berbew | 5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
Size

194KB
MD5

f5f243f1c618171696524f64aae7f105
SHA1

393a6ddbac0354a71443b0917fda82630c7c0abc
SHA256

5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99
SHA512

b5ffbc7791dbf811699ade7a87448f87aafa511ba5d394aee03b169e225212d1066a4c5ac1c0857f02cebddf0dcf2f9f2beac58fb8575d40e15c9a354b588e29
SSDEEP

1536:9xPPHVFr6Oh3JQ28raReb0lZatMIM/5/KEatMIGuatMIc/zT4a5GV:D9FWmB8WgymMIM/kEmMIGumMIc/1GV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 42 IoCs

pid	Process
1476	Qqfmde32.exe
4360	Qceiaa32.exe
3260	Qjoankoi.exe
2476	Qddfkd32.exe
3924	Ajanck32.exe
4160	Ampkof32.exe
4456	Aqkgpedc.exe
2996	Ambgef32.exe
3176	Aclpap32.exe
1352	Amddjegd.exe
4172	Afmhck32.exe
1336	Amgapeea.exe
3056	Aglemn32.exe
3116	Anfmjhmd.exe
2440	Accfbokl.exe
1012	Bjmnoi32.exe
5096	Bebblb32.exe
4868	Bjokdipf.exe
2364	Bnkgeg32.exe
1624	Bffkij32.exe
5012	Balpgb32.exe
3792	Beglgani.exe
4656	Bjddphlq.exe
2900	Beihma32.exe
3096	Belebq32.exe
4596	Cndikf32.exe
4332	Cjkjpgfi.exe
3644	Chokikeb.exe
516	Cdfkolkf.exe
3312	Cnnlaehj.exe
2828	Dhfajjoj.exe
1708	Dmcibama.exe
936	Dhhnpjmh.exe
4492	Djgjlelk.exe
1416	Dmefhako.exe
640	Dkifae32.exe
4248	Daconoae.exe
864	Ddakjkqi.exe
2820	Dmjocp32.exe
3156	Dddhpjof.exe
2684	Dhocqigp.exe
2188	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2436	2188	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1476	1964	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe	82
PID 1964 wrote to memory of 1476	1964	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe	82
PID 1964 wrote to memory of 1476	1964	5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe	82
PID 1476 wrote to memory of 4360	1476	Qqfmde32.exe	83
PID 1476 wrote to memory of 4360	1476	Qqfmde32.exe	83
PID 1476 wrote to memory of 4360	1476	Qqfmde32.exe	83
PID 4360 wrote to memory of 3260	4360	Qceiaa32.exe	84
PID 4360 wrote to memory of 3260	4360	Qceiaa32.exe	84
PID 4360 wrote to memory of 3260	4360	Qceiaa32.exe	84
PID 3260 wrote to memory of 2476	3260	Qjoankoi.exe	85
PID 3260 wrote to memory of 2476	3260	Qjoankoi.exe	85
PID 3260 wrote to memory of 2476	3260	Qjoankoi.exe	85
PID 2476 wrote to memory of 3924	2476	Qddfkd32.exe	86
PID 2476 wrote to memory of 3924	2476	Qddfkd32.exe	86
PID 2476 wrote to memory of 3924	2476	Qddfkd32.exe	86
PID 3924 wrote to memory of 4160	3924	Ajanck32.exe	87
PID 3924 wrote to memory of 4160	3924	Ajanck32.exe	87
PID 3924 wrote to memory of 4160	3924	Ajanck32.exe	87
PID 4160 wrote to memory of 4456	4160	Ampkof32.exe	88
PID 4160 wrote to memory of 4456	4160	Ampkof32.exe	88
PID 4160 wrote to memory of 4456	4160	Ampkof32.exe	88
PID 4456 wrote to memory of 2996	4456	Aqkgpedc.exe	89
PID 4456 wrote to memory of 2996	4456	Aqkgpedc.exe	89
PID 4456 wrote to memory of 2996	4456	Aqkgpedc.exe	89
PID 2996 wrote to memory of 3176	2996	Ambgef32.exe	90
PID 2996 wrote to memory of 3176	2996	Ambgef32.exe	90
PID 2996 wrote to memory of 3176	2996	Ambgef32.exe	90
PID 3176 wrote to memory of 1352	3176	Aclpap32.exe	91
PID 3176 wrote to memory of 1352	3176	Aclpap32.exe	91
PID 3176 wrote to memory of 1352	3176	Aclpap32.exe	91
PID 1352 wrote to memory of 4172	1352	Amddjegd.exe	92
PID 1352 wrote to memory of 4172	1352	Amddjegd.exe	92
PID 1352 wrote to memory of 4172	1352	Amddjegd.exe	92
PID 4172 wrote to memory of 1336	4172	Afmhck32.exe	93
PID 4172 wrote to memory of 1336	4172	Afmhck32.exe	93
PID 4172 wrote to memory of 1336	4172	Afmhck32.exe	93
PID 1336 wrote to memory of 3056	1336	Amgapeea.exe	94
PID 1336 wrote to memory of 3056	1336	Amgapeea.exe	94
PID 1336 wrote to memory of 3056	1336	Amgapeea.exe	94
PID 3056 wrote to memory of 3116	3056	Aglemn32.exe	95
PID 3056 wrote to memory of 3116	3056	Aglemn32.exe	95
PID 3056 wrote to memory of 3116	3056	Aglemn32.exe	95
PID 3116 wrote to memory of 2440	3116	Anfmjhmd.exe	96
PID 3116 wrote to memory of 2440	3116	Anfmjhmd.exe	96
PID 3116 wrote to memory of 2440	3116	Anfmjhmd.exe	96
PID 2440 wrote to memory of 1012	2440	Accfbokl.exe	97
PID 2440 wrote to memory of 1012	2440	Accfbokl.exe	97
PID 2440 wrote to memory of 1012	2440	Accfbokl.exe	97
PID 1012 wrote to memory of 5096	1012	Bjmnoi32.exe	98
PID 1012 wrote to memory of 5096	1012	Bjmnoi32.exe	98
PID 1012 wrote to memory of 5096	1012	Bjmnoi32.exe	98
PID 5096 wrote to memory of 4868	5096	Bebblb32.exe	99
PID 5096 wrote to memory of 4868	5096	Bebblb32.exe	99
PID 5096 wrote to memory of 4868	5096	Bebblb32.exe	99
PID 4868 wrote to memory of 2364	4868	Bjokdipf.exe	100
PID 4868 wrote to memory of 2364	4868	Bjokdipf.exe	100
PID 4868 wrote to memory of 2364	4868	Bjokdipf.exe	100
PID 2364 wrote to memory of 1624	2364	Bnkgeg32.exe	101
PID 2364 wrote to memory of 1624	2364	Bnkgeg32.exe	101
PID 2364 wrote to memory of 1624	2364	Bnkgeg32.exe	101
PID 1624 wrote to memory of 5012	1624	Bffkij32.exe	102
PID 1624 wrote to memory of 5012	1624	Bffkij32.exe	102
PID 1624 wrote to memory of 5012	1624	Bffkij32.exe	102
PID 5012 wrote to memory of 3792	5012	Balpgb32.exe	103

C:\Users\Admin\AppData\Local\Temp\5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe
"C:\Users\Admin\AppData\Local\Temp\5eddf040ebafe2c04e3fbf2d43372cd01b8f7033072de0ecc108e055fde11f99.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\Qqfmde32.exe
  C:\Windows\system32\Qqfmde32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\Qceiaa32.exe
    C:\Windows\system32\Qceiaa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\SysWOW64\Qjoankoi.exe
      C:\Windows\system32\Qjoankoi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 408
        44⤵
        Program crash
        
        PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2188 -ip 2188
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
194KB

MD5
0a73eaa6ee1a04315ecd6fbe306a7332

SHA1
3438de00e1c2c36b2304d73e36b494a4f79dca39

SHA256
b1e8c1150e9462e1b38c2a6e2b9268e1d477c556036856962576f83dad8fa958

SHA512
85a840d4c7bbb0e14fc1015f3f0c6a5c3fc81c4257c455825c51b64c4d33061b3c5799919cd7906a2bb2548168743623f219db6b10fc6148a1f398429d15b597

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
194KB

MD5
4882cc25cf70ab2f917ff14cb4e28dc7

SHA1
a81864cb2d59bf8eefa89550933d103c2f1c1de4

SHA256
5b4e0f58967557cc7981d7848303a6939d9809555723428040b878672af69f31

SHA512
9896f6d1a1f2ef996f05a52e1d491c6de0c64d7041fe5a5ba5c3b6167b999e51acba4f204b2bd6029ffc0e49672bb78b9dbb63667730a085ace14e6ebb7656f7

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
194KB

MD5
b38f2618bc9ab836e0d94969570e1770

SHA1
2e2d879cb81bbe18285d7813a35911b23bcfd21d

SHA256
7517f67d673075e9ce3c00c278f2ed263348cac4bee2958f0fc5c5ecf83bbae0

SHA512
fea171709427a095f511da61e32254423433cfe4f2e18081f62b3e4e1c5d2e84220d535a7d3e5c1bdd20f0d08182b3a3d2448a41c2165888b64e07106e608564

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
194KB

MD5
4f946d74b9722ff35c3162a997a991de

SHA1
67e004ac7b2e4ddc5be7f2711b5a5eabedfb03ec

SHA256
7a58e5dbf2fe657c1b09f311ff017647f28462e85d1df39bfb7df288e3d3b30c

SHA512
81e8a9643eaae71abfe21dc0cb88d84102d54c9f9b1f18fa78e6fe57bcb3c0ec5c03fd5b7fe54077c7725a1f6c15cd98387e9280977d21bf50755d4d36aa1277

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
194KB

MD5
a92eb9e5caa955f774f07ac01e4fb3b6

SHA1
0fcaa3de927b81e0c0326d35efa19daeba35a417

SHA256
18a2a441d9bcc3d853ca93720386f121baaad5a6e4c90eb73d84df246de7ff08

SHA512
83c9e5a046f477c5c973239ec4325e0bdb98d7d6c3c87f0e502f71e76c7e661acc9884d3aae21742b87e9f95615b4ef79f0c322e3e2b34a957f85d11fbc9bd90

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
192KB

MD5
54256a6776528a8b763f6e0ed9c03ffe

SHA1
4b63a1b036ee977b6fae2510106c041153314c0e

SHA256
9f8c990eb20ae96ee597d935acf99b4e03167463b2ceabbcf1369e7269f07623

SHA512
8da9a629fff917d29796783317eced77cc3c2f7a15ef31452984d7abb94990ac7c581bfc9db84736f5b32f6102196748b668701ebcec19cb33318e5a7ac4ed24

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
194KB

MD5
b8d8887c161043fd565682e3a930771c

SHA1
00bc093d41693502f08fb9ee3e020eb894326a42

SHA256
2c1a022abc43e1046818acab51faa2d0519cf71618ee7fd1e6f58e86cac54455

SHA512
1d4f4eb311e1f37499adea79a28fa38e94f4d40a311b8094f9426a1a4c1b83d54d153ae563a9336e1a1d4ce6622d0ea5a8fe66db7e3204359028a806ff1f48cc

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
194KB

MD5
ad94a57d9559015a967755445ac94e64

SHA1
2945401ed692222a4fda6e36a1ffc465c8c631fc

SHA256
65d4b781dc670bde2e9b1ccf16259095bd6fac3c30a0b751b4d3f6f048024811

SHA512
2b185013a89f28224d48f091f557a277975a72161cc378a8e94e50743ed9871dd4fe675bfcbf2c1d22547179791ffd324a4d2d784293edcff90262b6d271adb1

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
194KB

MD5
0916ff44ac7555aa9bed85776460bdf4

SHA1
80f6eaa63fba0638407a9cbd5718715b6d75f7be

SHA256
e7e5287911c8b6b39479f3102664a4bfb14d6f2381df9ccc4a43714324ed50f0

SHA512
9f6c6cf517b92f432e82af8364d2243a670d2912a5b256d9090071b9ec22b54ece1e445aba1bb6257385e5822b76b5fa5206155f095557a2d8abd9323f4b59ca

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
194KB

MD5
e2ef73744536de01f9305d2a329e96a5

SHA1
4a1c7dec0146a6b71098e116f9dac04dc4a35b47

SHA256
e70166c8f454984def31c7d49b69d16d244ae68572b7e0c6d30fb7bca785248b

SHA512
54a29e218ed9f9d251af534c08bb6d6dfaebcd2520b0b63f643cd33b9d87244f4616720828db185f11e4c85fb6c3ccd73cbeb7da8d701c464f932a5a9707ea12

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
194KB

MD5
3023f70ac9b711365c07a3d11ea953d0

SHA1
5bd06feea4f438c1103627ed4aa142fcb88a42a2

SHA256
27969f4fae3be524e8011049ee946a8501ce156668e4aa4a8ac9a60a429da52f

SHA512
ec08e9abfb216f4a495e08199440040a9f0801a9cddd40b73ac8a25c04a1b63d0729f8b4fe031690dd715c55aed7870139caececab75aa9008b98dc83ec41307

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
194KB

MD5
42cb4dd0cf61f7ddb1fb2f9d16fb53da

SHA1
ac94004836032d4755aacd6aa1a30e2c0a04578a

SHA256
c160deb7dccd91b8058f9c04c95c535bc9a6c6905be5c54a79368b2e062649ae

SHA512
7bcbb8fb18637bf5510387f5606d37c1c92224e203ec08b544b834e47259d4632e90249caf6433c031d3fb4261c4790c2a122d9dc5bf6f6d60efe189f162fd9f

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
194KB

MD5
255212945c35f79021257e0ded24981d

SHA1
dbb7169ab84ec666036e4cd80e940b10829793b3

SHA256
aa63af3cd5a0a81195144c75c830e216c21d694d335ec6e087446c5b9477a9d0

SHA512
565c778c41beb0bd47348e60afa4b132d9ea78284c2df7f9d3a6d61cd937534f2f309476d35905672323a4a90e2c975a87dec71f3dff115936bf567ae580126f

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
194KB

MD5
be02cb56a14ce7aefa6629dbc29a3dca

SHA1
c8eaca08e6904da67ebe97c7b32efa1dc55c2579

SHA256
ec6c826dbe6a89acc54246de7e98e2f17fbde38201d686f11012e3555be370be

SHA512
4c9c35722402a4fa8ee571504d947ff7ca42801947b0d0cca16380afe9e0a792137fd16ac414b2990a1e3ac8d205b539fb50a5a8b9e530161d26da2ad65f963d

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
194KB

MD5
4531f8b66755eea18290b401c2e2a2fa

SHA1
0068ebb991b589686301a9272c79782b5d1ff3a0

SHA256
ec6afb969828f98164f0905c2e467d677e797350a12adea59277dd85a38c7719

SHA512
386908b74d2af26336e52e22be70884b929b3ef55f9d5c0eecd6d836f71cb8ed93df4b465161ab9ad1b1a3ffc7c76d9c7720af2fbb8520351790b2458402b75c

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
194KB

MD5
768f22776b26e3821850fd2a5be00fd5

SHA1
2fae1b990e953171ebd8d2ef95c0e0208fe4238f

SHA256
ebd6e368043334589d33251fb2f3d07be4eda40628d2b3c8959529894bfdb06b

SHA512
1d7c8a0f06d6fabef8e09499df00abad034d052697117476abd52985c6493d8e521f0ddbf517199cb694b56f7acb9ffaf71a030848c12aa3229f54a5cb5d64fa

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
194KB

MD5
c8c1a360919f1b649a84ce4924c9b070

SHA1
8b312e4e8e28ebec2d8bf37a00bc11cc9ad13cc5

SHA256
067df512a89b558542e93d7fdbba5fa75db3eb07643a444116033e77ed90a13d

SHA512
0ec011831e63075b913c3f751fab50da985074d1f390ff19c371af6f1773042fbf97a281be1e413f6da662fdfcff0d431fa687165fbe99446cc7dd7d1290b220

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
194KB

MD5
cacd0c753476a3dc5f4b65a353404375

SHA1
0b048f5f299492d63e3629991a522e0868587bf3

SHA256
880f5ac1b1c9f1dfda1eaf1077540c66b405eca5d67a75935464ffa2eb2cbd26

SHA512
f02355ebb2d6d926e4ef7274b6c682100a94d6a2e0403ab44fc14a44c5aee36ced4b22d1fae604b1a5ce27affe76e2fe2db9042416fac27609b276ba5f3566f6

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
194KB

MD5
a6b85a92428b6cd2ecebe8090046eb4c

SHA1
5c64a5f2ba4048d07acd4043c43c1e3ee25a589c

SHA256
0b5d532e2fb92b38394561913e4e7b0f08c9ef837524e4fd641790b2b0149091

SHA512
00eb09a739c84054415e026d65478f83eb6fa9d9924763ab5a428c1242f81caed801fde28adcee37f27ea852c97d87364937d29ffdd354e028de249c16d9315b

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
194KB

MD5
96dfead15caa60836fe759c9e867cc8d

SHA1
2f152f862cd2af60591b1c3a3492d3beeae74f4f

SHA256
98917fe07c86b6c4b63762dbbb8b53d2be0d103c3cd7b31cce6659fd0499f504

SHA512
1f00c77f5faf29f49a6d3b1d4494febfbc470fe2665484d73108c8264bfc990a40919971a28282016dad78a028ca342a59ad2d08698ed0f79e1aad5cc057fafa

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
194KB

MD5
db8a2f9cf0dad4d66d795f26cd475f6d

SHA1
873daed8c3fd6d80b002e4a5072f76dff3b06b1e

SHA256
a6d4d0dc72a81564c7747e9a952b2107342db6a80e1261c20ecca9f3ba2eb814

SHA512
e70c85ec3528e40ac727443e0782b29d347ea683f32f870950f72bcc1aae43e87871acd287e26ece0609817faa619138ee01c31238c63ab77d4dce92880b2f24

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
194KB

MD5
acde22dc79e745071a38523b02f90525

SHA1
0a8f3c30a591f0bb69ddaf955eaac49a9b095581

SHA256
d5acd27d50e6348d6e1beaadecb23b61a437b87543f67390140535812160b93f

SHA512
f2705a3fb47ce3e22f782089fa9454b0cc887fd520868053d2f7a7576a3d2d7d8266544e9a42e9285e3203f3920cae17af0d5395a8b4b4406f4be07c9689e489

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
194KB

MD5
c48b1c9e39e3d85680a67e8d927cc607

SHA1
6ca1261d3426b6106bb2b67e0d9476be9bc65c2b

SHA256
6faa23a7044ca4eb833d2e1d2099e67006e4f3fd6acab426e6179c9494e65551

SHA512
9e151700cf174ed0db75b0947a6109dde18f42f2e15e15fb2d329c2c3247f7f6477891d44db2e4dfcf084bc94f5a8ebd5d82b687fc225c9276af496717851e1f

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
194KB

MD5
11ac258cb7149dad50852fcc9ec9cb35

SHA1
02ee20ce3be5373a1f199a45523cc87cbaeccfbe

SHA256
0e02cf52758734ba0b20ebdf12da93cba2d976afa50f9c93707e6de21d12bd8c

SHA512
1f91bd94b295626dfec02a6ef39a1d56732be8f7965e89b328ebdc37dc485b8bae077e782750e9d5eadb9d053fd04db9e88fdb01d530847f91c674b65d27dd55

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
194KB

MD5
f9a7d63fec765091a8ed75e34ca03274

SHA1
ea84e134c3a0589c3efb01740ce3d034eecb778c

SHA256
f8c233632b83fb6c4d279d72aa9a4917ae385ef57c11793d2639f3703c8171bb

SHA512
7aec450cffec345345a406a5e0555608080bd7da6efe76451389ea0d9ca7da29aba35f80bfab593fe90162ffffedb05392d7027baad2c6ff80ee07aaf5a4efe0

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
194KB

MD5
0eefcc1df165331e21410da319709dd7

SHA1
e1edc313109a61d0c5aaac5260f9470d2c9b58b8

SHA256
7fa8a91e32d8ccafde01ad0db2ab8b3367de18baa5473109d7ace2f77e53a83d

SHA512
79e5c02ae83b0cbda1a882ec82deb3933590d3c41ca5b9a3daf76c9dfdf9e110e583d7b0f1ff9d1ca4c73ba086aa9982de3c388e4b90310714484251c65bcaff

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
194KB

MD5
9427b9b08c970f8067b00da11760300c

SHA1
f21256d1a21718e2dd502e13498e7a1b05e0988b

SHA256
a5c612393e1ed77576470f993dc1798c2def2a3078f43129e7a37444d3896bae

SHA512
6f227afbda0f6ea80bdc87ad0a6f0d7223db109daadaec6c84b14a9875b578a9ee8abc42d29cac8665f866df6672fbab27b86a59d2674e899d596b300e698a60

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
194KB

MD5
f17d8722691c607973121b4fc661f9da

SHA1
34cf4c60c03c4cffc14066e0da4c10eed6d63a99

SHA256
3c92616e4de14fddc8746a0329621ba1e46b641bce58ab1cda4c0839aee09cd4

SHA512
07bbc09501f14c04fc094a095d4272a64855a0111a4114a022e3b123a50094a9391d6765fcf6981a63808cc6db140063b9afbb05781f071cd6f73c5678281d42

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
194KB

MD5
6feb343dd42ae2fa2ea0a9d7d928b5d8

SHA1
a3bc6f60f5b4a0334181cd643d23ec12d4fd6068

SHA256
fca77431599a2ac040cd370945b0771d16c0bcb46b0c99206ceb2d0d18a766f8

SHA512
d8ff3b4d755b584a5554877c1086824bdc2a60e3024cce31500d4988f9e6b113ac3aa4a61584718fee6d88cda44fb0161f8e03b44670ab5c2123955f7300bf4e

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
194KB

MD5
913c0e9b9cc36443dfddb03cf59969d5

SHA1
5c52e6d9182f3031218c85a1f9f2b55b7abce86c

SHA256
57e67a8a8bd7610ca9e30a1d26252638703d5bb85d9f84fdd1ede5f476e781e3

SHA512
3e96916214048b247afb5f0c2e4f58914385b01aa44c58e083f50702e7c8e7218509fe4fcc7a210d0e677f2f08fa1f3c2962e45f3550bd5a012281a564fa4460

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
194KB

MD5
dd1b61d777c803d7507a63f6e595ed12

SHA1
a1332a7586b72adf357077269bdaee9cf6f14ade

SHA256
b738c1014d780f066a57220c107336cbf5acb0b7d8db053bfbc26945294e1c63

SHA512
c4fb5923d1fc74c4fa6f28ed1b0f203dab785a05455abe68e8355fb72c20422674bfe7d3c4d4035ce8b521e8b0588c2465a59c69cb091dc8de680dd56dd5d7cf

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
194KB

MD5
b6ff1aea836c2cc04c4a441efb2da061

SHA1
c1a9cdabc5dd49f89e198df784fffa54dab25966

SHA256
3555534d9dc9e7c6dd01b225cb2ac28c0dfdad815ad4e683ee4c93b863276402

SHA512
8bcac69e25faeb27e8e2ccd3e73a678ba82ff2c46d397431d3d0ffff14eaa78e9cd2a6efc45590dfbe2f59a9edc1afa424d84a1a67a3b128273ac57af2ef0c7c

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
194KB

MD5
992ce3e4064eca7304f2ab0930d24025

SHA1
fe16904e1e20e2964d90a9bf974e143bd35e2f92

SHA256
147f0419cdccdebef4350dfddda1ca4f30691594d2db59c08cacc6631f229ae4

SHA512
242624b1fdcaac085d493b7f14e2a98aa4063abb84babb26c95921b13d716188483b91a740bc20e8bfa72cbca80308d1dba6e400fb8384a5315bc734ebdf49ac

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
194KB

MD5
82cffd1b391ad7539c1e30e8e62f79b6

SHA1
d08705b82d28e34770aedf0e51b577ce5b4b086a

SHA256
d7c04d800c8c2bd8910f137677a19ddc26f947623e23ccde43cb2312e00f9bf3

SHA512
5f2a66059fe1a6a03f824c74a1e7c3a841d6a52efaee31a77d3791abd479ca46254ad80ca13c9d6446680630074a1f329dffdc5eba894215d4775d4277f4655d

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
194KB

MD5
4ff3f3d80b0b18f929c89f8cccaf74d5

SHA1
524e8f0ac7007d96db42ab51cb3dfa4f30027fc5

SHA256
75c081292d764553567a400d6086341b866cb070cc20c70d252e55bcd05eb535

SHA512
3fb70c3692b6aa5050ceab1b87400c0db3f7aacc9aeff95db1f26e9e14f0afd4fbcfeaeacc3d263013277c9e16300817400f0f5ae9b2aa77925ccadc48ee7fae

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
194KB

MD5
7ed362fabaf6d3d0f25d58d0cecba57d

SHA1
1f37430be295e4f98f96e191d17a7368f1d46663

SHA256
19f5dd9564181efc4908c2c5453a04d8643a7bf3886f62617adb7cd99e32f212

SHA512
5699511da7dd4b96e7b7ee7653e09b936dc0a5fb13019dc67ba1dee944d13a797c7763f47e147196d7efaec4b3aa9d2771c872b33f59e2eb68762bd933124cd3

Download Submit
memory/516-339-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/516-230-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/640-327-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/640-328-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/640-279-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/864-325-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/864-291-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/936-261-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/936-331-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1012-127-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1012-365-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1336-95-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1336-373-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1352-79-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1352-377-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1416-273-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1416-401-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1476-395-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1476-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1624-357-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1708-254-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1708-333-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1964-397-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1964-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2188-316-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2188-318-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2188-315-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2364-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2364-359-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2440-119-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2440-367-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2476-389-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2476-32-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2684-319-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2684-309-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2820-297-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2820-323-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2828-335-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2828-247-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2900-349-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2900-190-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2996-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2996-381-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3056-371-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3056-103-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3096-347-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3096-198-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3116-112-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3116-369-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3156-321-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3156-303-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3176-379-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3176-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3260-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3260-391-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3312-238-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3312-337-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3644-341-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3644-223-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3792-353-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3792-174-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3924-40-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3924-387-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4160-48-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4160-385-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4172-375-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4172-87-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4248-329-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4248-285-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4332-214-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4332-343-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4360-16-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4360-393-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4456-383-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4456-56-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4492-267-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4492-400-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4596-206-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4596-345-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4656-351-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4656-183-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4868-148-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4868-361-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5012-355-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5012-171-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5096-135-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5096-363-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads