2876	2916	Pifbjn32.exe	35
PID 2876 wrote to memory of 2704	2876	Qcogbdkg.exe	36
PID 2876 wrote to memory of 2704	2876	Qcogbdkg.exe	36
PID 2876 wrote to memory of 2704	2876	Qcogbdkg.exe	36
PID 2876 wrote to memory of 2704	2876	Qcogbdkg.exe	36
PID 2704 wrote to memory of 2992	2704	Alihaioe.exe	37
PID 2704 wrote to memory of 2992	2704	Alihaioe.exe	37
PID 2704 wrote to memory of 2992	2704	Alihaioe.exe	37
PID 2704 wrote to memory of 2992	2704	Alihaioe.exe	37
PID 2992 wrote to memory of 1676	2992	Agolnbok.exe	38
PID 2992 wrote to memory of 1676	2992	Agolnbok.exe	38
PID 2992 wrote to memory of 1676	2992	Agolnbok.exe	38
PID 2992 wrote to memory of 1676	2992	Agolnbok.exe	38
PID 1676 wrote to memory of 2260	1676	Alnalh32.exe	39
PID 1676 wrote to memory of 2260	1676	Alnalh32.exe	39
PID 1676 wrote to memory of 2260	1676	Alnalh32.exe	39
PID 1676 wrote to memory of 2260	1676	Alnalh32.exe	39
PID 2260 wrote to memory of 320	2260	Achjibcl.exe	40
PID 2260 wrote to memory of 320	2260	Achjibcl.exe	40
PID 2260 wrote to memory of 320	2260	Achjibcl.exe	40
PID 2260 wrote to memory of 320	2260	Achjibcl.exe	40
PID 320 wrote to memory of 1708	320	Aficjnpm.exe	41
PID 320 wrote to memory of 1708	320	Aficjnpm.exe	41
PID 320 wrote to memory of 1708	320	Aficjnpm.exe	41
PID 320 wrote to memory of 1708	320	Aficjnpm.exe	41
PID 1708 wrote to memory of 1772	1708	Ahgofi32.exe	42
PID 1708 wrote to memory of 1772	1708	Ahgofi32.exe	42
PID 1708 wrote to memory of 1772	1708	Ahgofi32.exe	42
PID 1708 wrote to memory of 1772	1708	Ahgofi32.exe	42
PID 1772 wrote to memory of 2200	1772	Adnpkjde.exe	43
PID 1772 wrote to memory of 2200	1772	Adnpkjde.exe	43
PID 1772 wrote to memory of 2200	1772	Adnpkjde.exe	43
PID 1772 wrote to memory of 2200	1772	Adnpkjde.exe	43
PID 2200 wrote to memory of 2356	2200	Bhjlli32.exe	44
PID 2200 wrote to memory of 2356	2200	Bhjlli32.exe	44
PID 2200 wrote to memory of 2356	2200	Bhjlli32.exe	44
PID 2200 wrote to memory of 2356	2200	Bhjlli32.exe	44
PID 2356 wrote to memory of 816	2356	Bkhhhd32.exe	45
PID 2356 wrote to memory of 816	2356	Bkhhhd32.exe	45
PID 2356 wrote to memory of 816	2356	Bkhhhd32.exe	45
PID 2356 wrote to memory of 816	2356	Bkhhhd32.exe	45
PID 816 wrote to memory of 992	816	Bqgmfkhg.exe	46
PID 816 wrote to memory of 992	816	Bqgmfkhg.exe	46
PID 816 wrote to memory of 992	816	Bqgmfkhg.exe	46
PID 816 wrote to memory of 992	816	Bqgmfkhg.exe	46

C:\Users\Admin\AppData\Local\Temp\7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe
"C:\Users\Admin\AppData\Local\Temp\7dea377e36bbc19e9a77a2d1279c122f0cbeaa00ad4128edd1b1ea71aee999ccN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\Pohhna32.exe
  C:\Windows\system32\Pohhna32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\Pebpkk32.exe
    C:\Windows\system32\Pebpkk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Pgfjhcge.exe
      C:\Windows\system32\Pgfjhcge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 144
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
376KB

MD5
189e7499833c2ba5d5243fecbce7d21a

SHA1
5b4e2240ec29363af9db3a573371bd8933963874

SHA256
d5adf360b7a5dcd67b7b57af45da361f21eaae17476a3d5cd857152dcf62f85b

SHA512
689d92bcb262c6bc847f3b851ee7ef0a9df1263248ec22b1c487268b4108123caa4c981dad7f8feadab75fb517a4f38d02a603a6003d109b6a241de0aa9ba0a5

Download Submit
C:\Windows\SysWOW64\Agolnbok.exe

Filesize
376KB

MD5
037be81ac3e8e5559dc91bc4ce2d406c

SHA1
239a97f3408688acea6a10de3eac23269c9b7c08

SHA256
145fbfbceb2d25079f02fd448da8e44fc60e30e4114bf137e791f082eeab60cd

SHA512
3be1ef1c1354135cd072df64bd4cf5e4c35bdeb4dfdbcaa2bd8c5609388b4cbd8d4e8c8be71a9d60bacf3954a4a0fc6d5c36bdb606245c853a7af06ac2f1eabf

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
376KB

MD5
b71820f45a59de45f269ef380d8aa415

SHA1
f98b520de9f1954f57812c33983ed7e64cb1c060

SHA256
3eb02d6e2c6b6c9808731622198159a75dcd0d15576a146d28deff807dc418ea

SHA512
3d7f9777d372276fc7ac8f17377de25d4884e7aa1e19300e84878eb8abcbaed71102cc54a81171a6d06cf480cc026e64f6c09e9df61e6f3c43051a408caadea6

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
376KB

MD5
364416bcad6bd9ab8ab2edceac59272b

SHA1
26afdfa0ac2285f89987d3bf88ca225c98b20479

SHA256
1d47959671162c74777f5f557cf4ed598346a854211874a04988d50c50fa5e7f

SHA512
b755856695cd68bd4a1cad43b9d994360dd7f78a86709d9a986e983fc1754600f8ab852f4d7c184c9be8987cbecbd375737c45acfbf3789fbb300d4c5a51979d

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
376KB

MD5
d5062bb4c420c3361e5823c496f521a3

SHA1
a054063b49ccedcf2507d08ec3dbc300fcc14786

SHA256
97250a514de9b3bac9a18f8c5947be29287fcac4cb8ec6e24f940f8e8e3d7f14

SHA512
001189cde35bf3c8fbb05dbf7c0254bb0ea93a141759a98b74da7b964ecf4cc2490e523f3396c96374e7f5a235ae5dcdebc527cd1e3be4b4a1293036832ab799

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
376KB

MD5
e58f9a547c93cef171d1857d3b1b2098

SHA1
43cb3810da6c970ca29774fb6c10d53e998ae366

SHA256
16a5524bd567364d3429523042e9742ca704bb565f538a6cc4f1ff17805a6ca3

SHA512
5495aaa808bf43062ea53f9002341c2be6eab6643feb76f096578cf89337814e654de525963477f410eedbd6bb7d3f40c87d95b2a425ffb576ae2f844deb4932

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
376KB

MD5
f671ab5ecd8f1e72d9d3a86cfe2ddb7a

SHA1
643446ef5b28c3f923862b3670489809a6b87fe0

SHA256
abf6ddc4883d0784ed23b74a574df718ce44073ac2d7c1f73fdb1fcefd0d6991

SHA512
5b2cf8c1234b524ad6496939129aa106fb464bb4ddc0c3d7c39d5942f22f6194f81d1c69d3ee7d963188047055f499d9d78eb26091f16731a3a5a76631e5402f

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
376KB

MD5
9f22f4eddb67b574b31126b02911a17d

SHA1
5a0ed8f21e5aeb4328d709e9b8b4f7e15a546865

SHA256
28abafabd441e0eeccde168a90ce1874719087f472963a56fdf91bb7d4946b88

SHA512
67a404fe153c62e256deea90ef9af115b5666db7c0c77165ab8b96ce8acefdc8e3f86ebdeb8b656bfeaf5df25e6e782f572ad8f497f06956fd1e0757182f83f7

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
376KB

MD5
92de60374180fceb973528c038c4b408

SHA1
63ef71752cb32bc9d30a0e3e286c872d9cfd193b

SHA256
b66efbd60e75b26e5e09a4581900ff454a54008f860c045e1695b1e01c3ba6ca

SHA512
e5438c2b36697e1ca739b1c785af4b915eb0abb8783ee1bcb2f72056ae0cf23ef91cfe558a5f11f820e987a0b25d27de11d9fbc950bfeeab3290a2bf485a45c1

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
376KB

MD5
7a36ba1e0e3294977bf0466fd5a14d7d

SHA1
4c5c8717c85633b4bd3bb4c46d9de53d695e2eac

SHA256
150492d4458d798b90906b4c0b1ae534cf4e63cae64f02ab14340931b7674eda

SHA512
6c0e51b2400b5cb7919625e9bbaa5e1157c1d683204c5ce822089bd325523351ce018c0654d26e7ec189c2d918fdc1b4c1008fb813f425ef4d33772c96fd37c7

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
376KB

MD5
4875a704e9171d393a2c95821671e701

SHA1
7e6329358c4a83de596d2e03b775b964c5ed52ff

SHA256
855dce67638fdcd3ed957222790be1ac07090751fee619cfb992efabc6bc5a74

SHA512
ca659c79f0dcc21a28c9964429b4984681d4a96f56503c9f1f5b4e39efa86020f27c0ae12533300255d0aaba63e9221e5b5903647b9073bb559ad4e2ac9a8489

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
376KB

MD5
bfd59e1350f969eaa926687bbfa99b4b

SHA1
0106d932042bed256dca5e0e3364ba83a4c805af

SHA256
9569991017591eaecc64e6f6c95dbf4b3e53654a055d9ab6265a9efcfeadcb76

SHA512
a0ebc604ea57f51a4c1a335fceba47710c583240b3a89ce950a2dea17ca3a10e4a81dffc3ab89486fbfa53c1c82e425f3a35b974851c32e4e62a5e95d37f1704

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
376KB

MD5
a26ca499e22f3d83e7d958d6b87476eb

SHA1
6c85d43c45c8e5c937836169ee98b5bde68b1ba7

SHA256
f4bd8259342e626245810e4e83d621736835609323ed1966cbe0cdf097dd2e28

SHA512
ff4a4c7d803510f09d1ad8e77441bc99b739e7afc07c47725dcd694439d77de63e29c7d97f83e8bd00f4674927b6181e4e4b864d1ce2b16118554ce576e1b204

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
376KB

MD5
a765f22b34b901ab884e73f69a95a3c3

SHA1
c7ce0aa59b8b79cd65fb7adbff5db8575182e3e9

SHA256
3d3822bbd5c3d4800e321540ab434504f671dccb6530c0751b40afe8b7e789c4

SHA512
d59eef751da9cb216ddcbcbf92ce7b10668ec05fde404409e849e81d5a458644d67c57c379b32d6ef58f15784449d786d78a47f5d48feba1c878aacb2feba979

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
376KB

MD5
795f3c31709d76341f7fd3c81222dfd1

SHA1
00bf779ac63549b6d287143f16a2dc966ae94e78

SHA256
38c115cb7bcfb525ad8baca208a0695236abf6ca27bf035a2f9a9a17e541704c

SHA512
c47b5f78e9b3f1b414389555c222425aab9da67f7b61258fe129d6dcfc27bdd7a91ba982d43fc871a923ee29490c16a912d9bdf42c2f407567cb5dc79355a7da

Download Submit
C:\Windows\SysWOW64\Pgfjhcge.exe

Filesize
376KB

MD5
baab07a2bf2e55d3af64d1f7c8ac6be4

SHA1
43955db26c508fd288239e9f3bf64a68ee3707f2

SHA256
6a7ec614cc8c3e34c6bd54d4532046cc5adc63deb13b48e9d5c57d5180972af7

SHA512
efea7a5823e342767c0b7f8b7839f06743667872a620ee7d3a9173562fa3a151b724c196cb6d8e80e3982724d5d711684b344cab34b7d3548ca196a065ca0b11

Download Submit
C:\Windows\SysWOW64\Pohhna32.exe

Filesize
376KB

MD5
a7f4cf1352083172feaf79caa902ba19

SHA1
f2194d4aad1c170803f42f603553a644e1067723

SHA256
6554e81434202150e1769d428a53e9baeaa6bae429f892c0e0b1d5ff04595a30

SHA512
74ba6a530aabb04e652bb9afdc977acce708179edbc3def8dc6963f57b24014197bd41041812aab3d1622c18f7d61af0e0a2df98c799b2a465416a35df23fa93

Download Submit
C:\Windows\SysWOW64\Qcogbdkg.exe

Filesize
376KB

MD5
f47959502145a9283f996c817fb486f3

SHA1
f98e18a180e81e66c4682ad5a256580bd2115aad

SHA256
0fee2260b6262c9e6c95c1f3ee7b8fdebbbe4af6450885de9a813bbdfdfdb52c

SHA512
e85e5057c1ce49b9e96d193344884a08c231adc40f3bf77434ed719705b77987f31a8ced2f9a109235cf6c3669f798af35491119cdace3178135d59d88fee732

Download Submit
\Windows\SysWOW64\Achjibcl.exe

Filesize
376KB

MD5
f041f77aad1305cbef80aec65ef06a01

SHA1
88ab146f3a54d7570e7da360cd19ccf3e7adbfe6

SHA256
0a622da117dd91d07155e4b36095786a751ca32eb2eb732de13bc879407887fc

SHA512
5dccbc1a91ba80fd96dd813f79dd7893169130effdd95c69d30f38b34643ed07f67646c590fc6bb3a4aa16eddfffd06dd716d8712d6afb16bad1e9061f8f07a9

Download Submit
\Windows\SysWOW64\Aficjnpm.exe

Filesize
376KB

MD5
d39aa3c07ebfb2a9009407a1bb0a3725

SHA1
0715686c48dd3dc296d7114d95989a01c601504a

SHA256
f4e03ab69e861e973437c57cc4c685bd82c6e709356c17ccb38f955c7ca44ba9

SHA512
1e6b1bcd5489b8f1457fce6364a818a35a1ba71f88416f2ffc96e793b7640c1e6362d1d37de57c9ff91ca9d061428ee14708db58aa03cbddc23d526af3694082

Download Submit
\Windows\SysWOW64\Alihaioe.exe

Filesize
376KB

MD5
0fd8f63da5975e63ba731c743848d980

SHA1
92553565117e446b8056b3f4b29b3d72ad101248

SHA256
da57629c6d9a331850fd608f8fdb8889fa869c50a68256666a7d9f6d16d91cee

SHA512
d38593cbe9e034fd709731450c3119dbfc494d640bc49fd4eb0c2070cab3231ea0f620f140f6eab86e86db96ccced5ac4312fe16ded2f0b44fd16b23a98faca8

Download Submit
\Windows\SysWOW64\Alnalh32.exe

Filesize
376KB

MD5
2d5b675f1133fff83c04a61d074f8fba

SHA1
ff027f6c2587186b9f185d8729b95bce709dee9b

SHA256
7a34ac40b2e7dd782e9be75d79269ef7300a52eb49d65d995d28dd921a207504

SHA512
5444f15907782dfa0fbedf69c49ccf7384ea58b765a0fa73d60f05ec695a53aba565458a71dce74e0a05d4b88fff19e02a50778c864e44aead1f21c0a1bc28e8

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
376KB

MD5
f9d34145e8afaf60b513967a2649c9ab

SHA1
399c8831892ba2c671dc80830190aa1f7225c25c

SHA256
2976f9c4cf5fe5c8292e9c20dc7dc5545f38078fc042e37ad82c9d5338b3ed1e

SHA512
56dec927d91fecc5908d0ce07a49d06598bfedd246f69116e901c8d6bbddc66bc9a9b15f9b19175275d02432eaca1afb291f1569fdaca777e03e0116e01d3081

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
376KB

MD5
fb302e7566f3c4705ed6156fefb9683a

SHA1
f239134b5e36cfc6b61bc5304174a487d60235dc

SHA256
81abf82228e2dd35facbc3ac83ef68539d53c893bceb0159f2bc3d2e544f7c09

SHA512
63f85450bec0f13421f37d35ba198fe60c7490adaf6396de705ce651184439b4033899398b3430e0f7cbce54bc65b769b4a740ae15962e1f8e989aa8c4214477

Download Submit
\Windows\SysWOW64\Pebpkk32.exe

Filesize
376KB

MD5
c62818770159b60dc8514bda321ae0e2

SHA1
b94f2a7af8b8f495ebd54a7fb11811153c2e5c80

SHA256
27581ffa2346b6ffa1aedc394cb29a925a4fa18c91ff7f728fb71a0ea4f84cc5

SHA512
b3dcb5ccf7d6b88e6be5dc04c0935521029ad9bdc72b438ed5b6826180bb03d3cde1210b88ae5baaddf95951d1340a242bdf3a70be6755ae3b5448e68767d5c3

Download Submit
\Windows\SysWOW64\Pifbjn32.exe

Filesize
376KB

MD5
3b9fb80e8b4fecbdeb2b9d4ed192b29f

SHA1
85814911cc7d3510273dd47e51d845d26d4cbc41

SHA256
dc9d19ea39640e7be81e2466e0a5ec46e6f60f83d26bf0be3b309504cbf58c41

SHA512
93d5a4f80fefe8fc9f72b6991b207c68d51206ef908ab1528f88cd977703b209fb1f65700fb069babecbb929b8d092c2af892d6cfe2d06ec8b5c3402c49af5c3

Download Submit
memory/320-141-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/320-359-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/816-369-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/816-216-0x0000000000370000-0x00000000003CE000-memory.dmp

Filesize
376KB

Download
memory/816-204-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/888-373-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/888-258-0x0000000000310000-0x000000000036E000-memory.dmp

Filesize
376KB

Download
memory/992-357-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/992-222-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/992-228-0x0000000000320000-0x000000000037E000-memory.dmp

Filesize
376KB

Download
memory/1052-22-0x0000000000250000-0x00000000002AE000-memory.dmp

Filesize
376KB

Download
memory/1052-28-0x0000000000250000-0x00000000002AE000-memory.dmp

Filesize
376KB

Download
memory/1052-376-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1052-19-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1160-328-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1160-310-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1160-331-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1160-319-0x0000000000290000-0x00000000002EE000-memory.dmp

Filesize
376KB

Download
memory/1592-330-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1592-332-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1592-322-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1676-364-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1676-111-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1708-163-0x0000000000460000-0x00000000004BE000-memory.dmp

Filesize
376KB

Download
memory/1708-367-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1708-149-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1752-335-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1752-333-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1752-248-0x0000000000290000-0x00000000002EE000-memory.dmp

Filesize
376KB

Download
memory/1752-243-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1752-249-0x0000000000290000-0x00000000002EE000-memory.dmp

Filesize
376KB

Download
memory/1756-308-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1756-323-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1756-309-0x00000000002F0000-0x000000000034E000-memory.dmp

Filesize
376KB

Download
memory/1756-325-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1772-358-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2144-336-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2144-229-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2144-238-0x0000000000360000-0x00000000003BE000-memory.dmp

Filesize
376KB

Download
memory/2200-375-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2200-188-0x0000000000310000-0x000000000036E000-memory.dmp

Filesize
376KB

Download
memory/2200-187-0x0000000000310000-0x000000000036E000-memory.dmp

Filesize
376KB

Download
memory/2216-362-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2216-269-0x0000000000250000-0x00000000002AE000-memory.dmp

Filesize
376KB

Download
memory/2216-259-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2216-265-0x0000000000250000-0x00000000002AE000-memory.dmp

Filesize
376KB

Download
memory/2252-289-0x0000000000320000-0x000000000037E000-memory.dmp

Filesize
376KB

Download
memory/2252-285-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2252-327-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2252-329-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2260-368-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2260-123-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2356-363-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2356-189-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2356-202-0x0000000000250000-0x00000000002AE000-memory.dmp

Filesize
376KB

Download
memory/2356-197-0x0000000000250000-0x00000000002AE000-memory.dmp

Filesize
376KB

Download
memory/2488-290-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2488-299-0x0000000000460000-0x00000000004BE000-memory.dmp

Filesize
376KB

Download
memory/2488-326-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2488-324-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2616-361-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2616-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2616-12-0x0000000000330000-0x000000000038E000-memory.dmp

Filesize
376KB

Download
memory/2616-13-0x0000000000330000-0x000000000038E000-memory.dmp

Filesize
376KB

Download
memory/2704-365-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2704-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2712-360-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2712-40-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2728-49-0x0000000001F90000-0x0000000001FEE000-memory.dmp

Filesize
376KB

Download
memory/2728-374-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2728-42-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2876-70-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2876-82-0x0000000000310000-0x000000000036E000-memory.dmp

Filesize
376KB

Download
memory/2876-370-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2916-69-0x0000000000290000-0x00000000002EE000-memory.dmp

Filesize
376KB

Download
memory/2916-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2916-366-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2992-97-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2992-372-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3028-279-0x0000000000250000-0x00000000002AE000-memory.dmp

Filesize
376KB

Download
memory/3028-371-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3028-270-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads