bf8e81e0073d343bc898327003abd81f090148eee328d886c15ed4d148e07635

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2796931376b3fa57546b47cff42ee380N.exe
Size

72KB
MD5

2796931376b3fa57546b47cff42ee380
SHA1

bc562124b9e62158b79dfeb8bd70abfbd728e1ec
SHA256

bf8e81e0073d343bc898327003abd81f090148eee328d886c15ed4d148e07635
SHA512

29da50d9747d784d9ecc3552573e06eeb38594c3040f195d50d6336be29a009c81660e5d14089465c9c25c2c1ef19c3eff7632c5d3b7580206a0547554938206
SSDEEP

1536:VsPrAis+lYYaFMdSOkpwaVs3XEjTxRQXDbEyRCRRRoR4Rk4:OPrAis+lHaW4JvyXEjdevEy032ya4

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2796931376b3fa57546b47cff42ee380N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	2796931376b3fa57546b47cff42ee380N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe

Executes dropped EXE 28 IoCs

pid	Process
2164	Adnpkjde.exe
2668	Bbbpenco.exe
2800	Bdqlajbb.exe
2736	Bgoime32.exe
2640	Bjmeiq32.exe
3064	Bceibfgj.exe
2740	Bfdenafn.exe
1892	Bchfhfeh.exe
592	Bffbdadk.exe
476	Bieopm32.exe
2008	Bqlfaj32.exe
1080	Bjdkjpkb.exe
320	Bkegah32.exe
2440	Coacbfii.exe
2396	Cfkloq32.exe
2104	Ckhdggom.exe
1124	Cbblda32.exe
1804	Cepipm32.exe
2956	Cileqlmg.exe
1448	Cpfmmf32.exe
2108	Cnimiblo.exe
1480	Cinafkkd.exe
2024	Ckmnbg32.exe
1340	Cgcnghpl.exe
2712	Clojhf32.exe
2288	Cgfkmgnj.exe
2696	Cfhkhd32.exe
2564	Dpapaj32.exe

Loads dropped DLL 56 IoCs

pid	Process
3040	2796931376b3fa57546b47cff42ee380N.exe
3040	2796931376b3fa57546b47cff42ee380N.exe
2164	Adnpkjde.exe
2164	Adnpkjde.exe
2668	Bbbpenco.exe
2668	Bbbpenco.exe
2800	Bdqlajbb.exe
2800	Bdqlajbb.exe
2736	Bgoime32.exe
2736	Bgoime32.exe
2640	Bjmeiq32.exe
2640	Bjmeiq32.exe
3064	Bceibfgj.exe
3064	Bceibfgj.exe
2740	Bfdenafn.exe
2740	Bfdenafn.exe
1892	Bchfhfeh.exe
1892	Bchfhfeh.exe
592	Bffbdadk.exe
592	Bffbdadk.exe
476	Bieopm32.exe
476	Bieopm32.exe
2008	Bqlfaj32.exe
2008	Bqlfaj32.exe
1080	Bjdkjpkb.exe
1080	Bjdkjpkb.exe
320	Bkegah32.exe
320	Bkegah32.exe
2440	Coacbfii.exe
2440	Coacbfii.exe
2396	Cfkloq32.exe
2396	Cfkloq32.exe
2104	Ckhdggom.exe
2104	Ckhdggom.exe
1124	Cbblda32.exe
1124	Cbblda32.exe
1804	Cepipm32.exe
1804	Cepipm32.exe
2956	Cileqlmg.exe
2956	Cileqlmg.exe
1448	Cpfmmf32.exe
1448	Cpfmmf32.exe
2108	Cnimiblo.exe
2108	Cnimiblo.exe
1480	Cinafkkd.exe
1480	Cinafkkd.exe
2024	Ckmnbg32.exe
2024	Ckmnbg32.exe
1340	Cgcnghpl.exe
1340	Cgcnghpl.exe
2712	Clojhf32.exe
2712	Clojhf32.exe
2288	Cgfkmgnj.exe
2288	Cgfkmgnj.exe
2696	Cfhkhd32.exe
2696	Cfhkhd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	2796931376b3fa57546b47cff42ee380N.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bgoime32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	2796931376b3fa57546b47cff42ee380N.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	2796931376b3fa57546b47cff42ee380N.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Clojhf32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Eanenbmi.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2796931376b3fa57546b47cff42ee380N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2796931376b3fa57546b47cff42ee380N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Eanenbmi.¾ll"	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	2796931376b3fa57546b47cff42ee380N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	2796931376b3fa57546b47cff42ee380N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	2796931376b3fa57546b47cff42ee380N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2164	3040	2796931376b3fa57546b47cff42ee380N.exe	31
PID 3040 wrote to memory of 2164	3040	2796931376b3fa57546b47cff42ee380N.exe	31
PID 3040 wrote to memory of 2164	3040	2796931376b3fa57546b47cff42ee380N.exe	31
PID 3040 wrote to memory of 2164	3040	2796931376b3fa57546b47cff42ee380N.exe	31
PID 2164 wrote to memory of 2668	2164	Adnpkjde.exe	32
PID 2164 wrote to memory of 2668	2164	Adnpkjde.exe	32
PID 2164 wrote to memory of 2668	2164	Adnpkjde.exe	32
PID 2164 wrote to memory of 2668	2164	Adnpkjde.exe	32
PID 2668 wrote to memory of 2800	2668	Bbbpenco.exe	33
PID 2668 wrote to memory of 2800	2668	Bbbpenco.exe	33
PID 2668 wrote to memory of 2800	2668	Bbbpenco.exe	33
PID 2668 wrote to memory of 2800	2668	Bbbpenco.exe	33
PID 2800 wrote to memory of 2736	2800	Bdqlajbb.exe	34
PID 2800 wrote to memory of 2736	2800	Bdqlajbb.exe	34
PID 2800 wrote to memory of 2736	2800	Bdqlajbb.exe	34
PID 2800 wrote to memory of 2736	2800	Bdqlajbb.exe	34
PID 2736 wrote to memory of 2640	2736	Bgoime32.exe	35
PID 2736 wrote to memory of 2640	2736	Bgoime32.exe	35
PID 2736 wrote to memory of 2640	2736	Bgoime32.exe	35
PID 2736 wrote to memory of 2640	2736	Bgoime32.exe	35
PID 2640 wrote to memory of 3064	2640	Bjmeiq32.exe	36
PID 2640 wrote to memory of 3064	2640	Bjmeiq32.exe	36
PID 2640 wrote to memory of 3064	2640	Bjmeiq32.exe	36
PID 2640 wrote to memory of 3064	2640	Bjmeiq32.exe	36
PID 3064 wrote to memory of 2740	3064	Bceibfgj.exe	37
PID 3064 wrote to memory of 2740	3064	Bceibfgj.exe	37
PID 3064 wrote to memory of 2740	3064	Bceibfgj.exe	37
PID 3064 wrote to memory of 2740	3064	Bceibfgj.exe	37
PID 2740 wrote to memory of 1892	2740	Bfdenafn.exe	38
PID 2740 wrote to memory of 1892	2740	Bfdenafn.exe	38
PID 2740 wrote to memory of 1892	2740	Bfdenafn.exe	38
PID 2740 wrote to memory of 1892	2740	Bfdenafn.exe	38
PID 1892 wrote to memory of 592	1892	Bchfhfeh.exe	39
PID 1892 wrote to memory of 592	1892	Bchfhfeh.exe	39
PID 1892 wrote to memory of 592	1892	Bchfhfeh.exe	39
PID 1892 wrote to memory of 592	1892	Bchfhfeh.exe	39
PID 592 wrote to memory of 476	592	Bffbdadk.exe	40
PID 592 wrote to memory of 476	592	Bffbdadk.exe	40
PID 592 wrote to memory of 476	592	Bffbdadk.exe	40
PID 592 wrote to memory of 476	592	Bffbdadk.exe	40
PID 476 wrote to memory of 2008	476	Bieopm32.exe	41
PID 476 wrote to memory of 2008	476	Bieopm32.exe	41
PID 476 wrote to memory of 2008	476	Bieopm32.exe	41
PID 476 wrote to memory of 2008	476	Bieopm32.exe	41
PID 2008 wrote to memory of 1080	2008	Bqlfaj32.exe	42
PID 2008 wrote to memory of 1080	2008	Bqlfaj32.exe	42
PID 2008 wrote to memory of 1080	2008	Bqlfaj32.exe	42
PID 2008 wrote to memory of 1080	2008	Bqlfaj32.exe	42
PID 1080 wrote to memory of 320	1080	Bjdkjpkb.exe	43
PID 1080 wrote to memory of 320	1080	Bjdkjpkb.exe	43
PID 1080 wrote to memory of 320	1080	Bjdkjpkb.exe	43
PID 1080 wrote to memory of 320	1080	Bjdkjpkb.exe	43
PID 320 wrote to memory of 2440	320	Bkegah32.exe	44
PID 320 wrote to memory of 2440	320	Bkegah32.exe	44
PID 320 wrote to memory of 2440	320	Bkegah32.exe	44
PID 320 wrote to memory of 2440	320	Bkegah32.exe	44
PID 2440 wrote to memory of 2396	2440	Coacbfii.exe	45
PID 2440 wrote to memory of 2396	2440	Coacbfii.exe	45
PID 2440 wrote to memory of 2396	2440	Coacbfii.exe	45
PID 2440 wrote to memory of 2396	2440	Coacbfii.exe	45
PID 2396 wrote to memory of 2104	2396	Cfkloq32.exe	46
PID 2396 wrote to memory of 2104	2396	Cfkloq32.exe	46
PID 2396 wrote to memory of 2104	2396	Cfkloq32.exe	46
PID 2396 wrote to memory of 2104	2396	Cfkloq32.exe	46

C:\Users\Admin\AppData\Local\Temp\2796931376b3fa57546b47cff42ee380N.exe
"C:\Users\Admin\AppData\Local\Temp\2796931376b3fa57546b47cff42ee380N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\Adnpkjde.exe
  C:\Windows\system32\Adnpkjde.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\Bbbpenco.exe
    C:\Windows\system32\Bbbpenco.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\Bdqlajbb.exe
      C:\Windows\system32\Bdqlajbb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgmdailj.dll

Filesize
7KB

MD5
c3643ed35cee84456270d098481d55b7

SHA1
9c28110fecbab1d64c3af35da2b02230cbd05087

SHA256
dd704a7d8886e89f35523c54440252918228df1f7b4f37ca20a7f5082ba73911

SHA512
9c97304e2dbae03f1af278d8925b57f2f9849917ac70e9a81f3f5c9c6cc89214a0a96514c5f87e98181ba1e4c1877f75f6df65e3746867a2a8769e26f0787cd1

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
72KB

MD5
eeb06eb2337f426d0e92b93b1a850ae1

SHA1
6992b9ed79e5010518f389cea0cd08a1ab22366e

SHA256
75a0198d74a488e1c526cda095033998d989770371447df338c279a197368aa8

SHA512
e0fc4ac8f612b6697c6c6c37197e62f8d45276530f7029c579e7aeedd2a0271cf56ef1a20910119be83a2022d2f158b1f3b74a28ec64df294c8d276f2527aecc

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
72KB

MD5
3114e5446b0751112d06ccdedd36edd5

SHA1
dc8891f5fe2ef5a26dc52b5ae08516c925c2cdc8

SHA256
f5156e8c5acba76b05a7c53b221befd06f0541f3e417c000b65da7afd81df561

SHA512
4d2259acfdf23f4bd279739f2b54f7df30457426ce34117d49421c9143c954f04bd7fb1b50ca44874ae40f044a606ab43c1aab619df936b2647c3be25eeda7b5

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
72KB

MD5
b430559a4fae748be595f418a5f5ac33

SHA1
22825d13b3a0a6d880bfb0bc7d1fbee710910b3d

SHA256
ea3a5d23468a7f134be3b5abd7696976962ab01a12e67d127b9b90fca76ea1e7

SHA512
9a351acb8077ecf279bafd3ebba73e5c401e9b11f21f1e02a5cfbcfaf794b1fe204ca4aedc8e26d28774ea5e9e3efc36cdf42154279990ca1edcce03ec121f0d

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
72KB

MD5
d6260274341199f31653f33a483a0e27

SHA1
9659b2b0c28e29b62a4cd94020974f70ed12c5ca

SHA256
4e958bd8b686fe486ad2a1116d600c6fc01eec9c215915473e34286ddf8d3aed

SHA512
14428aad6a317cc25a6c34e56b4cff5687a5472a39b16ea8092154e0ddd626c835091a1d9154dd6f77724789f579bec5a839bf72197c89d30fc8f73dadd72283

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
72KB

MD5
455b209d1015039afa552f73637bab1f

SHA1
1f5a7021a739bde50dfa8e6f3c840fa59b5439ca

SHA256
ee392c13da131413898ca5e45306ce7d16846f55b9618501f6464222094f3f7a

SHA512
c06c1f15d3335343d741ba63a78036ccb9dc2b116aefb387fa3f07810b8ec3963e1ba3c15df635126a9e6d696d124fb4b47312d6eae03ae9c1e5da6ced520b78

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
72KB

MD5
3c00c3a0fac557c1a4566e054754ebf5

SHA1
dcb5d8408eaf263cfaa04631c15b1400e6effcb0

SHA256
4d0dfa5bb99f3f719977a668d89f69e61db0c4c1128603536c9deb4c85b50ec4

SHA512
4efafc7ef08fa838832e5bb033e0b977a8dc07eb769b1918b184e17bbb7f2c2d1e40bf03909387c1ec1bb042d5ae27dab17348cb7b56f7e7c5b8aac8e560c400

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
72KB

MD5
0041da54d4e722fbe3a3f9c25e666990

SHA1
0198aaabcd51707edb19f48ba957135c02ff4bb0

SHA256
06e92d5c3bc1550964898f607a858449c98035b3b268a1b2c664b421a36cdf9d

SHA512
de35755b417d137c1b561ea44707212282c533e54e9a58269e2158e84992459e9604ab0ba6c12b154cfd853c0216b280bb732a5ed7ef81261dd4809d1a9af81b

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
72KB

MD5
680e6e85b2731d1b4bcb18020c54cf8f

SHA1
6d75b957d2d11765602e35c7ba5588be1269cc14

SHA256
fac8b8d364739fa4088af7b3408d4aed1720e6248d950c7eb1abbc00c3ae7f5a

SHA512
1266028be5ff4693249e1eb8b60066c5d80568fe62a305ddc3079a895bf3fa5e9f1c45d163515027ec62baf7a23c9a78c1822b1b610db55154f2839a5590bd04

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
72KB

MD5
308a1683414fb3afa1af87920af363e0

SHA1
b92be0ea7b4735a38b274fd425459e45979a5e5b

SHA256
369a899a0e594172de8c920aef7b3da30e91f0774e8c0e3c00750a29071bce2b

SHA512
02eaca1de2d7019dec3cc7a9e72a522619aa0b0ff8db3795cff7f403dcce51670d4bd6a4a829a13490d1226dd6b20157525b8e4ec0e3b4f3bb0f752504fb843c

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
72KB

MD5
905c0eb6d7c807df336f0e9f8415e52a

SHA1
8e2a08a27241b7386322a0c17d8dfa4820b88d02

SHA256
280915c3fe5c58afddc7baff5db0a4aee0de47ccd62f775f3ee51f9608cdfe2d

SHA512
71ae57c1ece6dfd5cdcad8eab651a391a6154e6c2807ebb87ae499e55baef8c2c2e05bcf691f4f9e6c9d1aaecfa187f5e329634efc8a87e443ce1a769d663e5d

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
72KB

MD5
90c37070a1b7f510087a7693c30d47ed

SHA1
617b7e6d15d1a171e297cbe6cfb5ca9760132ffa

SHA256
4d433999f97d58c6a5e74714447fb762c7328fc4915994e452ec668586a92093

SHA512
b18983c24ea1a83077358a584f816a9a0339bbe20007607ca5f2ed844abfe22a9e4d23a3f1ca147a2607c04784375ac244aa378891ad67d28b5f4c11f967d831

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
72KB

MD5
416fb4922f9a99813d284a493bf3c0c6

SHA1
554b68da1d577a940e4ade6d1f585dd14f9f6e1c

SHA256
60acbef846134aadeb4d498f445c8d51de2f6f26fd66edefe17e5bcd235f6b72

SHA512
66e5c2c1c0bf8e5938f63d6d530e01ee78574b7d96764f7292f02749d0bc47a222929a84cee7c60d2facbd3f8aeec4914e9b225b7370fc8ad3d60cae8b1f646c

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
72KB

MD5
a46e94f84b21c61f2da2889d47e78cac

SHA1
2e66e1917be39a3269c270663f623731c1fc6a44

SHA256
6465df879b1baf207248ff2f7494310f2deef6089647f4814085e0a2a65b271b

SHA512
19cf0e9a8ee00a85d26cef75bd16bd5a50f198dcafdd6cba541cb1932d5e35827828ad396c2b7946f67e441ba753e8fda74b797203d174e8e9a6503f68710630

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
72KB

MD5
c7afa3eebf7abdba50365e5a67ff9d5e

SHA1
28a442a4d53ad7beeb7e96ced26e30f8ba617269

SHA256
07491435d88b8e2850f85494e8786d733c30ec45b04cc418f21bec80f4aa683e

SHA512
20d1b3d3609266c9aac21a89d7e7e4e5c686db0bc5e4a1ede340b93a77be6af4ed0be3894937f289fcaf0dccb6804fc2ed94d31d1fc855681076bba39d2c3a4a

Download Submit
\Windows\SysWOW64\Adnpkjde.exe

Filesize
72KB

MD5
0586f32367d6ff36552a212a36f78df7

SHA1
c898b674907675b4842a72b8e23c7d1e8908ce7b

SHA256
3083615ff317ee2a64f2ee958f853c760e990500d60e9df31f05911707050221

SHA512
9d2c7e5d289a554fe5d34ed4b029d709af2069ac41426b2987081519dbd3161fc9485b7461dcbe52598ae50b7e7e77ff8f6e5fe71876ed6935158dbef61230c3

Download Submit
\Windows\SysWOW64\Bbbpenco.exe

Filesize
72KB

MD5
6f78381b7e05f8ffe345c904392492e6

SHA1
1f19c2d7211c4e289082b5127ec6e16b6131c656

SHA256
d843a6cfc9b1548ccb2ac62ff41afb14109b79389d92c95b04a3720518508dc3

SHA512
ca6325575f72d44a181a210a77cdd5483d007768588cea12af76b1cfb59dcdee3e10842d0bb87305c09726c83a9b508a174b7f6400801e48bbb97a973c48a787

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
72KB

MD5
a513a108c6cdedc45da63e134747ba66

SHA1
94ff336e0d45eb16ee54b0f6f2ce4a0e861af3b4

SHA256
0893b3d8d20087270e76f6e94fb1b605bb63e60be288d8cfc121d186daa9e1a7

SHA512
9ff24517f59a92793f3e1f79f276113d97df12f6ff09dad0e1b7f7696ed9721f468007c8b154c1ed3ec81183c677caaa6d6e0884f5cf2d4b7002fdb56971eb1b

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
72KB

MD5
874c6a514dab2585885c5fc6c695b9e1

SHA1
2d8a3d4eeed37f491975652f63561fed10486422

SHA256
43ddce5d3579c767f27d74897fb95e369fdf4be61bee561ad07c9937578bfa43

SHA512
0868763dc5a201efb172ada52c1bd64a298305cd2548d067dd381dfb4e2523924b7a2a398521d2e7594e70421392caf82d974362a90f9d2a31011e5d55929633

Download Submit
\Windows\SysWOW64\Bdqlajbb.exe

Filesize
72KB

MD5
109b8101049b06cd51712de504b07957

SHA1
a10d3bfb37f674532d3b4aa6de0e6b3a09f789d2

SHA256
ede1b1c33599d7d9efda7a0da01d3d69f60195b5ce42fbea635ccbd45fb45ba7

SHA512
6073a6c0729e1fbe6388e370cb3993c554cb7c3fc55929169278459e39702c0c0a9611724e7b905a74c7e094ac034509aff7425d4ee36f8143a3b75184e286ec

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
72KB

MD5
f606691d25ab3520f156365e919ec89d

SHA1
87ab5881fade69a109f2338aa7e17c62b8b39755

SHA256
afe4d2f42a4e192fee715877db0d0ca4fd82a0cec52e64dcc6056a8fa622bcc7

SHA512
237ce26e4e114c923d5c1d850e533b8ca33205ea0cfe6eadb1227197eab021c1eb15555e1b38e6cb67b03ae87f891aa9f9080378330814ba2edeb4392a965ace

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
72KB

MD5
fe7623666fd2888acdce9c1ca779a62b

SHA1
72f41a413e3fef7119d6d488ebdfccbbe79acb26

SHA256
41923d794ff37347b6f4fe8ad2f798a4189c9b5d2d02e9b2abcce2700fe650cd

SHA512
73a687fe54575866e1e7fade2bf44778617f3a62ed9afb7cfc0a52420e15d60fbc931f231fa1d7571565e2e1153f6e3a32a9e83652b98c702d9965f510b27bbf

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
72KB

MD5
b624a8f975fc6adba897a71a3929113b

SHA1
b5b9ac3124caff17556c0f13e4adf2d69c7a0416

SHA256
ea873177c9ca3a8a1a1c04e8df39c703d36c27e2a8592eeab4ba4eeb24b8fd4c

SHA512
9826ffb6e3d64b80648f84a3faeae3051abfdf5105d731211955931e4a57c673b19841365ae852c47159062982a9282e4dce915e56a44e515d1a23249861293a

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
72KB

MD5
61341b73dd7ccaeb7539da9dfcdf1c34

SHA1
945398948c12b04ba3bb5ac8e6c1fa562f38e98b

SHA256
1cb3cf1d8f8fbfc0e2723277ed9cb44b0e5f076bb2def101f8bfcb3256be6be0

SHA512
40c6eeb9db454b440ed9ba9f2bd7fc0522895050f593292dfcdb541f1c8968a83e9e1b87fad920c2a77d30a33f95c27d67bad3dd6b602f618e6955aa5e32a819

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
72KB

MD5
b445cfb331559383cc30f545ac4c1045

SHA1
481d0468ea882d51dd2213fd2cb41f2c20970152

SHA256
5b9afd22d507c69bead98072fd8f1e96ce58f5fc6d7a4e4e2efa99e8eefe41ce

SHA512
b609ac00eb673c11cce52aede8556f347459ece91324e756667742810b99c92b455864f6e0975adc1d90bd98af5502f34331781935ad0b0376d37078cff234a4

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
72KB

MD5
7936ab03ac1645ef94a83e0ee43d2a17

SHA1
5e8f0429d0a204d34a01104041e86d5d81211db9

SHA256
344d498921a94af8d9560f71a4f8efc2d0516f7e0ae8e145d1e900c64e402202

SHA512
ec4a206e93021b651d0ef423c9f1943be2bbb6a6b44afa3669219015da749b3e4067cf65be02f9dd1a70d28215099759f3d2b53ee42b78f7c39de820b378c1d9

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
72KB

MD5
1ad4b4942ccdf9caee407a2345a493b7

SHA1
d59b82ad1dcda17921301a47305c928680eab813

SHA256
5e7d5fb9d5f73969a845bce3907802be8ccffaf03a0d3d166805e01dc203b53e

SHA512
0f4e56f493a3a8c7419eeeaa33c638303213dd35b8196c9d9e1b897676e66c93fb80ed41f8fe9b79eaa7c7ae2fddad4a477a7b3881a48e2079f866200f7de6b5

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
72KB

MD5
6a15a763c20e815f8318e1f15c0d979a

SHA1
fddd28ad25c75aaa9b8d9105c7b39a5c16ca7d0d

SHA256
daa8ddf3e8fcafb1fe56abaafd63461d1c36ea76cdca366f656d8834f2599978

SHA512
f420a037b2a758846ae3b4abdededf50d134f8d15d84f75eb888d9e43952037be02163ed6abd0db9a6029ddc38970615a015c7bfd8adee00f7d353424fdf996c

Download Submit
\Windows\SysWOW64\Coacbfii.exe

Filesize
72KB

MD5
50e9cbe5268a858565b0815cfd8c50cf

SHA1
0f72c54c8e8149eb25c2829f2fb2fb737b32ba5d

SHA256
301c0a2ffa7cb94e2234d39209badaeb447ce3cd8e70ce9ee581fd07d40ab82d

SHA512
2b4422a4d6c87d10b66a52e896bf97f951f55a21e1622ffebbfbe7d5b0fb534d83059ec6caba1a7f32acad4055fa3bc34bff1e780b66cde1c998c5018b7b90b4

Download Submit
memory/320-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/320-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/476-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/476-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/592-132-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/592-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/592-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1080-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1124-228-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1124-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1124-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1340-305-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/1340-304-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/1340-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1448-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1448-258-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1480-282-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1480-283-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1480-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1804-238-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/1804-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1804-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1892-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1892-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2008-147-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2008-155-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/2008-354-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2024-298-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/2024-284-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2024-297-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/2024-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2104-348-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2108-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2108-355-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2108-276-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2108-268-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2164-363-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2288-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2288-323-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2288-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2288-327-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2396-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2396-207-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2396-199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2440-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2564-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2640-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2640-79-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2668-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2696-343-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2696-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2696-335-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2696-336-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2712-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2712-312-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2712-345-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2712-316-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2736-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2736-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2736-63-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2740-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-357-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2800-53-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2800-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2800-362-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-344-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-251-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/3040-361-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3040-12-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/3040-13-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/3040-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3064-353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3064-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads