berbew | 5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2

Analysis

max time kernel
124s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
Size

97KB
MD5

c21aa83d174ccfd7b2021e9d503c4e6f
SHA1

391b95caba57bf0131611237c39b44553079b49b
SHA256

5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2
SHA512

5392a66825cc0a9300a5ea13120faeba7c4189dcd1445ba78dde11dd4c873e1466c79b4ed279d0d0f0bed659f8533445c4462907fcc0dd07cd21187aab447d5f
SSDEEP

1536:Fy5ZM3pABEvco9XlvPQIwgW3kXUwXfzwE57pvJXeYZc:Gi3p8WXlvPCAPzwm7pJXeKc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caojpaij.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 39 IoCs

pid	Process
2752	Apaadpng.exe
556	Bgkiaj32.exe
1108	Bobabg32.exe
4336	Bpdnjple.exe
4928	Bgnffj32.exe
4528	Bmhocd32.exe
1020	Bpfkpp32.exe
5044	Bhmbqm32.exe
2476	Bogkmgba.exe
4360	Baegibae.exe
1928	Bhpofl32.exe
4852	Bknlbhhe.exe
2832	Bnlhncgi.exe
3960	Bdfpkm32.exe
928	Bgelgi32.exe
4516	Bnoddcef.exe
1372	Cpmapodj.exe
4272	Chdialdl.exe
4920	Conanfli.exe
1424	Cammjakm.exe
4332	Chfegk32.exe
976	Coqncejg.exe
1624	Caojpaij.exe
428	Cdmfllhn.exe
3988	Cocjiehd.exe
4536	Caageq32.exe
2740	Cdpcal32.exe
2180	Cgnomg32.exe
3056	Coegoe32.exe
2316	Cpfcfmlp.exe
4696	Chnlgjlb.exe
544	Cklhcfle.exe
5008	Dafppp32.exe
4104	Dhphmj32.exe
4708	Dkndie32.exe
772	Dnmaea32.exe
2732	Ddgibkpc.exe
2628	Dhbebj32.exe
724	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfkpp32.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Cpmapodj.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Bpdnjple.exe	Bobabg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	Bnoddcef.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Fmamhbhe.dll	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Chnlgjlb.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Cdmfllhn.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Dhbebj32.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Coqncejg.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Bhpofl32.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Chfegk32.exe	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Caojpaij.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Bhqndghj.dll	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Qfoaecol.dll	Coqncejg.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Iocedcbl.dll	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
File opened for modification	C:\Windows\SysWOW64\Cocjiehd.exe	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4700	724	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll"	Bhmbqm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 2752	3688	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe	86
PID 3688 wrote to memory of 2752	3688	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe	86
PID 3688 wrote to memory of 2752	3688	5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe	86
PID 2752 wrote to memory of 556	2752	Apaadpng.exe	87
PID 2752 wrote to memory of 556	2752	Apaadpng.exe	87
PID 2752 wrote to memory of 556	2752	Apaadpng.exe	87
PID 556 wrote to memory of 1108	556	Bgkiaj32.exe	88
PID 556 wrote to memory of 1108	556	Bgkiaj32.exe	88
PID 556 wrote to memory of 1108	556	Bgkiaj32.exe	88
PID 1108 wrote to memory of 4336	1108	Bobabg32.exe	89
PID 1108 wrote to memory of 4336	1108	Bobabg32.exe	89
PID 1108 wrote to memory of 4336	1108	Bobabg32.exe	89
PID 4336 wrote to memory of 4928	4336	Bpdnjple.exe	90
PID 4336 wrote to memory of 4928	4336	Bpdnjple.exe	90
PID 4336 wrote to memory of 4928	4336	Bpdnjple.exe	90
PID 4928 wrote to memory of 4528	4928	Bgnffj32.exe	91
PID 4928 wrote to memory of 4528	4928	Bgnffj32.exe	91
PID 4928 wrote to memory of 4528	4928	Bgnffj32.exe	91
PID 4528 wrote to memory of 1020	4528	Bmhocd32.exe	92
PID 4528 wrote to memory of 1020	4528	Bmhocd32.exe	92
PID 4528 wrote to memory of 1020	4528	Bmhocd32.exe	92
PID 1020 wrote to memory of 5044	1020	Bpfkpp32.exe	93
PID 1020 wrote to memory of 5044	1020	Bpfkpp32.exe	93
PID 1020 wrote to memory of 5044	1020	Bpfkpp32.exe	93
PID 5044 wrote to memory of 2476	5044	Bhmbqm32.exe	94
PID 5044 wrote to memory of 2476	5044	Bhmbqm32.exe	94
PID 5044 wrote to memory of 2476	5044	Bhmbqm32.exe	94
PID 2476 wrote to memory of 4360	2476	Bogkmgba.exe	95
PID 2476 wrote to memory of 4360	2476	Bogkmgba.exe	95
PID 2476 wrote to memory of 4360	2476	Bogkmgba.exe	95
PID 4360 wrote to memory of 1928	4360	Baegibae.exe	96
PID 4360 wrote to memory of 1928	4360	Baegibae.exe	96
PID 4360 wrote to memory of 1928	4360	Baegibae.exe	96
PID 1928 wrote to memory of 4852	1928	Bhpofl32.exe	97
PID 1928 wrote to memory of 4852	1928	Bhpofl32.exe	97
PID 1928 wrote to memory of 4852	1928	Bhpofl32.exe	97
PID 4852 wrote to memory of 2832	4852	Bknlbhhe.exe	98
PID 4852 wrote to memory of 2832	4852	Bknlbhhe.exe	98
PID 4852 wrote to memory of 2832	4852	Bknlbhhe.exe	98
PID 2832 wrote to memory of 3960	2832	Bnlhncgi.exe	99
PID 2832 wrote to memory of 3960	2832	Bnlhncgi.exe	99
PID 2832 wrote to memory of 3960	2832	Bnlhncgi.exe	99
PID 3960 wrote to memory of 928	3960	Bdfpkm32.exe	100
PID 3960 wrote to memory of 928	3960	Bdfpkm32.exe	100
PID 3960 wrote to memory of 928	3960	Bdfpkm32.exe	100
PID 928 wrote to memory of 4516	928	Bgelgi32.exe	101
PID 928 wrote to memory of 4516	928	Bgelgi32.exe	101
PID 928 wrote to memory of 4516	928	Bgelgi32.exe	101
PID 4516 wrote to memory of 1372	4516	Bnoddcef.exe	102
PID 4516 wrote to memory of 1372	4516	Bnoddcef.exe	102
PID 4516 wrote to memory of 1372	4516	Bnoddcef.exe	102
PID 1372 wrote to memory of 4272	1372	Cpmapodj.exe	103
PID 1372 wrote to memory of 4272	1372	Cpmapodj.exe	103
PID 1372 wrote to memory of 4272	1372	Cpmapodj.exe	103
PID 4272 wrote to memory of 4920	4272	Chdialdl.exe	104
PID 4272 wrote to memory of 4920	4272	Chdialdl.exe	104
PID 4272 wrote to memory of 4920	4272	Chdialdl.exe	104
PID 4920 wrote to memory of 1424	4920	Conanfli.exe	105
PID 4920 wrote to memory of 1424	4920	Conanfli.exe	105
PID 4920 wrote to memory of 1424	4920	Conanfli.exe	105
PID 1424 wrote to memory of 4332	1424	Cammjakm.exe	106
PID 1424 wrote to memory of 4332	1424	Cammjakm.exe	106
PID 1424 wrote to memory of 4332	1424	Cammjakm.exe	106
PID 4332 wrote to memory of 976	4332	Chfegk32.exe	107

C:\Users\Admin\AppData\Local\Temp\5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe
"C:\Users\Admin\AppData\Local\Temp\5d3a5705e5fe001653d33d81c0fd89f4dc0839079802cc02057324584c369cb2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\Apaadpng.exe
  C:\Windows\system32\Apaadpng.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\Bgkiaj32.exe
    C:\Windows\system32\Bgkiaj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\Bobabg32.exe
      C:\Windows\system32\Bobabg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 400
        41⤵
        Program crash
        
        PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 724 -ip 724
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apaadpng.exe

Filesize
97KB

MD5
89cb84ba6e2b7931d5c2ed4c21bd9146

SHA1
2065ff08afe5a27503b2daf9fb51b4b3a44e48cf

SHA256
b9b1dd49b76adbdc013b56ef21377e9dc70936bb5a07289125a2c5122f45aa34

SHA512
0676d5f2eb9e69db744bb8d66237a4b82185f425bca2a74e331b1325dd01ed822d62b7568da9dc4e02a21364b8133c6589afe430ad7097c74f438aa19b09119d

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
97KB

MD5
4be63c3eb2f4ad61abaed4ec7a274a53

SHA1
ac8c0f89f78b70aec986d295b304b77d07d866eb

SHA256
bd18298f7644e6c64cbe2898aa956624d584738e23663fd2b7cbeca2b61cdf3d

SHA512
a0e09c42d1f7f89d1caf6b95eb8a9f47a52464e4a5c12a4e636e4b7eadf5701a8add389d1c9afc84c9a7ab7c0b55a22c8989c595453cb7397e741a656ef6375c

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
97KB

MD5
7cd3372ec2400eeda2d958989b13fb97

SHA1
2d5588fd256d28cad8254e71d2fed2109cfbc5cc

SHA256
edab0d8753c2610957967f7e3f254d87bcf4312c5a2cd8d67a41d1d476046246

SHA512
93b3dd6c0672e2879233d739f060de7b8ccfbc74bd52a66977ee6b1458f2e14983007a4300b93fab2622e2411f1cac29e15623b3e61c1f48a66b462a3fae72fd

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
97KB

MD5
b3ab164ef44cda613de5c329179216ac

SHA1
cfcb1485369b72c92e2711a8d32884fc3e6d2675

SHA256
94a76866d8150cc40eddbf681a0318d8814b149e545e174548bff26a7e9c7726

SHA512
d48bedb964d3497affa1a20b1a865ee50cd3e158d47f86ad822e9b27cab4f447730fefae342a5e12ac487089a4dd84ac7d948a1e2a21b3b8cb9335faed5f198f

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
97KB

MD5
c379672d34a3b793d64b22d9f2723e57

SHA1
f34616b585c62fa94e77c5a20117b17a2652974c

SHA256
39926999b98f3b2ab1dfa8fa8cc280670d18c3caa60f55973412f2d887946e3a

SHA512
1730f7aceb66eb9b19d18a8bdfcedf7a3ca3da26a47661864fc25d9b3f0cffb6b8f0d69a82a74ce4c2db9abff852ebf808a0aeff13f314cfc7050474d90bfbb3

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
97KB

MD5
29e396a7664f42edfb7059c1500dcb77

SHA1
d65a9f77bed18dae570094e9e19b912bf2464285

SHA256
669191d5a58ce81091d0bbfc89506ccad12551af158e5b940532d5dd4e7479e8

SHA512
878bb362ff70add8753ab8be2514c92858951280ff6cab3141fd08f04fdb9f034afe13673c54fc49bdadc674bf3bf1ea72121f9cee2da531177fe79fcd344a09

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
97KB

MD5
b9a59b72cf91d1a6abb7054aaf6c58b0

SHA1
ad4f17d41e7faeff1504feae2dd9d8eefd3ece98

SHA256
b85c2ce5356e9efd135b36e28215236a487af299e997d77ad79629c59bdd0274

SHA512
1c8680d897bc3c2c6cc22d8e29a95e341b00a64b28acfb4865d7799f379b1ad19812dacb67ac883639410d90ca9bbb186564d2a5ac0b5dd27ace913df5be7044

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
97KB

MD5
9ab0a3445a9efa6373726d339ec7f19b

SHA1
2e2fb032eefe453c2587bb57f46bf6c096ea44be

SHA256
c25608d250938cc0223c185da4a2e25ea898e20b443f304ab61306692b0c84ed

SHA512
8191f0de4b009aeafa9de3c23591e69625a825ce0348e86d6ff512ed19638e81cebd1fd4f1455d1e8a6c7d778ce4d77a80ceefedc3fe6c86598724b8d3cce295

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
97KB

MD5
6631c3841c624f55bca269fb97db9d78

SHA1
c59e2710bf2c64a4eea0112ef392f32714b1c965

SHA256
0a6640027cd762e4ebbd77f6897031c0d7956eb2b9597647f6e296d63a5e7511

SHA512
e5c51b5790144c6215f866563903559e7bc80c29e037b80a9ff7a056cca4313665c966f5e68cc18edb63b90e9097029fb4dd894257a78f33200e705ac03ba60e

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
97KB

MD5
1d559869dfbaa375eb3c896523717d7b

SHA1
6196fb5aa21ebdf0a8f7353f4d16d9ecb8cb35d7

SHA256
542ac5168ba0358556c23cf85a5267eb9dfe74f1c193cbfc29d35d8d2fcad305

SHA512
16c745be781a689daa5aaa690d34fdcb9b2c05ade4566f99fd454167465f46424a2893653cc3fa75ab619f036350557cd3198bdeb80de52e8b8427a169d8b845

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
97KB

MD5
db7558d05f8bc0c348acb44477309bbb

SHA1
b58aa9c357905fd24fa2c54720ce46f123ce1b2c

SHA256
d27f0cfda4d7a3a3d591d050911daf4a54e37d7c24d0bbd4270b86dfba01b365

SHA512
9cbfeb4e209a4bd0419e741f9a14a2b149b1a8bbd36fb2bd26144c32c51e329e0cb2e97e3b34ef69e0d4a4ebaa1e8ec66b910db78dfa2e79bf456f396cb0165a

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
97KB

MD5
054114882d58dff5fa773e1ee2e7fca3

SHA1
55fc4d8c3cbb6d9b41f7c6b78a2e001d31cdb6af

SHA256
b45d59dd611c377ec383bb97ac85a163beddf21c357cc0fa70e523c3154eedcc

SHA512
c1ff656d2aa724df7a084e1097e39d86723a77694f52e8e5bf39b72ee1860fc7e4e8b4703acffdd7b94c50d526bc860a0064e92970fde78371350a1784e010c6

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
97KB

MD5
2ba99ab7c1f294f059ac86d5875cd407

SHA1
a314aa8c3e5800f3018af4cc0a8cfd8a27c0bb3b

SHA256
7e2bc089f76eb2cdecb59809692e0ce6a89a21edf581d2aa5cf1b77b88532062

SHA512
c8c6413ad0cfa9b283fa87dc2f9f9209352e78db72a405b296b6620ca05b80f783fe4254029d30e31765519985cc678fd7e2ab59c4ce4b3c306a87057b5e563a

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
97KB

MD5
516e21ac147ba2bbb52f265f2e73748b

SHA1
88e1cda5076fa7278dc1e94477c18b69ea4296ab

SHA256
5177a474feb608af9367a5c0b5b1d51a4dffddb0a349f922c5c92eee7b6c759d

SHA512
dccdb0f2f73a2f73a21e7dd1e6dbf291d7a707c15a567e1e27006a6ae8b16c936834ce701719186034f9baabf2ba3062f2bc4c78858d0c776e08e4c22090cc2a

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
97KB

MD5
6d7ba512a70ac39c39441c2898dd9280

SHA1
87b55db18040ae16d0b7835787c5be4b6ae00074

SHA256
44aa1c995487b04e485460e9e2441249b5a13089563dfb0b4f76833723a140ed

SHA512
5c3f8d81997d25cea9f7a253f932cd7fd3fd94e4371f790ef1d4ac120ac464a9e80780a96ad1b359a2eb361bb9a5d57581543cff0658e2925ffde653247c9f7c

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
97KB

MD5
b0909d47a521731a6007fe37e153cafe

SHA1
4f5135cd5cfbdcd805dc4b154a29bd04c00e6a8a

SHA256
596e42ddbdc7d206356e778362e140df38ea506a9b2f6f8b752914981472b216

SHA512
0191fb3c0fc970cf917b89057b5a77a5188646babde753799a317de192afb10e02a5eb2dade7c4f43395650a2e597861d8791356424e4a6b73a1455a8b845efc

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
97KB

MD5
f427b0bde87c2d2a0bdd116837eb1143

SHA1
8b1a087d327131fd7e40cfc1f969f7f6fac01b2e

SHA256
696f810d580c30aaaefecd609cdcd24c0a21bb60ce5649025377d7757baa650f

SHA512
a9307e38d640c7798d9c5e51fcdd62f33614c69d3c4202fa087828301a1286cafec67402be9795ede60db4a5b6aac1c0a52aa67a58edfe966ff217b95a92399f

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
97KB

MD5
1fe550a3881042ad20bdf3b6f4daa01e

SHA1
50be3025cb94421611ecb7fa68d0e69f34ff64a5

SHA256
a625d94c41e3db4f69dbda2958058921ab396f565e207515e6ec42d9bec8de3a

SHA512
82273225f8d8acff3e548acc1d568dd06cb800a0bf58b183c53276a6910f0b62cc44606bfd7061242ad2b0496b9e98afc523fddca6dfbf519e5997b21dc6bec2

Download Submit
C:\Windows\SysWOW64\Caojpaij.exe

Filesize
97KB

MD5
2d640ef95cb86df24d4ab661ed2e77e1

SHA1
b9dd874dd286f52a0b62eefad60e2658950aed19

SHA256
913432a380061fd3e463f2b65e4c9891b963a6d53a7ac66354539650e95ca907

SHA512
138d4c65cefad75cc3b2372211ea63b0758561dfe62dabea85a670404dd3f70dad072c429654943d7e309a67319e3b92736faadd58063a12e6a2171b32ccf945

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
97KB

MD5
c44134745d2392031d53e0e7ac43204e

SHA1
b344e6ae00461e036459ad0d990e9f2b809a0eac

SHA256
dd618e9fcac05955d475cd3b09b268d798df2264b058ca667fdcc16689d76bda

SHA512
d8e86100ccd36c2d0e3ccb8e9e03a2c42e7322bad228e3f400ee7e0ea3c33fb8f33141f385d486233bba988a0912c2a7d5dc6dcebd02e34bf77d7d4909af5d1a

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
97KB

MD5
dd5f4411e26709418fe84d83af12fdb0

SHA1
a3e0dbf0b91402902151211fe7e5f403b57cf27a

SHA256
7a5015e068af283e53f5d86f8ac3aa7006f7e8317d1a919dc5217d097c3479b4

SHA512
bda173a33ffb3d6b2a03f7490f93504f24611b7f6e1fe276f886a7f25edf39e3bca52133c1afb7b56c7c7804e17ffbc1145c80684f2ca8e1c2df4f64aa3edbbf

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
97KB

MD5
14b4df0ee4178d5df77801173390187a

SHA1
1f9a6641cf1c99a5abc18f35395eaa825fed3fad

SHA256
100adfd566b88d4a9958b6a4d6e0ddc5a3c1e4a960befefe52dc7a0ed1ecb961

SHA512
e8de4586888e95277864b224cc5154cf00bc1658d46cdacfbc90b67a13aad4e76576e8b7c0be28c367f9aa4b1fc12173a73d5072cd85b290d873ca694e9e2153

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
97KB

MD5
9ab99c6a2bd2020c2f8e517fe50b040f

SHA1
d6abab0cead347909c4074cced0d6c749e52a91a

SHA256
00d3178706590fa0f3219bf957cd7901a6e0bb07c6e3c4edfb5521e8c3e7592d

SHA512
6a55b65969b0d63b4cb2f7c70aec21effc7dacf80e01192d14c32714024cfad04735b970bba8c8b3802272b2bb1a831a28735c371ac5557747154a7b91d41bb0

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
97KB

MD5
75a55ac090ae7f1482584700f6a7bbde

SHA1
4c49319014f552055ef7480f890cbd87f33fce60

SHA256
382c0b6dcc59dd8a0bc83aa851e8d60cbd0fab76aea4639f1ac3d7350e02bb6b

SHA512
d35c5a1c37379715f277902e960a997b3c57fadcdeec512268d09ad268de487ac0aa9042712f268a8ad326610555cc1cf18478abc8a6cb1eaf657e3a2043d71d

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
97KB

MD5
6e510fd1f7d0b515656c2c510400dbae

SHA1
8cf8593f446a86572911702d22a62fa51460be1d

SHA256
c82b1fbe911e2f89b9f50c876df662d40030bba8b412999bc09dadefad574b9b

SHA512
50855353a5c6c12d9b6ed868c831e1d694d6dde6ff7c9b810f0f7a625e70827e4eb8dc1fe4131f6f5c160ac34edd09e475635bc15d38fae808f5d2c921c58003

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
97KB

MD5
690bcf6fbbc801992d70e2308e4891f2

SHA1
674eb25efe4eedf9abec0e9df90f04ca871c352c

SHA256
034e9e2043f44111889d6ee38637cd155132fd565526f16e7d4d0c90b5015a24

SHA512
8fc89c81417ec12ac1083306c74f52e0c0a861099aea1ee18eb62cfae12c2fa36febf7a39e28a619959675079c3d86cae902d0dc27ed8300e8816b4f39427e6d

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
97KB

MD5
298ecd45e6911a4935c364c44fb938d4

SHA1
69164202770efa514e7346ac6ded8506d3a34023

SHA256
077c58ed63b9e5d04aefa5ac0283cc9cc9659e6ed7430660391b75781519b290

SHA512
a6492b58532c9fd5d221ef4a9bef11fa9e40fd16d5f5751f59145867a2d27a223e0b4eaec48248249523d40f9466327e9f55ac62c9b7a12fc9fef044bd19cea1

Download Submit
C:\Windows\SysWOW64\Coegoe32.exe

Filesize
97KB

MD5
fae2752ce766ba3c7bd7edcb00c96d58

SHA1
aaf361c94064b16b9cda753965789f9e5f5353b5

SHA256
28df148322bed8aa8dfed358c921a46df1cc3b736833bcf78ebc9c6dbe2bb62d

SHA512
a6fe452230adbb1bd5775b1b1f6b8bcc84f164c98b4cc4e8590a808660aaf65380d4b0892c65725f4d894b8c4f452681b64875bc84356fc087c44d2e443d1bc3

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
97KB

MD5
e0aa52d74f7268a204e3971a713d5bb9

SHA1
070b690934a93322535299a9a766f1eb37424e3a

SHA256
ffbb34fd0685cde20812202a3a2fdfdbd1ebc4dd8f8512dd89d03ea1020f9bb6

SHA512
d37cff34fc8d504d77711c38c23d9faa741af1864e7601ee2e733b8ca8c769d6e8ef11edc001705d0df0b26c16c0f6110db9c31bebf6778aa3270f19b38fccd3

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
97KB

MD5
43e5390cfc3a4f6bf0c5ca46fb4912cf

SHA1
861243515b15c99388d9ee1d6f056a3a16da2cd0

SHA256
13ab76b047cacc356683038e4353423c4f3f84d77e8822570bb2075165cd5954

SHA512
c5b741b7992b0ad6b2c9cacc1d7f1200c5b406b61750ae35494b65ffdd7bf929be2128d94293bc88296ba556b956984f77f2f347ce74bde772774997d5b9c333

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
97KB

MD5
20534f95b2348772fff50589ad802067

SHA1
239ad6e721ba85dc122337b3b834cdfac32d354d

SHA256
02211a0f8641ea68d8f559aa09273b44273b143b94c8d09de4dc80c87ad420d6

SHA512
05e10d4b7f7e789ac469608f1cc75bba9b2324d6864bbd53f1dde2b27bedfeb5b60053a6dc410f74ceb10cfcbd0253ae46f386d27bb47d6d717918a69fab63a4

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
97KB

MD5
c277f2f5c5cd87549ecefb5915c23c7f

SHA1
d6ab3eecc586e27f75ed0ec444b3e721b7b50dd1

SHA256
b0af69a5914647afbc0d48a25cd4bdaf32d8ce66c91debab6aba847329816405

SHA512
a0802f49de7b58512aa88f171012a94109ae5e4f64f8d61f13bb6e14ccb60ec67e382ce2d31b7aed9bca5e9db73dd888af45b8138ecef9355eecd644e30541b6

Download Submit
memory/428-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/544-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/544-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads