berbew | ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe
Size

896KB
MD5

c5a3c77bd27f9ec180189a5549693927
SHA1

829ca88043958862be9b85fcfd759329f4c76136
SHA256

ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e
SHA512

f331dcfe7122d231224ac3035b5aed46f8a914abfbe851b0b3fd65aed7086fc1ef46c2b20c058af2ceca1d020b47fbdec25873ea9122da6ba2b1779532bc0900
SSDEEP

12288:xhRj7EhByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:B7ECvr4B9f01ZmQvrUENOVvr1

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 52 IoCs

pid	Process
5084	Opclldhj.exe
904	Ocaebc32.exe
1652	Paeelgnj.exe
828	Pdenmbkk.exe
4916	Pmnbfhal.exe
4376	Pdhkcb32.exe
2984	Pmpolgoi.exe
4336	Ppolhcnm.exe
2296	Qdoacabq.exe
3148	Qdaniq32.exe
5016	Adcjop32.exe
1956	Adhdjpjf.exe
3048	Akdilipp.exe
2256	Bhhiemoj.exe
2648	Bpfkpp32.exe
4920	Baegibae.exe
1692	Bddcenpi.exe
4740	Bhpofl32.exe
4456	Bnlhncgi.exe
1812	Bahdob32.exe
4576	Bpkdjofm.exe
1960	Bhblllfo.exe
4460	Bgelgi32.exe
2372	Boldhf32.exe
2960	Bajqda32.exe
2956	Cdimqm32.exe
2784	Chdialdl.exe
868	Ckbemgcp.exe
1392	Conanfli.exe
2656	Cnaaib32.exe
4236	Cponen32.exe
4584	Cdkifmjq.exe
2584	Cgifbhid.exe
4100	Ckebcg32.exe
2940	Cncnob32.exe
4500	Cpbjkn32.exe
860	Cdmfllhn.exe
4640	Cglbhhga.exe
4356	Cocjiehd.exe
4312	Ckjknfnh.exe
3288	Cnhgjaml.exe
1892	Cpfcfmlp.exe
1364	Chnlgjlb.exe
3512	Cklhcfle.exe
3256	Cnjdpaki.exe
1088	Dddllkbf.exe
4492	Dgcihgaj.exe
4484	Dojqjdbl.exe
1260	Dahmfpap.exe
632	Ddgibkpc.exe
748	Dgeenfog.exe
4928	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Ppolhcnm.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Jgddkelm.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Ciipkkdj.dll	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Pmnbfhal.exe	Pdenmbkk.exe
File opened for modification	C:\Windows\SysWOW64\Bpfkpp32.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Conanfli.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dgeenfog.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Ocaebc32.exe	Opclldhj.exe
File created	C:\Windows\SysWOW64\Pdhkcb32.exe	Pmnbfhal.exe
File created	C:\Windows\SysWOW64\Occmjg32.dll	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Bhpofl32.exe	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bhhiemoj.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Cocjiehd.exe	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Opclldhj.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Boldhf32.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Cncnob32.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Cnjdpaki.exe
File opened for modification	C:\Windows\SysWOW64\Dgeenfog.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Gadiippo.dll	Opclldhj.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Pdhkcb32.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Pcmdgodo.dll	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Ennamn32.dll	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Ckjknfnh.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe
File created	C:\Windows\SysWOW64\Paeelgnj.exe	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Ppolhcnm.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Akdilipp.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdkifmjq.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Dgeenfog.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Cocjiehd.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Ckebcg32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjknfnh.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Ekiapmnp.dll	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Hlohlk32.dll	Akdilipp.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Ppolhcnm.exe	Pmpolgoi.exe

Program crash 1 IoCs

pid	pid_target	Process
3552	4928	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhkcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocaebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll"	Cponen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll"	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddllkbf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 5084	5004	ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe	81
PID 5004 wrote to memory of 5084	5004	ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe	81
PID 5004 wrote to memory of 5084	5004	ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe	81
PID 5084 wrote to memory of 904	5084	Opclldhj.exe	82
PID 5084 wrote to memory of 904	5084	Opclldhj.exe	82
PID 5084 wrote to memory of 904	5084	Opclldhj.exe	82
PID 904 wrote to memory of 1652	904	Ocaebc32.exe	83
PID 904 wrote to memory of 1652	904	Ocaebc32.exe	83
PID 904 wrote to memory of 1652	904	Ocaebc32.exe	83
PID 1652 wrote to memory of 828	1652	Paeelgnj.exe	84
PID 1652 wrote to memory of 828	1652	Paeelgnj.exe	84
PID 1652 wrote to memory of 828	1652	Paeelgnj.exe	84
PID 828 wrote to memory of 4916	828	Pdenmbkk.exe	85
PID 828 wrote to memory of 4916	828	Pdenmbkk.exe	85
PID 828 wrote to memory of 4916	828	Pdenmbkk.exe	85
PID 4916 wrote to memory of 4376	4916	Pmnbfhal.exe	86
PID 4916 wrote to memory of 4376	4916	Pmnbfhal.exe	86
PID 4916 wrote to memory of 4376	4916	Pmnbfhal.exe	86
PID 4376 wrote to memory of 2984	4376	Pdhkcb32.exe	87
PID 4376 wrote to memory of 2984	4376	Pdhkcb32.exe	87
PID 4376 wrote to memory of 2984	4376	Pdhkcb32.exe	87
PID 2984 wrote to memory of 4336	2984	Pmpolgoi.exe	88
PID 2984 wrote to memory of 4336	2984	Pmpolgoi.exe	88
PID 2984 wrote to memory of 4336	2984	Pmpolgoi.exe	88
PID 4336 wrote to memory of 2296	4336	Ppolhcnm.exe	89
PID 4336 wrote to memory of 2296	4336	Ppolhcnm.exe	89
PID 4336 wrote to memory of 2296	4336	Ppolhcnm.exe	89
PID 2296 wrote to memory of 3148	2296	Qdoacabq.exe	90
PID 2296 wrote to memory of 3148	2296	Qdoacabq.exe	90
PID 2296 wrote to memory of 3148	2296	Qdoacabq.exe	90
PID 3148 wrote to memory of 5016	3148	Qdaniq32.exe	91
PID 3148 wrote to memory of 5016	3148	Qdaniq32.exe	91
PID 3148 wrote to memory of 5016	3148	Qdaniq32.exe	91
PID 5016 wrote to memory of 1956	5016	Adcjop32.exe	92
PID 5016 wrote to memory of 1956	5016	Adcjop32.exe	92
PID 5016 wrote to memory of 1956	5016	Adcjop32.exe	92
PID 1956 wrote to memory of 3048	1956	Adhdjpjf.exe	93
PID 1956 wrote to memory of 3048	1956	Adhdjpjf.exe	93
PID 1956 wrote to memory of 3048	1956	Adhdjpjf.exe	93
PID 3048 wrote to memory of 2256	3048	Akdilipp.exe	94
PID 3048 wrote to memory of 2256	3048	Akdilipp.exe	94
PID 3048 wrote to memory of 2256	3048	Akdilipp.exe	94
PID 2256 wrote to memory of 2648	2256	Bhhiemoj.exe	95
PID 2256 wrote to memory of 2648	2256	Bhhiemoj.exe	95
PID 2256 wrote to memory of 2648	2256	Bhhiemoj.exe	95
PID 2648 wrote to memory of 4920	2648	Bpfkpp32.exe	96
PID 2648 wrote to memory of 4920	2648	Bpfkpp32.exe	96
PID 2648 wrote to memory of 4920	2648	Bpfkpp32.exe	96
PID 4920 wrote to memory of 1692	4920	Baegibae.exe	97
PID 4920 wrote to memory of 1692	4920	Baegibae.exe	97
PID 4920 wrote to memory of 1692	4920	Baegibae.exe	97
PID 1692 wrote to memory of 4740	1692	Bddcenpi.exe	98
PID 1692 wrote to memory of 4740	1692	Bddcenpi.exe	98
PID 1692 wrote to memory of 4740	1692	Bddcenpi.exe	98
PID 4740 wrote to memory of 4456	4740	Bhpofl32.exe	99
PID 4740 wrote to memory of 4456	4740	Bhpofl32.exe	99
PID 4740 wrote to memory of 4456	4740	Bhpofl32.exe	99
PID 4456 wrote to memory of 1812	4456	Bnlhncgi.exe	100
PID 4456 wrote to memory of 1812	4456	Bnlhncgi.exe	100
PID 4456 wrote to memory of 1812	4456	Bnlhncgi.exe	100
PID 1812 wrote to memory of 4576	1812	Bahdob32.exe	101
PID 1812 wrote to memory of 4576	1812	Bahdob32.exe	101
PID 1812 wrote to memory of 4576	1812	Bahdob32.exe	101
PID 4576 wrote to memory of 1960	4576	Bpkdjofm.exe	102

C:\Users\Admin\AppData\Local\Temp\ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe
"C:\Users\Admin\AppData\Local\Temp\ed6504177a911533041129fab8d2661e595b4cabc5e3b871e241253a03832e9e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\Opclldhj.exe
  C:\Windows\system32\Opclldhj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\Ocaebc32.exe
    C:\Windows\system32\Ocaebc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\Paeelgnj.exe
      C:\Windows\system32\Paeelgnj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 412
        54⤵
        Program crash
        
        PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4928 -ip 4928
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
896KB

MD5
0971311d49769e9fefbd090071775bb5

SHA1
5b7347da67ef738303ecd0bef96fabbb937d3411

SHA256
0d6b023c61a072710b647b1da040c1bebd1d26dba2e75c43ac881c89fcc086b8

SHA512
60a7c60cc3a19d7fa2f986e2eca5023440ac494d07ee0fe178f8f083da258791c4d63dcae2b2231baa0492d6bd4e6565afe1ec1b489db30b55f283719db12518

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
896KB

MD5
d7c34b66601d3f96349b0a601b2bd2d5

SHA1
ff8a14742d582c3cba1a9afa7b9113d23be59511

SHA256
08a6ed52554bd98036d5617922599303c4202097e43a4ce591ee220a86a71fda

SHA512
03802380953d2848d8c98aa73eef26c1838bc44a54910200ae40713e97941385ba4f007fd20c5dbc61d5b3a958bba77c78c8b7b58eca3f74c1c237f887765034

Download Submit
C:\Windows\SysWOW64\Adhdjpjf.exe

Filesize
896KB

MD5
73af9fee87f02cc5d1bd8eb436b085fd

SHA1
7ebf97b36f231cefbfec4fb997dbc0abda18df01

SHA256
402c3cb070b51a93773ae445202480a8fc3bd885410a324c2452e11e8a275352

SHA512
81f695bde3e37322870ff6a154a51708d4158df9b32ac998b685595885e1b6f563bd6f02c5d45253cb668e55e9ce7a029f6466dd044b51a27205f076153f7b6a

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
896KB

MD5
593f3f0855fbbd84fca08c1d16b5cfc3

SHA1
2aa0e043c9a61a89ce3f77e7c5dfc5566fe6af05

SHA256
99fde9e3b7464e4eb4b249716b2457858bdd66022bf2fb6be34e6777a1ee4bfb

SHA512
a55cb5b712bc6babe7d556ff469dc736344defa1cf1b2aa71fce36fac9d6204994d9f427c038277c13e14cae319560d7c68b34780c7d2379ee314bdb157a32ed

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
896KB

MD5
3d282f0abef3fec6dd61d6445b4c92db

SHA1
8754767d1f8f8a4912b7b6c456a17f2facdaa77d

SHA256
d35cb2099b65be64e51f06e582f515b660349b755607d668fa8b7488ab8bf641

SHA512
0ebe8d6129e2a1bfd8f4528c410ed0e0ab3462cd3943c1fc038a550fb9a3b545fd004f779d8a78b9f5bd396e1541bc43536d3d5401f1095670673196ff580bd7

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
896KB

MD5
77dfc314da2396de8f834050255f08c4

SHA1
35a4607c20d93c75ab8873579c0079fba88b0061

SHA256
ec1f58fe429e16cec04eca3153aab07766144c5e28ca76c6d84d3ee7faba168a

SHA512
3f67dedc1c0f68234bc25e0d0b6d7789a3ca8a25c0c5563f21dbbc349a20efe68b76c602880824d175f07875df03a6e2a4f6852def963337f16dee7daf113043

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
896KB

MD5
0e8a03398d9fba089d9114e9706f7f3a

SHA1
0c966b601ab81eb3dcd838990e33ff37bc14810a

SHA256
e05b4fd58e81774a161099b99bc5ad29ec303029eb6e452109df60c04fffe700

SHA512
2eb4057593e6ddcca545060f0eef53010d1f0ea78afc605a7ef8e23f84262fcadaaef87ecaf82da07aec87ff6685a7ccf802bcbc7f4fca494dfbc8bafeb0a77d

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
896KB

MD5
a0ed45cde23a080012aeb3d06c5a6963

SHA1
58c8f85d8d2c625485cbb45d6b8caa61c6e4ff2d

SHA256
ee9908d2d3fcaf89a0322a6c813d05220ca8e3c86be0eb2d154111f3637f704f

SHA512
35c5b6195799afa6f45bee1d2369566ca737747871e409b894c16668d67ea678115192cd0ffecc5e6f520b0759074daa6bd745339f38f044269a4e611ac5558d

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
896KB

MD5
98051edec1efd3023e53ae79409cd6df

SHA1
7cb58f282d0e491e45665ec390d634eab340a45a

SHA256
9c35ce339123cc281b5f0bdb598cf48581a8b2fde4e1ef79217e64c3ceea7ca1

SHA512
593b53c963e4b204a25cbaac1642f9e18442d9a32e432886803f029a1188e08b97b7673cf8f7204ccfcaf0901b93b0fe7f9f2e5d5df1417b9aa5db452251c4ed

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
896KB

MD5
5624f0a7d8f91ee02ac78a939c80f93a

SHA1
71e805ffca8d561e7e8f64de21d45e40b9e0b51f

SHA256
2e0ad645d1a9ddec6379359802205c9c0367f777b7d1ea3f187e9c7345ef46e1

SHA512
304a0c10a699b6f0b1791b05d3676afa50450688c04086c2f2de9a0f0ed33a9ea55f7b2be24e5a4d8a219f58df539f9e3ccca414e092bab82bd1180cb6139cd0

Download Submit
C:\Windows\SysWOW64\Bhhiemoj.exe

Filesize
896KB

MD5
93bf05b0223f5311745312f2d3b8bf59

SHA1
4b93c710792a9e7c4b2be322379a43379c63cbf5

SHA256
2f209729ec7b117acbe5c965e6a41cc0f596bfc96c02356d2a9b688707fb226e

SHA512
f166a46e6a514c74df01bcdb74ba626da27d9b00197d48d960d0c415ed3604446b30e3425848c342be81cf4a0518219346ead1d92941414215b5ca99f2c34a3e

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
896KB

MD5
fe8d7b11251a7dec9be5192d8d54d553

SHA1
4d11c617a464b94a1df4027cbc5684e221fa993d

SHA256
b151e2f4a4f570ebef329fa2cf822d45167d37811a1fe14ca392cbf0a5fb69f2

SHA512
59cf5435c21d5a67c4a322fff319d1916447541af4d031b2a945a9373782ebe2b725303e9b77a7ab5f25897d8284b46b367fd240918c04f7a7ece2cad61d8512

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
896KB

MD5
e85a9d52a419bb1e66301af107587274

SHA1
756fe29c4d4470ec1a95d35e900eecec69313b1b

SHA256
741daca33abe3f1a3c334efcc401934ad9ad89168606aa6948138a94846768a6

SHA512
cdc5a1889a4e109abf02e18dcc1f68413394eca4cc17ee389bbc8c43fffd2a7424a3b6752d4671c83fed577b7f81eb21989d01e87e2e854cd5d51a0f6feb9841

Download Submit
C:\Windows\SysWOW64\Boldhf32.exe

Filesize
896KB

MD5
0ff114eaa1a47ecf3739770e253cb4f6

SHA1
062b4b14b1a1f9e3c9543bfe45a0e204910cf979

SHA256
7c145a40a156aae856d2ba20779112fbcd74988fb28161cd9e854b89cacc914b

SHA512
15bf514ae5de989b29dd0100a456441715b7112bedc65a041fcd23607a98d784d39bd813f1b2aa77c2c7112748735fd9f41d91b76a2745a18f5f2568156cba8c

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
896KB

MD5
1c6e0368ad5a1c8e40c9d78f4a6be152

SHA1
c0e19c7cdd27995a6b64909e30f6104cd60d65f8

SHA256
78c46c6b31016784a535409940975d32203aaaf87df2a703060d5eeccf51c0d5

SHA512
0ad98bc2144e4c2f3dd4fe01d0bb7364a39fb3df4478ddd185b7571175b434d412225ed0695a8966700dd9a8080f157f12ed11c7ed00b20b3d6944e0011dabc6

Download Submit
C:\Windows\SysWOW64\Bpkdjofm.exe

Filesize
896KB

MD5
14ffe1ff634ceac515b3a5ab94dc7466

SHA1
20cb352004ab74e90b25491ba8398e956003fdd8

SHA256
511b42396834b936871cf8060b39d04681073286da275504df2ae1ea0108c352

SHA512
e8fa4dcc4294a94b8658c1579cc57e6c83bf3179463055a56b76aa584e963434cbeb40a0499390a3066d861493b5938a8ae500572845a22fe96468f552623001

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
896KB

MD5
dd1f8ec8ca2eddc9520df0d61c762561

SHA1
bd8d4900f5c2eccda516caf62bb76c606ce49e24

SHA256
e169b93c832e50cba854b8e6f84ee6d2b55b71684493537a75edb9f2c7773a1c

SHA512
bdb248663c59a8e4dbfded0a4c7d248eefc78a8d808dc2488af312d6a53d7940a8ab7fe86d0ec2cf840f723262fa1b2a69448500380878206226e1a6461c602b

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
896KB

MD5
708b5a93ffd2963150ec30814be8ac1c

SHA1
d22f1a5df679080cd3c3019c82d8dbcf20159250

SHA256
d63f8214a5b582df87b15f0fab4dd63e1fa186e860b7d93e5170db32edf205c2

SHA512
9b336c1cb51da450c1c93dfc1a0d2c5610fdcd5cd8e02f5e912db19b3b1caf4586ab4409594b4130b085569c4f540b93ba19716d39be9c5a80a8ed44448f9da4

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
896KB

MD5
3abc94e0da4250f901be13c13a5855b5

SHA1
c59b7047d920857eeca5513c45f1069b5e264c43

SHA256
3d00166adc892fa81dd6daf708c40c1947a64394964e38b021d44a9cba989d55

SHA512
c27fd381dfff0485bbba69e6d1165d7989ccab658be7516372b31b609f04e983c5bfd02703313f5d8e4c58e691b03a08334ed456bc307fb348713965f4f43bc5

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
896KB

MD5
a31f3f398314b8324c114e1c0b8d6f6b

SHA1
eb20617c6c299588f4f408f3b2b0367d760d5935

SHA256
46db0eba3361f52c77fcb00cbdb3634151cda6d5495e47e1be4537a739d6e807

SHA512
7ae4a63fd3a70c31827541b71fdec385ad760fc07c614dd77fc212cff41e271fdfcfbec999dabf70e21ae64f0e567361f978c210b67312faee6a63bf43a8bca2

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
896KB

MD5
fbe032b73395755eedc9578f579685be

SHA1
fa3afb2fa0774a82236d1b90654b73ef03d75e91

SHA256
5e134838b75378925183dcf3de2b276c2ffb93bf2aff01360fa0f605de966f64

SHA512
02f9cb2b6f30bc38341f87a8b109729d6905e6cdd364287a2811d19ab71046991f2d154c9611220c5cb428ad824d1417ff5fa1237df56a42b7065f9c26cf76b7

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
896KB

MD5
3528c968ef60a902e7b5505214a35eb5

SHA1
dc4bbbb7d6459a57fb2d240c7051ae3c967ce074

SHA256
ed3391b3badd27e30898ff5f7dee842a1c0a9a93e3f876117c915650d853155c

SHA512
286fac6c254806a12faaaea1abe4c9dee70c187b074561a2134f85c4eed973c6cb50b62f8f09c642290b2dff0561eeb8c873e98e1a925e9bfc8973773e2d0303

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
896KB

MD5
2aeac35a1944b94b44d15931367400a0

SHA1
dd01f977c443c6f660435bdb49131642e13f9a29

SHA256
04b7d40a2dcd02c8ba69b4283618d370ba9094cdf014dfd8e583c0317a5e3a28

SHA512
24bfd9af93748f4a284a031c8286779759242c8e0803eff26b802deceaaea2e71405943c69992b40f6c65b93e799fb68e1c04af22a2f6cd749925ed0c0055c22

Download Submit
C:\Windows\SysWOW64\Kfcfimfi.dll

Filesize
7KB

MD5
97f15e44430553986dd767d522e5e996

SHA1
19dd4d4702cc0288c8c9246582f2066babfca340

SHA256
7daf4f5099786048dbd092f1eda5e22e3e639b570193fc6639cc3573f952eef6

SHA512
de91918a1aedbb26681c4db762304361bb3ba3206bdaa11b04a250dc78e76feb3c270262406094e8ec90b6f1bd707828f29c925d44700823eb7c15fe1929ac96

Download Submit
C:\Windows\SysWOW64\Ocaebc32.exe

Filesize
896KB

MD5
3af7956d1b8d71d9fb8c39d4acca548b

SHA1
b2f84afeb961deba9063110de74c0ff041c37dde

SHA256
1616f9996f220f6655f43fa0d18b86445b0f6ecb2592720f730d2791ebdeba24

SHA512
462e3d7870df60e121372c288e5606e92fa4bbb6620fd3360911510502c8293ceeb8f516f47225234cd91e87cdcf3944b5f9d7b61668ad7db5fa88abdf86003a

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
896KB

MD5
a86359f1bb522f3d3d536b650ab0d63e

SHA1
86c188cdc44dea97434da4565874950f794f719a

SHA256
ffbdeb3119c0dd3dd862a1d7a8b497b0380e3a0c9972fc5dfee8bf9af501df11

SHA512
5689842f8adfa51e9c5e5d4179f6550d7c225e51fe4968bfc574c6a4f43a66f239f96f555a310a55c9e543296491d18cc8b39de8fbc11e0282d163652894fea8

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
896KB

MD5
f7515d0ba97f28da70cf5d28e9a98914

SHA1
a7779dbac6716b4e58c47c80707b304a73adba96

SHA256
23447842e99dffced15e6b218e59199092003044ce18665275286dcf26c70d5b

SHA512
de7d1e6b4ef2a1e9f897aae4dbf7168b42cc85cb3f92b5b142d2680122b78a5e927eb1f4965bb7578ef2ac301292cdaaad0a393ae946358760ae19840f81146b

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
896KB

MD5
61bdff73d68e288c07882256808768e9

SHA1
188f9cb59a7e36ae2bfd91d40f97a8e175d5c2d7

SHA256
5c4633b18a957c646da5546927dd6b0ea910656e8d9be7c0b6de761c68d58a58

SHA512
1d2165fb70697cd25e9734d26bfb1135b51fb910606ccdc8f8fee15bf50e1498a71a6ba54f95d298c9be96c1d58d8a19bf0d9499426a7aea7bcc46695739d743

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
896KB

MD5
2d3d37d2907c8f32a1f7a51930f9cfd7

SHA1
3ca64200cac26e461d88ccff95dfc7983114fc65

SHA256
e9e15f41b451b86314d9c29c339bb503e3d134714d4c030fdd17ee18083e6119

SHA512
3f846d1a629111935509225c283e5410ff43599d29e3ab21c136c10507eaf1dcb1889221bdeb35b845674a4fa8338637dca82a2f4ab5dc5607c1d20d8848acda

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
896KB

MD5
f8c3ad80e96c772c3bf6e671fc7f1294

SHA1
83d5d878f548e9f7f87acfdd98b5769a2ae28acf

SHA256
9abe3d02846edf5b39055466724b559eb0327e5f0592f63ccaae4fc0379d7fb8

SHA512
6a3c3a3d426d52ffc460f7dc833ac07da78d6b3ca8bd9824a6f09133a70c3cbdc7f60cc6cdb1e96cf33bd52891511c3b9307e995574111adc12275c791c48ae3

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
896KB

MD5
fbefa35f6c8154fdad11321033fdfd1c

SHA1
de7b6cc220e7e3be8737030fad648cb3cfe12187

SHA256
bd675adb25231124f7dff44a36cb0d41b5aa8c3fe6baabfbdce8a0df12d67958

SHA512
6b8c8b43aff9590914e220a06db4e20b1252ed429710672bdcf07570c51e4c4a8888853428686122038e3e46d881ab4d2fde4aaa0b7537accdbc3970fb165a4d

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
896KB

MD5
3c5ff099264dd6a44ffb259e96e372ce

SHA1
8d59cd64ec267b3b9eabe5de1e4377df9b1e594d

SHA256
6f6d78acd285cce69a8259a531ae58e91880664224eabc1bba0fb54c70840c1c

SHA512
0537747c827f3c698b9c598a37e713c9680b1297bbbd0c8015d38a2c176001e8e1ede5a132f4bd8e8fde0c95574a5b06f6d9b85dc59efe1be89a56f4063960f1

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
896KB

MD5
0d14ba81c51c59475730b8d26a68d13f

SHA1
fd20ee09baf4ef51ec301a89d64440b4ad538de0

SHA256
966b6ecca5c0d92d2102cfadd517282da73f1042fd6f4209b6d50f34d00fb484

SHA512
d79b391f07cd702c59d2dba9bf48f7785f9fa87dd397f7a9b33b2dda8e6364ad6e644e92d3707058d389184679eda044e31c18c297e3fff764aaa8c868f142e4

Download Submit
memory/632-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads