berbew | ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619d

Analysis

max time kernel
82s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Size

77KB
MD5

6bd4571de5d8e0a6b803318682314a10
SHA1

79f42cc0ffb23d77ac7876f51535bc86efe11512
SHA256

ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619d
SHA512

e3005a8a696e7e674c409ec770e9e18e710fca7d147985c3bd4aaad31e13055fd34ca22f80c711d217732fa22f84041b363c9b3a8b5cd4b0b2fbe697c06d359d
SSDEEP

1536:jFBiqydDWjdQ/fY17Eyr2HdS9H5QFpjGYu5//k4P:pYedvr2HdQsjsnkA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofaog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bodhjdcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfmqigba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaobmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdcofop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aejglo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphaglgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajdcofop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capdpcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Codeih32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beldao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biqfpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blaobmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphaglgo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beldao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmqigba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aejglo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bodhjdcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biqfpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cofaog32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
2944	Ajdcofop.exe
2952	Aankkqfl.exe
2832	Aejglo32.exe
2896	Beldao32.exe
2796	Bfmqigba.exe
2772	Bodhjdcc.exe
2764	Bpfebmia.exe
2476	Bhmmcjjd.exe
636	Binikb32.exe
2068	Bphaglgo.exe
2924	Bfbjdf32.exe
948	Biqfpb32.exe
2884	Bdfjnkne.exe
844	Bgdfjfmi.exe
1880	Blaobmkq.exe
2208	Cbkgog32.exe
2644	Ceickb32.exe
824	Chhpgn32.exe
2636	Cobhdhha.exe
2008	Capdpcge.exe
1788	Ciglaa32.exe
2228	Clfhml32.exe
1968	Codeih32.exe
1056	Cenmfbml.exe
2436	Cofaog32.exe
1576	Ceqjla32.exe
2964	Coindgbi.exe

Loads dropped DLL 54 IoCs

pid	Process
1464	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
1464	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
2944	Ajdcofop.exe
2944	Ajdcofop.exe
2952	Aankkqfl.exe
2952	Aankkqfl.exe
2832	Aejglo32.exe
2832	Aejglo32.exe
2896	Beldao32.exe
2896	Beldao32.exe
2796	Bfmqigba.exe
2796	Bfmqigba.exe
2772	Bodhjdcc.exe
2772	Bodhjdcc.exe
2764	Bpfebmia.exe
2764	Bpfebmia.exe
2476	Bhmmcjjd.exe
2476	Bhmmcjjd.exe
636	Binikb32.exe
636	Binikb32.exe
2068	Bphaglgo.exe
2068	Bphaglgo.exe
2924	Bfbjdf32.exe
2924	Bfbjdf32.exe
948	Biqfpb32.exe
948	Biqfpb32.exe
2884	Bdfjnkne.exe
2884	Bdfjnkne.exe
844	Bgdfjfmi.exe
844	Bgdfjfmi.exe
1880	Blaobmkq.exe
1880	Blaobmkq.exe
2208	Cbkgog32.exe
2208	Cbkgog32.exe
2644	Ceickb32.exe
2644	Ceickb32.exe
824	Chhpgn32.exe
824	Chhpgn32.exe
2636	Cobhdhha.exe
2636	Cobhdhha.exe
2008	Capdpcge.exe
2008	Capdpcge.exe
1788	Ciglaa32.exe
1788	Ciglaa32.exe
2228	Clfhml32.exe
2228	Clfhml32.exe
1968	Codeih32.exe
1968	Codeih32.exe
1056	Cenmfbml.exe
1056	Cenmfbml.exe
2436	Cofaog32.exe
2436	Cofaog32.exe
1576	Ceqjla32.exe
1576	Ceqjla32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ciglaa32.exe	Capdpcge.exe
File created	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File opened for modification	C:\Windows\SysWOW64\Aejglo32.exe	Aankkqfl.exe
File created	C:\Windows\SysWOW64\Bpfebmia.exe	Bodhjdcc.exe
File created	C:\Windows\SysWOW64\Jlmhimhb.dll	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Eajkip32.dll	Ceickb32.exe
File opened for modification	C:\Windows\SysWOW64\Bodhjdcc.exe	Bfmqigba.exe
File created	C:\Windows\SysWOW64\Bhmmcjjd.exe	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Biqfpb32.exe	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Cmfjgc32.dll	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Hkfggj32.dll	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Codeih32.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Knoegqbp.dll	Bfbjdf32.exe
File created	C:\Windows\SysWOW64\Jggdmb32.dll	Biqfpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Cobhdhha.exe	Chhpgn32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfebmia.exe	Bodhjdcc.exe
File created	C:\Windows\SysWOW64\Kpfdhgca.dll	Bhmmcjjd.exe
File opened for modification	C:\Windows\SysWOW64\Bfbjdf32.exe	Bphaglgo.exe
File created	C:\Windows\SysWOW64\Bkofkccd.dll	Bphaglgo.exe
File created	C:\Windows\SysWOW64\Ojeffiih.dll	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Bongfjgo.dll	Cbkgog32.exe
File opened for modification	C:\Windows\SysWOW64\Capdpcge.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Elnlcjph.dll	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Gfbejp32.dll	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
File created	C:\Windows\SysWOW64\Lpqafeln.dll	Bodhjdcc.exe
File opened for modification	C:\Windows\SysWOW64\Bhmmcjjd.exe	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Bphaglgo.exe	Binikb32.exe
File created	C:\Windows\SysWOW64\Bphaglgo.exe	Binikb32.exe
File created	C:\Windows\SysWOW64\Aankkqfl.exe	Ajdcofop.exe
File created	C:\Windows\SysWOW64\Eonkgg32.dll	Aejglo32.exe
File created	C:\Windows\SysWOW64\Bodhjdcc.exe	Bfmqigba.exe
File opened for modification	C:\Windows\SysWOW64\Binikb32.exe	Bhmmcjjd.exe
File created	C:\Windows\SysWOW64\Aohiimmp.dll	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Chhpgn32.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Hjlkkhne.dll	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Hlilhb32.dll	Codeih32.exe
File opened for modification	C:\Windows\SysWOW64\Clfhml32.exe	Ciglaa32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Befima32.dll	Aankkqfl.exe
File created	C:\Windows\SysWOW64\Binikb32.exe	Bhmmcjjd.exe
File created	C:\Windows\SysWOW64\Blaobmkq.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Clfhml32.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Bdfjnkne.exe	Biqfpb32.exe
File opened for modification	C:\Windows\SysWOW64\Blaobmkq.exe	Bgdfjfmi.exe
File opened for modification	C:\Windows\SysWOW64\Codeih32.exe	Clfhml32.exe
File opened for modification	C:\Windows\SysWOW64\Cofaog32.exe	Cenmfbml.exe
File opened for modification	C:\Windows\SysWOW64\Cenmfbml.exe	Codeih32.exe
File created	C:\Windows\SysWOW64\Cofaog32.exe	Cenmfbml.exe
File opened for modification	C:\Windows\SysWOW64\Ajdcofop.exe	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
File created	C:\Windows\SysWOW64\Llaqkn32.dll	Ajdcofop.exe
File created	C:\Windows\SysWOW64\Bfbjdf32.exe	Bphaglgo.exe
File created	C:\Windows\SysWOW64\Amljgema.dll	Clfhml32.exe
File created	C:\Windows\SysWOW64\Beldao32.exe	Aejglo32.exe
File opened for modification	C:\Windows\SysWOW64\Beldao32.exe	Aejglo32.exe
File created	C:\Windows\SysWOW64\Mokegi32.dll	Capdpcge.exe
File opened for modification	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File opened for modification	C:\Windows\SysWOW64\Aankkqfl.exe	Ajdcofop.exe
File opened for modification	C:\Windows\SysWOW64\Cbkgog32.exe	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Ciglaa32.exe	Capdpcge.exe
File created	C:\Windows\SysWOW64\Acdlnnal.dll	Bfmqigba.exe
File opened for modification	C:\Windows\SysWOW64\Biqfpb32.exe	Bfbjdf32.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aankkqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Codeih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clfhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenmfbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cofaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmqigba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmmcjjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfbjdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaobmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aejglo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphaglgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobhdhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdcofop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfebmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capdpcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binikb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biqfpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beldao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bodhjdcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqjla32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjagic.dll"	Binikb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll"	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfjgc32.dll"	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cofaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aankkqfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll"	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Capdpcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajdcofop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beldao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfmqigba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggdmb32.dll"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonkgg32.dll"	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqafeln.dll"	Bodhjdcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bodhjdcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkkhne.dll"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Codeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoegqbp.dll"	Bfbjdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Capdpcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bodhjdcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Binikb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhmmcjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaobmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbejp32.dll"	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajdcofop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkofkccd.dll"	Bphaglgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfggj32.dll"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djenbd32.dll"	Cofaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befima32.dll"	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aejglo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beldao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfmqigba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphaglgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll"	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaqkn32.dll"	Ajdcofop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll"	Beldao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlnnal.dll"	Bfmqigba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfbjdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cobhdhha.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2944	1464	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe	30
PID 1464 wrote to memory of 2944	1464	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe	30
PID 1464 wrote to memory of 2944	1464	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe	30
PID 1464 wrote to memory of 2944	1464	ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe	30
PID 2944 wrote to memory of 2952	2944	Ajdcofop.exe	31
PID 2944 wrote to memory of 2952	2944	Ajdcofop.exe	31
PID 2944 wrote to memory of 2952	2944	Ajdcofop.exe	31
PID 2944 wrote to memory of 2952	2944	Ajdcofop.exe	31
PID 2952 wrote to memory of 2832	2952	Aankkqfl.exe	32
PID 2952 wrote to memory of 2832	2952	Aankkqfl.exe	32
PID 2952 wrote to memory of 2832	2952	Aankkqfl.exe	32
PID 2952 wrote to memory of 2832	2952	Aankkqfl.exe	32
PID 2832 wrote to memory of 2896	2832	Aejglo32.exe	33
PID 2832 wrote to memory of 2896	2832	Aejglo32.exe	33
PID 2832 wrote to memory of 2896	2832	Aejglo32.exe	33
PID 2832 wrote to memory of 2896	2832	Aejglo32.exe	33
PID 2896 wrote to memory of 2796	2896	Beldao32.exe	34
PID 2896 wrote to memory of 2796	2896	Beldao32.exe	34
PID 2896 wrote to memory of 2796	2896	Beldao32.exe	34
PID 2896 wrote to memory of 2796	2896	Beldao32.exe	34
PID 2796 wrote to memory of 2772	2796	Bfmqigba.exe	35
PID 2796 wrote to memory of 2772	2796	Bfmqigba.exe	35
PID 2796 wrote to memory of 2772	2796	Bfmqigba.exe	35
PID 2796 wrote to memory of 2772	2796	Bfmqigba.exe	35
PID 2772 wrote to memory of 2764	2772	Bodhjdcc.exe	36
PID 2772 wrote to memory of 2764	2772	Bodhjdcc.exe	36
PID 2772 wrote to memory of 2764	2772	Bodhjdcc.exe	36
PID 2772 wrote to memory of 2764	2772	Bodhjdcc.exe	36
PID 2764 wrote to memory of 2476	2764	Bpfebmia.exe	37
PID 2764 wrote to memory of 2476	2764	Bpfebmia.exe	37
PID 2764 wrote to memory of 2476	2764	Bpfebmia.exe	37
PID 2764 wrote to memory of 2476	2764	Bpfebmia.exe	37
PID 2476 wrote to memory of 636	2476	Bhmmcjjd.exe	38
PID 2476 wrote to memory of 636	2476	Bhmmcjjd.exe	38
PID 2476 wrote to memory of 636	2476	Bhmmcjjd.exe	38
PID 2476 wrote to memory of 636	2476	Bhmmcjjd.exe	38
PID 636 wrote to memory of 2068	636	Binikb32.exe	39
PID 636 wrote to memory of 2068	636	Binikb32.exe	39
PID 636 wrote to memory of 2068	636	Binikb32.exe	39
PID 636 wrote to memory of 2068	636	Binikb32.exe	39
PID 2068 wrote to memory of 2924	2068	Bphaglgo.exe	40
PID 2068 wrote to memory of 2924	2068	Bphaglgo.exe	40
PID 2068 wrote to memory of 2924	2068	Bphaglgo.exe	40
PID 2068 wrote to memory of 2924	2068	Bphaglgo.exe	40
PID 2924 wrote to memory of 948	2924	Bfbjdf32.exe	41
PID 2924 wrote to memory of 948	2924	Bfbjdf32.exe	41
PID 2924 wrote to memory of 948	2924	Bfbjdf32.exe	41
PID 2924 wrote to memory of 948	2924	Bfbjdf32.exe	41
PID 948 wrote to memory of 2884	948	Biqfpb32.exe	42
PID 948 wrote to memory of 2884	948	Biqfpb32.exe	42
PID 948 wrote to memory of 2884	948	Biqfpb32.exe	42
PID 948 wrote to memory of 2884	948	Biqfpb32.exe	42
PID 2884 wrote to memory of 844	2884	Bdfjnkne.exe	43
PID 2884 wrote to memory of 844	2884	Bdfjnkne.exe	43
PID 2884 wrote to memory of 844	2884	Bdfjnkne.exe	43
PID 2884 wrote to memory of 844	2884	Bdfjnkne.exe	43
PID 844 wrote to memory of 1880	844	Bgdfjfmi.exe	44
PID 844 wrote to memory of 1880	844	Bgdfjfmi.exe	44
PID 844 wrote to memory of 1880	844	Bgdfjfmi.exe	44
PID 844 wrote to memory of 1880	844	Bgdfjfmi.exe	44
PID 1880 wrote to memory of 2208	1880	Blaobmkq.exe	45
PID 1880 wrote to memory of 2208	1880	Blaobmkq.exe	45
PID 1880 wrote to memory of 2208	1880	Blaobmkq.exe	45
PID 1880 wrote to memory of 2208	1880	Blaobmkq.exe	45

C:\Users\Admin\AppData\Local\Temp\ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe
"C:\Users\Admin\AppData\Local\Temp\ab29299b90748f794b6a6e0adbf3ff08046204b550688d31dd5f94301135619dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\Ajdcofop.exe
  C:\Windows\system32\Ajdcofop.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\Aankkqfl.exe
    C:\Windows\system32\Aankkqfl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\Aejglo32.exe
      C:\Windows\system32\Aejglo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Beldao32.exe
        
        C:\Windows\system32\Beldao32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\Bfmqigba.exe
        
        C:\Windows\system32\Bfmqigba.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Bodhjdcc.exe
        
        C:\Windows\system32\Bodhjdcc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Bpfebmia.exe
        
        C:\Windows\system32\Bpfebmia.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Bhmmcjjd.exe
        
        C:\Windows\system32\Bhmmcjjd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Binikb32.exe
        
        C:\Windows\system32\Binikb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Bphaglgo.exe
        
        C:\Windows\system32\Bphaglgo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Bfbjdf32.exe
        
        C:\Windows\system32\Bfbjdf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Biqfpb32.exe
        
        C:\Windows\system32\Biqfpb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Blaobmkq.exe
        
        C:\Windows\system32\Blaobmkq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Cbkgog32.exe
        
        C:\Windows\system32\Cbkgog32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Chhpgn32.exe
        
        C:\Windows\system32\Chhpgn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Cobhdhha.exe
        
        C:\Windows\system32\Cobhdhha.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Capdpcge.exe
        
        C:\Windows\system32\Capdpcge.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Clfhml32.exe
        
        C:\Windows\system32\Clfhml32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Codeih32.exe
        
        C:\Windows\system32\Codeih32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Cenmfbml.exe
        
        C:\Windows\system32\Cenmfbml.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Cofaog32.exe
        
        C:\Windows\system32\Cofaog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Ceqjla32.exe
        
        C:\Windows\system32\Ceqjla32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aankkqfl.exe

Filesize
77KB

MD5
709095ce092a8eed38a7b46a48f6b5fd

SHA1
6ea698ec64ad7e3af48a810b2090f18cb87fb638

SHA256
8c69e8377b64267e7825013a32e9c768db992bf0c65efa473d205d96eab95155

SHA512
e7a5ac310774521f4385f912c6c20f0dcdcf8f1e41d7dc2bc58aad76cd7be03e81fbf72cb52b68278393f7cb179c73b637563853b2fe02702363138bd6e7a0c4

Download Submit
C:\Windows\SysWOW64\Bphaglgo.exe

Filesize
77KB

MD5
19127f5f6bc9154ed3d6f4aad508c69c

SHA1
bd923439c2738fcc15266999f757a6b67c5e09d4

SHA256
c0a6ca3e287cfd50accbd98416aa86596e2baa1ea4f0cfd0a0beda5cda92d89e

SHA512
c4251f4aedd2b660b22a50b10356103fa1d75d0ce88844df50dac290bc329c8cc3d5915c9c270755038558dc52ccce0e2e8c318813f7754bfd89ae1e038c854e

Download Submit
C:\Windows\SysWOW64\Capdpcge.exe

Filesize
77KB

MD5
c862cde673527d490b1052aaa2ae9dd1

SHA1
3c810517bca3615235d6d461b616832bc87081f4

SHA256
2fdc78f2ab7f0c332e62a183ace822d80878989e31699617f30ec55789e70692

SHA512
5d583947d432b5e0497c134bc89bfadc2d50e0f6c7d1188bde8c7375300b3ddd85cd45e943ea942833347458a6bbf5ecbf408f388c2b86cbada19a682ec4cef8

Download Submit
C:\Windows\SysWOW64\Cbkgog32.exe

Filesize
77KB

MD5
9793cf0e6ab3811d07d60b7ed3297482

SHA1
9a92072d5bcf33cb6c3d79569c8776096d185771

SHA256
539e273250a73f6fc7927340963913888763d560c34f1518bff861d7a450a3a3

SHA512
2fca99b56b0fc1ebb596de4cc064ec1073195f5ef80dc453d3329ddee42c85dd42f93fc951752c47a979d8c7dbaf4c99842248dc9685aa171fb9fd4a54a63d9d

Download Submit
C:\Windows\SysWOW64\Ceickb32.exe

Filesize
77KB

MD5
e4dc1bf054124f59628747eaa40d2043

SHA1
0e0663b2d640a6324d4aeb4e2080151cbff8f740

SHA256
0745ff2847bf45fdd9e0466d0587e4047dd33608696da80e66a31486d8eaf58b

SHA512
8795f2e58540c72cb41a5b990feda8533e9e75e1add4812bcc0b0a5b294e6e57da9efe89ddfb45ee4325dd99554c0f93104f0908b66726068919ea270c2b77d9

Download Submit
C:\Windows\SysWOW64\Cenmfbml.exe

Filesize
77KB

MD5
732ab55740989bd04ba3bc08af527bc1

SHA1
e98e75b593690f88f537388de3642f78270ad012

SHA256
2f745c112f89fea8097e68bc2fc13e18647bd7526011a7004fdcb236050f29e6

SHA512
684555914beffade56aa4649814eb7baa2d12efa4ff3e2056e66ab1adcdb34433cb7e8b1b9a36d491ed0edbdb5106dcf27920751fca5fd224b5917371c93f581

Download Submit
C:\Windows\SysWOW64\Ceqjla32.exe

Filesize
77KB

MD5
adb39868648f556d72681c0a6677d0e3

SHA1
90fc4259366c17782aa3ab4705859b1e91d5053b

SHA256
e8d86882bd4345cc1ff45d060b5290453c269324af6fd953e0963b731ae09a2c

SHA512
6eaeaf6cef3c66d1de1592b7133d6b1b234f1c4e4b52d98553458dda11b75c0002d74041e2ed01e815f7476e1e7a9672239ee25ce2074bccd48a54df0a1d93de

Download Submit
C:\Windows\SysWOW64\Chhpgn32.exe

Filesize
77KB

MD5
6a87d4613297ee3d48a6fab60e08ac12

SHA1
3237bfecc6a47c310286163ceaaaf4a7f4141c5f

SHA256
47dcbcb12de0867372bbb48b6c4d2a27f6117872a0628091cd9b3cddd1942d1b

SHA512
3af2a85edaacd7adee6d6092fcd9842caa2f3c3229ce675485e4e87d3b499019a0e7032f63e2ee8947f13a7a7e16a741c8fd33abe65c6dbc7fb98aa5ed468a80

Download Submit
C:\Windows\SysWOW64\Ciglaa32.exe

Filesize
77KB

MD5
cb8224d50fc1ad51c44446edaba8b969

SHA1
942543688fbddd99178723fd96e3b2ba808d37d5

SHA256
b0b46141a8fd053cf446331e1fdd90fcc107c74dbbd22bc67e1d79049be0995a

SHA512
ce02f6fb8eb566ad89f348b881fdc7bf3d8d052a9a42d333b7f470850b981a63e09607510e701b8ffdb40bbc3f56d6f9d4eb72da47bdab98f56b013e38616986

Download Submit
C:\Windows\SysWOW64\Clfhml32.exe

Filesize
77KB

MD5
5b5624733cfbe4bcc20321aee180ed05

SHA1
fdfd79d38e5d2f52227bc7cf842e26a650e343b1

SHA256
2955b0d53183f1b4b907c341cda6f34e646d0b2ee164baa652d8fc29bd00af92

SHA512
a0dfea0bf9ee47425f502d6d2f4a1a85cb2e20bf177ca0b77c56eab90eb263fbefbcdd507135612e40d05acaa13872a52a3a9bce4ad74c7a3274bf5fb6e2b6a8

Download Submit
C:\Windows\SysWOW64\Cobhdhha.exe

Filesize
77KB

MD5
f685be686489aec976ce45035033943e

SHA1
12cc249c9fa2fda2b85f35018ca4c407c626bf03

SHA256
2a27eb74ecf7173f95ad9343e929984007bbc1a65e5f86db33f2081a7326cc35

SHA512
c9fa38a9ae53778dc0b4d8f7224c23713aaed6497ba3563c1cab8f953fdbedd9bfe4b13e28a84e12793820dfe7d66cd798b4f0b19c08c48e18e8d68df0f303be

Download Submit
C:\Windows\SysWOW64\Codeih32.exe

Filesize
77KB

MD5
0e392fdf8e882d404c58e7c6081990d9

SHA1
70b6716eafc139870728e38dc44316b08120a7f8

SHA256
dcdee0341b37c6af7a65cf6b670de5cd99c0f7860a270d49f5fe8d3f7097a90f

SHA512
22b14c8e8d8b66483300b763f22de3be5ba2ba1eda86c542e3f3ac82f449d547e1ce43e05ccac7ecf0314ab633cd3cdc13850d8592e75a18409b275657a11046

Download Submit
C:\Windows\SysWOW64\Cofaog32.exe

Filesize
77KB

MD5
f35dee889e5e4778443e6b7a38f132ba

SHA1
2696dee98b068dcb9ffaa5781cd87845bc3c29ac

SHA256
6f543329032df0bb9c09386d45338d260583c693c9c805ec7301c6ed96cf4be6

SHA512
cfccfd823f821680ad5b981e9821c55c5891b8707ecefcf0f87733b8d081deb126b7c541e7061f82ab7c9c6496781fa41e916a9ce2c911c3d0677fb74c5cd1aa

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
77KB

MD5
a0de58227bc99865fb7f980c5b5fea04

SHA1
b41f7abb3067321cc58b56461298471f9dead09f

SHA256
51fd2c58ca011961054a01bc38de44f2f186b989e30b0325190d54b479b3f981

SHA512
977b5f1b92249c5fb1cccf4df516c1467bc7b703129e6df1a5d72eb49ff01289508354257c15066efb6fea18396fc8d318af289f9bd3cf19260287ba42784e95

Download Submit
C:\Windows\SysWOW64\Nalmek32.dll

Filesize
7KB

MD5
939021ed6f0e8f4cbebcfd8cf6550984

SHA1
b5ccde1e38595973e4f8d38e7901316afccb2271

SHA256
2e80a9dce3ab3bc70dbe62337acf35547966828d7fef0ef227187a37a04a0c6c

SHA512
09c2e39e39ecb3b77416dc9425150f7f2e24d9f67035f40b997b42e35a1f16eac29b13fc435c2b3fff13d9e725554ee227680946612ee7b8c6626ff2594f428d

Download Submit
\Windows\SysWOW64\Aejglo32.exe

Filesize
77KB

MD5
3e0be8831c5fb8094f1e3a64317afc46

SHA1
dd8a67c206767961e41cdd18e00bf73f4fed17f3

SHA256
2adb959d95e91d59606be3cf76c2faf2ac2beac618e847ea0ef32e654e5d2491

SHA512
43f2186e24b788dd03971aef28908a8436fb11cddc8d517f951320a853bd9248994580ee61eee16f46c682b514be537a87a021ad8131246ab00e472159307635

Download Submit
\Windows\SysWOW64\Ajdcofop.exe

Filesize
77KB

MD5
8784e3529758b01b0f14cb94b9458d26

SHA1
250638ae2bcb59024c6f221977dbdc62157d1e79

SHA256
88eb353f6e31fc25182a4b586daf2d863a7e0257b727b45b25724b95153be7b8

SHA512
eca3b52836e26ace0c39b5c56939b3cbd755b413c7f116d32e48fb7ed82cd04cc3263ae0c9224f8fbb2acf575e9960c1a1bb11639cf2b871385b836150d4f014

Download Submit
\Windows\SysWOW64\Bdfjnkne.exe

Filesize
77KB

MD5
bd82b83ba73ff96ab587f731fb19c2b3

SHA1
6c8202241da3eaab50ef3d0eba43c97e23db4607

SHA256
5aafefe6603b4605027a0ead678ee68c0f04475222685c679fef23557fbc02e7

SHA512
d581e6262b4cf1da3f970a9fb74c9265e2e9c81a4cc53f4431a1060e6cf43819d3393d72d21424a072a2bf9799cdd6bbc2954649222113712e2ecb94957a1a51

Download Submit
\Windows\SysWOW64\Beldao32.exe

Filesize
77KB

MD5
806055e92ca29281ce5ac335e3d1efdc

SHA1
3985e4dc94af901aee8bc5d8dd21419bc73b19d8

SHA256
d55ff4919715e9fe2e2c5fc9c2ee863d72633a251cef631823bb17e3f74ee835

SHA512
47df033faa584c654652bb0abddf277062dd7fafc564e84e5f6d994881dbee30d1a6780958f31a8c3b424a8fd90b716c02854a492909bea61a68225c5b2e0665

Download Submit
\Windows\SysWOW64\Bfbjdf32.exe

Filesize
77KB

MD5
6a8099cdbf1cf6587b420de165061051

SHA1
14324342d87384edb5805115e5cd6c2cb9d2b523

SHA256
6c877836695b25308921a791f1d03e58519c5498c053e46c75caf091290da58b

SHA512
d010fc51f371e5a4cfa3399bb3bb2e1461a4ada6635a07fcf1a78f1ae85d0c9c3bbd1ff1c1b21ac57c386832df588904e8778895299f9e73b11d37e67e518a97

Download Submit
\Windows\SysWOW64\Bfmqigba.exe

Filesize
77KB

MD5
f86fa476d74acb5e3093b70a7e5f95d6

SHA1
c784993d3341d536facd2f824b7904aa0cd11320

SHA256
8bbe8dfb928b0c394a374f1eaf39658e4a6618ec98128604c31290d8d4b7f56b

SHA512
77a1c2cd914ce54825bfc81ce2c2fe1d1fcef18c09c29351625c02df02d13203e220778c1127e91b591b55797d50ee258b5c5c4ef1e22e5278d016709028d2df

Download Submit
\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
77KB

MD5
d2264227e81c499f30b16b40d78ba826

SHA1
608a5d65812a3f63a64985628291c7a0d664e588

SHA256
76ff79535e3ac55aba9b5a9a3c56fd7264062a64a1446302bba18303a1a7211b

SHA512
6ea4a9942d94f537fe59c08ed015cd4a7f15bdd49205ec2cdad79ae2cce5df74086758dc334f1ca9f3ede7d1aa7ea79974a96a8976fe3fd29174b5a8468cde84

Download Submit
\Windows\SysWOW64\Bhmmcjjd.exe

Filesize
77KB

MD5
ca16c12bbe37d4b5c39b650cb7e086ee

SHA1
2b3d6237e571d8597e951fe873cf3bccf262e4b8

SHA256
8e77f3c51b06ee7de53db68b328d7cff46c6d3349f1d3a4a98e12d2ce35d19b8

SHA512
3f093a015204fba0bfe5a4a07fecf9aa44fe3ffb93e7851805a8e0203dd271a2a31ff469fa25d5dfcab405bfc269c4c51d4bdfe2aceb9fd0f9d7fdd2e64f482f

Download Submit
\Windows\SysWOW64\Binikb32.exe

Filesize
77KB

MD5
9bd1363869992d61456f0877d89d15c0

SHA1
2b6b66d91f3607b2416394c16e847661069b5ac3

SHA256
28af896787e9bf7c3e24559cf87d4572750b83413ce7f920699169cb9d4e446d

SHA512
d480d9f2309caea38fd9c7af2c8f0a52da7bdcb78ae43ac2560b27cab01f1a3bfab3c8f30a1943ed7abbbf0bc5ca28bc5ab90c2624f5daabe54d10162293e78b

Download Submit
\Windows\SysWOW64\Biqfpb32.exe

Filesize
77KB

MD5
c2ff9df8328fe6b6f8112206e6b269cd

SHA1
7fd4ade82fd91cafa8039712e5302da41936f505

SHA256
4493eac73ff8443abe012c00da6ff3516e671f5df6cee2f8919fe01fe57b8317

SHA512
fa7ecf35a995413871525c03f6e2888da57ff4297ea1afe57800ebebc13ed6ba45b92956318fdf7e57cea34b184776ecb42f240793e89946cacb302810684356

Download Submit
\Windows\SysWOW64\Blaobmkq.exe

Filesize
77KB

MD5
694b0988363f3a476dde2ce21aa4a0c8

SHA1
1de2cee612a13f7790a915973d15b3ea6157ca29

SHA256
e89aca874c6008f480b973f31071664a5fd401052c645374bf6d3333739b796c

SHA512
a2f98107ee1dc40227a9a5b95e9dcce5eae34b25d80c8f3a17f87951a5cdc7f8042fe7e575ec8e7b4c564d5f633bfa1a35212726b696413bdb428075c24ebf2f

Download Submit
\Windows\SysWOW64\Bodhjdcc.exe

Filesize
77KB

MD5
29605aca28e7f8ca9c73ff38f8bbc101

SHA1
7ad1e6aeb0e3d4efe8d22e93cbf9e7f9f5a0194a

SHA256
ab6a3533c35e82dc04e778a5e200d02f9c4d4dd92f5ee3ccb5237906e75264db

SHA512
6f522dffae3b4a82a9e76482f64b7dd4dd271bf7c452194a70e10be059742cbe95733fb504f620ebbbb92284efa5289a3bc7d7553ab71a165cf3e1a39a5c6cc2

Download Submit
\Windows\SysWOW64\Bpfebmia.exe

Filesize
77KB

MD5
8fd354c6c20467956a986747d558bbf5

SHA1
65c431cd77fff6272aec1577f709e44b95cb5262

SHA256
8fdb2dfd4f943fa462b7e16acecc1b3f56c20a3576bf840ba2e97543fc685a81

SHA512
4856a75f02b7c142743d46c199dd8a09a094aa863a7fd4966a62b475d370009caaf0014f5ffd7af719b02d6ea1eba9e0eee370978b1c70dcbc7a0b3982b4c705

Download Submit
memory/636-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/824-238-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/824-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/824-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-194-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/844-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-166-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/948-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1056-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1056-300-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1056-304-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1056-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-329-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1464-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-13-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1464-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-12-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1576-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1576-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1576-322-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1576-326-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1788-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-270-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1788-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-271-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1880-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-293-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1968-292-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2008-257-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2008-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-140-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2068-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-219-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2228-282-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2228-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-278-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2228-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-314-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2436-315-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2476-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-113-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2476-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-87-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2772-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-333-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2884-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-335-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2896-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-154-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2944-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-40-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2952-34-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2952-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads