berbew | 874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cf

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe
Size

790KB
MD5

fb94f29c97402e40e3e5385f33284eb0
SHA1

7e93eca8f5e17a0daf1fe89437c864580d29a8f1
SHA256

874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cf
SHA512

d05341f61801a201e5c56dddefcb82ff7f7b20ac51c702f50c15a4ce2b44fb51418eed898bc53859259641f08dc1b20c92330c901eff444e2cb80888fecc77e8
SSDEEP

12288:c3oRAFB24lwR4P87g7/VycgE81lgxaa79y:FgPqoIlg17o

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkjphcff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neiaeiii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjcomcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odchbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mobfgdcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngealejo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjnhaco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeindm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkjphcff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oeindm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciihklpj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 58 IoCs

pid	Process
1860	Ldbofgme.exe
804	Lklgbadb.exe
2720	Lnjcomcf.exe
2732	Mobfgdcl.exe
2892	Mgjnhaco.exe
1908	Mcckcbgp.exe
2172	Ngealejo.exe
1916	Nplimbka.exe
2644	Neiaeiii.exe
2024	Nfoghakb.exe
2012	Odchbe32.exe
2664	Objaha32.exe
2132	Oeindm32.exe
1588	Pkjphcff.exe
2828	Pbagipfi.exe
1584	Pljlbf32.exe
1912	Qppkfhlc.exe
924	Qcogbdkg.exe
1796	Qgjccb32.exe
2372	Qiioon32.exe
2924	Qcachc32.exe
2456	Qeppdo32.exe
2656	Qnghel32.exe
2140	Accqnc32.exe
2064	Agolnbok.exe
1572	Ahpifj32.exe
2188	Aojabdlf.exe
2776	Aaimopli.exe
568	Achjibcl.exe
2740	Alqnah32.exe
2772	Aoojnc32.exe
2076	Aficjnpm.exe
2588	Aoagccfn.exe
1372	Bkhhhd32.exe
2036	Bdqlajbb.exe
1348	Bccmmf32.exe
2268	Bjmeiq32.exe
2252	Bmlael32.exe
2944	Bdcifi32.exe
1300	Bfdenafn.exe
600	Bqijljfd.exe
2192	Bbmcibjp.exe
1800	Cbppnbhm.exe
2248	Ciihklpj.exe
2344	Ckhdggom.exe
1524	Cnfqccna.exe
3036	Cfmhdpnc.exe
2660	Cgoelh32.exe
2680	Cbdiia32.exe
940	Cgaaah32.exe
876	Cjonncab.exe
2700	Cbffoabe.exe
1964	Cchbgi32.exe
1948	Clojhf32.exe
2020	Cnmfdb32.exe
2840	Djdgic32.exe
1968	Dmbcen32.exe
2848	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2316	874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe
2316	874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe
1860	Ldbofgme.exe
1860	Ldbofgme.exe
804	Lklgbadb.exe
804	Lklgbadb.exe
2720	Lnjcomcf.exe
2720	Lnjcomcf.exe
2732	Mobfgdcl.exe
2732	Mobfgdcl.exe
2892	Mgjnhaco.exe
2892	Mgjnhaco.exe
1908	Mcckcbgp.exe
1908	Mcckcbgp.exe
2172	Ngealejo.exe
2172	Ngealejo.exe
1916	Nplimbka.exe
1916	Nplimbka.exe
2644	Neiaeiii.exe
2644	Neiaeiii.exe
2024	Nfoghakb.exe
2024	Nfoghakb.exe
2012	Odchbe32.exe
2012	Odchbe32.exe
2664	Objaha32.exe
2664	Objaha32.exe
2132	Oeindm32.exe
2132	Oeindm32.exe
1588	Pkjphcff.exe
1588	Pkjphcff.exe
2828	Pbagipfi.exe
2828	Pbagipfi.exe
1584	Pljlbf32.exe
1584	Pljlbf32.exe
1912	Qppkfhlc.exe
1912	Qppkfhlc.exe
924	Qcogbdkg.exe
924	Qcogbdkg.exe
1796	Qgjccb32.exe
1796	Qgjccb32.exe
2372	Qiioon32.exe
2372	Qiioon32.exe
2924	Qcachc32.exe
2924	Qcachc32.exe
2456	Qeppdo32.exe
2456	Qeppdo32.exe
2656	Qnghel32.exe
2656	Qnghel32.exe
2140	Accqnc32.exe
2140	Accqnc32.exe
2064	Agolnbok.exe
2064	Agolnbok.exe
1572	Ahpifj32.exe
1572	Ahpifj32.exe
2188	Aojabdlf.exe
2188	Aojabdlf.exe
2776	Aaimopli.exe
2776	Aaimopli.exe
568	Achjibcl.exe
568	Achjibcl.exe
2740	Alqnah32.exe
2740	Alqnah32.exe
2772	Aoojnc32.exe
2772	Aoojnc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oeindm32.exe	Objaha32.exe
File opened for modification	C:\Windows\SysWOW64\Pkjphcff.exe	Oeindm32.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qcachc32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Lklgbadb.exe	Ldbofgme.exe
File created	C:\Windows\SysWOW64\Ngealejo.exe	Mcckcbgp.exe
File created	C:\Windows\SysWOW64\Oomgdcce.dll	Nfoghakb.exe
File created	C:\Windows\SysWOW64\Agolnbok.exe	Accqnc32.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Agolnbok.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Lklgbadb.exe	Ldbofgme.exe
File created	C:\Windows\SysWOW64\Nplimbka.exe	Ngealejo.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Neiaeiii.exe	Nplimbka.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Mgjnhaco.exe	Mobfgdcl.exe
File opened for modification	C:\Windows\SysWOW64\Nfoghakb.exe	Neiaeiii.exe
File created	C:\Windows\SysWOW64\Qiioon32.exe	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Qnghel32.exe	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Aojabdlf.exe	Ahpifj32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Eddmlhaq.dll	874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe
File created	C:\Windows\SysWOW64\Olpecfkn.dll	Qcogbdkg.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Qcogbdkg.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Kjfkcopd.dll	Pkjphcff.exe
File created	C:\Windows\SysWOW64\Kbdjfk32.dll	Pljlbf32.exe
File created	C:\Windows\SysWOW64\Hcopgk32.dll	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Aoojnc32.exe	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Mobfgdcl.exe	Lnjcomcf.exe
File created	C:\Windows\SysWOW64\Mcckcbgp.exe	Mgjnhaco.exe
File opened for modification	C:\Windows\SysWOW64\Qeppdo32.exe	Qcachc32.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Edggmg32.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcckcbgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjnhaco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mobfgdcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odchbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbofgme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkjphcff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngealejo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neiaeiii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklgbadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnjcomcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplimbka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pljlbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbagipfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeindm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfoghakb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjcomcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll"	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qiioon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkid32.dll"	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfkcopd.dll"	Pkjphcff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdecggq.dll"	Neiaeiii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oeindm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qppkfhlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfoghakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklgbadb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkjphcff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklgbadb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdph32.dll"	Ldbofgme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoojnc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1860	2316	874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe	31
PID 2316 wrote to memory of 1860	2316	874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe	31
PID 2316 wrote to memory of 1860	2316	874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe	31
PID 2316 wrote to memory of 1860	2316	874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe	31
PID 1860 wrote to memory of 804	1860	Ldbofgme.exe	32
PID 1860 wrote to memory of 804	1860	Ldbofgme.exe	32
PID 1860 wrote to memory of 804	1860	Ldbofgme.exe	32
PID 1860 wrote to memory of 804	1860	Ldbofgme.exe	32
PID 804 wrote to memory of 2720	804	Lklgbadb.exe	33
PID 804 wrote to memory of 2720	804	Lklgbadb.exe	33
PID 804 wrote to memory of 2720	804	Lklgbadb.exe	33
PID 804 wrote to memory of 2720	804	Lklgbadb.exe	33
PID 2720 wrote to memory of 2732	2720	Lnjcomcf.exe	34
PID 2720 wrote to memory of 2732	2720	Lnjcomcf.exe	34
PID 2720 wrote to memory of 2732	2720	Lnjcomcf.exe	34
PID 2720 wrote to memory of 2732	2720	Lnjcomcf.exe	34
PID 2732 wrote to memory of 2892	2732	Mobfgdcl.exe	35
PID 2732 wrote to memory of 2892	2732	Mobfgdcl.exe	35
PID 2732 wrote to memory of 2892	2732	Mobfgdcl.exe	35
PID 2732 wrote to memory of 2892	2732	Mobfgdcl.exe	35
PID 2892 wrote to memory of 1908	2892	Mgjnhaco.exe	36
PID 2892 wrote to memory of 1908	2892	Mgjnhaco.exe	36
PID 2892 wrote to memory of 1908	2892	Mgjnhaco.exe	36
PID 2892 wrote to memory of 1908	2892	Mgjnhaco.exe	36
PID 1908 wrote to memory of 2172	1908	Mcckcbgp.exe	37
PID 1908 wrote to memory of 2172	1908	Mcckcbgp.exe	37
PID 1908 wrote to memory of 2172	1908	Mcckcbgp.exe	37
PID 1908 wrote to memory of 2172	1908	Mcckcbgp.exe	37
PID 2172 wrote to memory of 1916	2172	Ngealejo.exe	38
PID 2172 wrote to memory of 1916	2172	Ngealejo.exe	38
PID 2172 wrote to memory of 1916	2172	Ngealejo.exe	38
PID 2172 wrote to memory of 1916	2172	Ngealejo.exe	38
PID 1916 wrote to memory of 2644	1916	Nplimbka.exe	39
PID 1916 wrote to memory of 2644	1916	Nplimbka.exe	39
PID 1916 wrote to memory of 2644	1916	Nplimbka.exe	39
PID 1916 wrote to memory of 2644	1916	Nplimbka.exe	39
PID 2644 wrote to memory of 2024	2644	Neiaeiii.exe	40
PID 2644 wrote to memory of 2024	2644	Neiaeiii.exe	40
PID 2644 wrote to memory of 2024	2644	Neiaeiii.exe	40
PID 2644 wrote to memory of 2024	2644	Neiaeiii.exe	40
PID 2024 wrote to memory of 2012	2024	Nfoghakb.exe	41
PID 2024 wrote to memory of 2012	2024	Nfoghakb.exe	41
PID 2024 wrote to memory of 2012	2024	Nfoghakb.exe	41
PID 2024 wrote to memory of 2012	2024	Nfoghakb.exe	41
PID 2012 wrote to memory of 2664	2012	Odchbe32.exe	42
PID 2012 wrote to memory of 2664	2012	Odchbe32.exe	42
PID 2012 wrote to memory of 2664	2012	Odchbe32.exe	42
PID 2012 wrote to memory of 2664	2012	Odchbe32.exe	42
PID 2664 wrote to memory of 2132	2664	Objaha32.exe	43
PID 2664 wrote to memory of 2132	2664	Objaha32.exe	43
PID 2664 wrote to memory of 2132	2664	Objaha32.exe	43
PID 2664 wrote to memory of 2132	2664	Objaha32.exe	43
PID 2132 wrote to memory of 1588	2132	Oeindm32.exe	44
PID 2132 wrote to memory of 1588	2132	Oeindm32.exe	44
PID 2132 wrote to memory of 1588	2132	Oeindm32.exe	44
PID 2132 wrote to memory of 1588	2132	Oeindm32.exe	44
PID 1588 wrote to memory of 2828	1588	Pkjphcff.exe	45
PID 1588 wrote to memory of 2828	1588	Pkjphcff.exe	45
PID 1588 wrote to memory of 2828	1588	Pkjphcff.exe	45
PID 1588 wrote to memory of 2828	1588	Pkjphcff.exe	45
PID 2828 wrote to memory of 1584	2828	Pbagipfi.exe	46
PID 2828 wrote to memory of 1584	2828	Pbagipfi.exe	46
PID 2828 wrote to memory of 1584	2828	Pbagipfi.exe	46
PID 2828 wrote to memory of 1584	2828	Pbagipfi.exe	46

C:\Users\Admin\AppData\Local\Temp\874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe
"C:\Users\Admin\AppData\Local\Temp\874a379e895947d681e212b23747118ebf61419bb650b712f55db7a9f2b8a9cfN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\Ldbofgme.exe
  C:\Windows\system32\Ldbofgme.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\Lklgbadb.exe
    C:\Windows\system32\Lklgbadb.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\SysWOW64\Lnjcomcf.exe
      C:\Windows\system32\Lnjcomcf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Mobfgdcl.exe
        
        C:\Windows\system32\Mobfgdcl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\Mgjnhaco.exe
        
        C:\Windows\system32\Mgjnhaco.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Mcckcbgp.exe
        
        C:\Windows\system32\Mcckcbgp.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ngealejo.exe
        
        C:\Windows\system32\Ngealejo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Nplimbka.exe
        
        C:\Windows\system32\Nplimbka.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Neiaeiii.exe
        
        C:\Windows\system32\Neiaeiii.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Nfoghakb.exe
        
        C:\Windows\system32\Nfoghakb.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Odchbe32.exe
        
        C:\Windows\system32\Odchbe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Objaha32.exe
        
        C:\Windows\system32\Objaha32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Oeindm32.exe
        
        C:\Windows\system32\Oeindm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Pkjphcff.exe
        
        C:\Windows\system32\Pkjphcff.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Pbagipfi.exe
        
        C:\Windows\system32\Pbagipfi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Pljlbf32.exe
        
        C:\Windows\system32\Pljlbf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
790KB

MD5
d0ab7539a2cb6921e94a0229fbbeba89

SHA1
b79e30c0e014eb343ae826f2587517eca501da3b

SHA256
2eeae8f0d0a2799cbbe21b0108ffb8d39dbf2a929e40a9e37ad722fbcee620c8

SHA512
41d922b5de8b7adb3ab87ac200919b69bf37a9579f8da4a52170baad304a728e4609f0b91b6595855e58d25672f227d4d60b696bbd11f2cf62f740781e1a3631

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
790KB

MD5
468b6564b4a6664c2f7180cd67dd218c

SHA1
8824813cc8733506c3b10c3fd96dbc03db59d1ba

SHA256
304c919e7c5b69982d17f32a08553e66b370180b991174675a34dc7ccc95634d

SHA512
986213244cb15ad13235166ff522b3f6ea6d3cf0c83a81cf9c6d9f070bdbf63f46f2e55089f1759e58dde28e6741ad02d49d33201cb00932e39b876decb16dab

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
790KB

MD5
3aaa9d4b63b3f72c2c78226254e44971

SHA1
ee70d0edea19a226883a3f83ff83184df521e5c2

SHA256
b673d93fb3d9244ca9a00a032ae5b8883140d24cbfeed8a94d1ac6b11876dd5f

SHA512
35804db43d00ad0433b1ad11bf056e532e517578f2e89294f79e49c2a192b2edc46dbd4df5931cf72398b253ca8b26d450c11a06e59534efbb57595b51ff96cb

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
790KB

MD5
f1ba1777dffcf0b93b8de5506ec05f54

SHA1
a255903546647f13cc5359027a37e688beb952cb

SHA256
49c9563a085195609d37d478bc7ffc963c1fe80e0cd4ef248644cfbb2000d1a6

SHA512
b0f3e956347818122974423fcaad6c6dd6a9dcf97dec3597e9869eec5572bb9839e609f6ae7442da79f58e2769b1f527486c5e29504a7180282d5d32cb7e170d

Download Submit
C:\Windows\SysWOW64\Agolnbok.exe

Filesize
790KB

MD5
55f4d616c1042835751670bb47b8af86

SHA1
7ee1d5efdeb4fbb0eb4da02aaa95c7a2df8a1d26

SHA256
a0fe7c3c5967e2c5a29e3a6fa84a39ffc447a6f583f0af8e063ce974ababdc1c

SHA512
9783a99b1534a17ae517256a2d3f8e9bda636b7c3a6af0abb04ea3f89257cffc310dd3ccb5ade3376e74161a49eb8496360b93f3f28c34e1f1c7e07e05d92a89

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
790KB

MD5
0a18ee60081bd3173422228f7c6c9df5

SHA1
4cf3e2dbd09c97eb8718382e7f6dde894cf6a1a8

SHA256
d23bec2f5019c17bd8465cad311106a5dabf65418be6a5c349bd2617199f4da1

SHA512
65d6d61751e7e4dcc7a2d0895a649b7c209a3ccc8e23ee7fc68c5bb50f74767877c2d57bb7616b00d794eff8a1020af0e44762879288cab7d7f49fd571056319

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
790KB

MD5
0761e8d9a8ae5a3ff14d68191232f695

SHA1
ac2eebc3280924ef22ab0cb47c9d93206873b8f0

SHA256
d7f96a8374f4ce19f78062e9ea54af7feb1a8ec1a5a2f3877de9c738cdc8a6eb

SHA512
5ee79be75b1722e54e499804d817730fc8c7293f88e74d922c96072da18a553e9d1e919fcbfbf03da2952e0baeddfdbfd2033bae626899a27cbdebb92c585fc7

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
790KB

MD5
3af192bcd77d0d3376a418732a5c6b23

SHA1
ada7c118f6a38c6e4458f07cbbcc46fe3a65e126

SHA256
acdf42688e0f3b109d0ca33a406d58d779c87a7d32e138e80519183b5ae5e858

SHA512
87ab3cb3ff1177e474395346633bb64111c7e2df62f807cf19f80fda34307750134deb5048537b8224aa182e60121d2b25698ffd997d158c10f0898e05c59992

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
790KB

MD5
ec88c265eda0d1abb2cd5c2752290c82

SHA1
f7e3719dc086cded21d7c0cf1ce760090738d5c9

SHA256
ad8e0e291b2771f6bc5315d2cd63b91df2866c142acc8f436ce0b9102489bfda

SHA512
3569a48c18b660b214618a4d4e86b160fc06aa334ae5d52591c14ebca9929c3f70276dfcefb778ad8a3cd9e2404d7b6df566b146a4a10e6bfedd4b40710ac3da

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
790KB

MD5
7228d899bf000fc0ae5344f8b283ad30

SHA1
7b3e233119a3757844ca0721fa1e1bed52928310

SHA256
8359cbd7d5fd03b2c9af209b5ff338dea31c8bce3670fc66fdd90f7bda18ae78

SHA512
9c1436330a083ee9745a671a5e81b1009f20c99cb4ff7a6ed97bb0c6808ea4461850905771b27382a00f371b291489e84ee386c725da15297a293c9140efce20

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
790KB

MD5
1ea76b7397a68c4f5d684c1c51a9e903

SHA1
b5d059d3b3735043a67c31a9e342b8d9b1b7af2e

SHA256
1dc62785080f5b94be0175c5ed0fce2c2c68e8b9f29e5cc85a906c9bab27a500

SHA512
d47d1c181dfb7def9747d65c1e0bf84aefd0f96c51c6c1f8c2bd00b070e2f98dca38a0b34e28e7f373d1f7a7b0ac30518788498a6f4a00b965800fd67abdcad5

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
790KB

MD5
000f15783c4e7d0cb9e3d9a9c4d48664

SHA1
13c7b2b9b25a10baed04b85a4cce6e95b4ebb067

SHA256
19a44765039f59dd69eb129bfe2fdb0da8198c3459b3266559a42662ac5bef18

SHA512
0823284eb3fb371ddda6ce8747c865f6afcf6c3ef0648618362794389c446dec5f733fc6e6697c89bb2bbdfe67e63505831a3f38c410e68218ea323867d3671a

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
790KB

MD5
b9e64081752af4aa923ee4e6e8f3b204

SHA1
8c4752889c60dd34dff1bb475fef39e4a8239b0c

SHA256
88db6686ac6bd2de67d5bef6d22a0541d5159ba1a4ba6d4be63007e9945577ad

SHA512
fa4632d0caa9ae9efb155ff8c66d36849e3e392537a68b2acc27e93680718eb2805b92e8064861e8df44bd30d5418cff9f22b222d328bf97503db1590f7c69f1

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
790KB

MD5
c26b6f8820d39a9d221193ddd54a89c1

SHA1
3908a1049835d9e40bc1a6192ef8fab38e932765

SHA256
a9fb68487a02bf46b4a6dfdc1133c04ed3c3b33d6488c4e0891dd1854bc4de2f

SHA512
6cb98dcf1182ea2868ebb99846b906f07b50da52b88bca25159fceba07f7a5dc80cd2684d44206083879f9fcab2a5ecdc7ee862d25fe5b16a4ae220bb7c37f3e

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
790KB

MD5
b49148465518f55b2d97ab18e740d034

SHA1
e8402617cf8a5e81b05409c14be3589b8c89b80e

SHA256
9cba90c25433a94e3995f000efeb4d668e2e6dbfc418f27ad4a2be3778fdd432

SHA512
76cbfcf60fa09c27fe45ca099fb36887c66e07fc0a7b4aef538113cd097cb5e0b9e54d91b18c16525f6cc057c896a4cbcbf764da2cdc1f6df56569f836075baa

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
790KB

MD5
6abe850b91d07b3ae870315a6cced377

SHA1
d7c424039e9119510fb2a855cb99e6df6b93ca48

SHA256
70d3752ae72852a072f15431b6cc1476e8eecf59960514da07ff8d08dcc605dd

SHA512
da0d61a33d69c921ad3af942d1be3cfe344e6eacf8e40b176e12ec860c000d48a5628bdb8050ef02572baf3baac4cde75ad3df17e149e04a863f1f8d523f8d4a

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
790KB

MD5
84f255833a794e4e175ab48ff3202a10

SHA1
46ed3a7337116c9d3cc50a6c2b7b43097370058a

SHA256
57e7ed31c3d91880c9c62f2147a509250c1b1ac0dd9718be12bedf8ba7401afa

SHA512
af9ee1912eac73c906701bc6a9946d7f1e28d2a612424e0b678d02a3ac74fd9a87fc6fc0c89f3800fe53214cb3e5590b0bcc2ce29f713fd08167c688162891bc

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
790KB

MD5
75a6785e56884fbcb1ca4c0e9cc2b9d1

SHA1
fac0a78aaa29d497571d73dcd99368c69d5116ba

SHA256
a6998fe3d29884ca9e95b3220069d0d33b5c1f5b486541526e1714313707aa5a

SHA512
cd75c782aa573306364f5bd9f86f1f940b55a00b97fd31595ed54d5bba53a00108b1352aae76f182e3f5af129ad92c6d9ba941d2be9909e4ac3229567106c0fc

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
790KB

MD5
33936dfc97ce224790126a17a569dfa1

SHA1
eead68d9484cbfa7bfa80657cbcc2ca664ecbfb1

SHA256
cf3def451921ec4d170f078f8ef86b5dd5fa4238046d6e697014b44eaffb223d

SHA512
1b1c7fe6ec9bc65376b01952d26c8dc0ccee452c03eccc77bb2a090261c5b8375a031d99d7856fe3a66813fa2b61f40a573d42e0f124309bd5e20ba868cc31f2

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
790KB

MD5
da873e9876b7e0ac50d551a3d83774d0

SHA1
45963a9a9d9e775e5d662b9e620ac5354eb04c1c

SHA256
a29757bd67838248091340aef112afb6f922da200a8b9ca039abc9aecdc70edf

SHA512
b1fe32d2778eb946c0d979a7f8b902cf2466130bebcacd8f09414fced23285a75557979f9248dea7a89d008c7bbe2c00c71b63cbfd352c543585ec5121267ec4

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
790KB

MD5
6c83060d089a67293d76b518f2ac363a

SHA1
6a1ccdb1e76b52e5a721dcf60a87d0aaba616f56

SHA256
3a150cf36eea5fea11eec53122efb7465e0f1640f0322defa4ac393422dc9f6e

SHA512
694a30d0f02fa7b256aab8724953b6617a5cd3f8cecc156408bcab7586e2378744f607d17eb122edeeca3aeb2d4edd8e4a15126ea44e25805e35bd45c239f5a8

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
790KB

MD5
ced30ebaee625402ed016570c8645efe

SHA1
f6b2446a4d771d7a48fa2a31ccef7728aa9f523d

SHA256
6b0fd80994e0abadf4a7efc13aa38c66c20997d25f8f0face72ccd622d0a7b9a

SHA512
1a2731f261a6db6434fb463065c4a5cb594a0cfa90f74a7ced70f933123efff6daaee9874341705e79e2cbf359bb4f2f4b2ac9684b3e007c0377138bd3e70a12

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
790KB

MD5
25f48c0259a4dc6fe76c3529e263d597

SHA1
71d4827300141bc10da5296ac0bad51e7eaea064

SHA256
b77535bbb5c70430e8b62063fe847dee9e266214598267dd959ce475e9c394f0

SHA512
2ed1b2978c3dc8e8ab63da1a91485d65f6fface5f57ddc1ee7238d5d6c3a517ce7493e0e4c31d5d026d485847b6db6f171afd2bbb30e8b610ec3ca8b9095ee82

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
790KB

MD5
eccf9e3f7aaeccadf3f60804942d148a

SHA1
adf778fa14ac52e9c247cc6299c5bcb550eaeaff

SHA256
5eaf6447f6f8845eaa873a28a07ac956a0a78cc44691c49cf47278418ba8db5c

SHA512
9fdfef6bb422975565586d57e87b793d614dda80c89aa940b04148e02452ed2faa602af5429fccff06bf48aa80dad28eeb80afe6cae01e0022a4220cd60ad171

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
790KB

MD5
4106d5735c67b1834d13e8c94dc860ee

SHA1
a3522d2a848e470ea3cd9aa8171a1d713df04ed3

SHA256
b8aa7f044d1866afa53ac8d4221426acb2ef4e9c8ff388ed9de6850355cb775d

SHA512
e579d459c309db407c756e314b6b1b35c03068476bc1ef51ffc2bd171f7453d33c94873a0281de78ea770754b96d6641a8fd4c35fae0e969f97a6aec522ba1bc

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
790KB

MD5
308093b75e65646f29bca39099c5e3f8

SHA1
a016f46659b48214a609fb22db42fd3fba2f402e

SHA256
b1c77395e427271259b5394ca6e35093a371cfe3beb07da906fa32941ac54c42

SHA512
dd7d520494d36dacfd2ca40d8476d8113e381fdf197a6c082836294a087cfbef2e1bb5a79ce1a6ed7f34bd579aca7f9be10e77a4bfecc1787233599b58aa0af9

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
790KB

MD5
46c04f949dea7e50dd7076cc57c8f75a

SHA1
e07a1ee9529214ec62234b605fd67afed2eecdf1

SHA256
6b4387f10681da55a33a145f3c3441bf1f0fefd7b13e6dbc0821a4c74dccfa92

SHA512
1d6e4c5c6b3752c6db28b411b10ee8e7f23e2b6b9cebcf6361874adf5b9dce4d5f3933ba9c09e089f2b43789cbaa1373bb796e7f20614bd564e9b64c676dee0c

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
790KB

MD5
3e5719d42c379efb5866f8539fde14d4

SHA1
4c8fe43a14b49029b0c0ae345ca20726cf8cf1b2

SHA256
06fa57b9c437b86cdfc3cb94b8b060063f375dc58e58a2d29b8d42b1361ec898

SHA512
48c7e4b9e7fa4ef50d3e54a945896ba3b1ec7385baf80febaf71e5e2c43626a29be44f55e6419acdd31eb1033b4e52534ae6bf223fdbea2c02102812248ac428

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
790KB

MD5
964af53d09127cfd1a3e11cd31a00463

SHA1
85da462a122242f4c09ee7addbcb4794848972e5

SHA256
59b6a205f6d4ccbf12684cb6f274c47703bf93305ce2bbba52505a40f5caf76e

SHA512
6435c94932cc9b778acfdad8e6e74880d81f033d2908d7d6e2c9a17f8faab07b4f813e443680e8c6d213f32fb633501c395b4d813ec3ed203524da67f9b57130

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
790KB

MD5
0cb061a21673f625ff7fda0eb2ea7d0f

SHA1
11598cf52d6494a8a053062e9137c6791a731e0c

SHA256
15ca32ef4805b426900ef0b2400b582355ed10f674dc421b83567645d5137479

SHA512
4f559c68c85384d7a579407038b7df8d36eda42a5b7e96c7032697cae7e4a71146912f0c640a77afb83440d36288d1466b417019e2e5714e2b8d443ac2e8d7ea

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
790KB

MD5
ebed3a00a6f8be34b91a51268625c5ee

SHA1
4bd44003a499532ca6f5641809bb7d73a7475ee8

SHA256
c41a0ab601dd521806dac91e5b3d91b6d9c1fb8b0eef9622dd7d86e008b99553

SHA512
3fd676bf78eb2d967d9ec835783de79c39cd94f38e809db2aee1cee2104d66552c5942d3aef01d35c7c55069add27b6aaec0606d9e221baa2a5b408aa037c4e3

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
790KB

MD5
e899fa4429db6f57fda9a782a43f2256

SHA1
9ac86ba781ed4dc6e0eded4b3a030689267df071

SHA256
b70e0d287e98f7430ed0b541190aa74cb5d167c7fef242f941d9185d1e4a96b9

SHA512
9c661874e43d9034976aab9a543cd4bd660bc67d0dc8e9bd4117487d2b6f0ccbc33cae87b497785ef041ab2097342841f738d6de4d0ace2af59cfd1196649dae

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
790KB

MD5
7605e5246a629f5fd481bcb7786336db

SHA1
6d78afe555cbe3e23e191146c870bfbbe370dd02

SHA256
bf62d9868e675e1c894501de2cb20f2aac6864a911b78f7bfc5eaab998c336c7

SHA512
66e0fad4aaf2b20833912d4eaf7584597b45d974749cea1e9828f7cae2f9a096c49a9be4433fad36ca6297562589cd1230aeb20eb47f6ab14fbec5aafd2e10e9

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
790KB

MD5
bc6962a6e922d077c9868ee700df5551

SHA1
6be531b52ec206f70e58d036350e89c20bcaadd1

SHA256
f3bc80976828d644bf5928cf936f175d45d9456a93c645ee86299cc078cc6d3a

SHA512
13620ccb9a2e599d7d3420cd712aae1477833f17dafa6c1a33a9c7979e1a694648bfe85f2a925f3189886b852b3cf2c2db2cab850227102459086c096740bc1d

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
790KB

MD5
9bb81d98e6e988181bb099d74d6533a1

SHA1
e367861cd75ae3babd395f6938f9541f1ff524f1

SHA256
a7cc4e94ebea68def6fc421aa39f0a879ef627197a727dee19aa9539aa67e70c

SHA512
cc1b891475f03f938d1c2f4fc451ffd6a465d4de8afb07964eef6beb14755296c8e35fe9d74f6e1bd2909656fbf27f4939dcd97ffd1b9d2091961b824575918b

Download Submit
C:\Windows\SysWOW64\Hcelfiph.dll

Filesize
7KB

MD5
11229edc757bfb40d7e5dc9015bf2304

SHA1
009b598296ac8ada659d2bccd52b08b534112fa0

SHA256
e120e545c2cb35fe831d3c463061498b3922373cdf033c968e41d9a050674a35

SHA512
dbabfdf6d30ddd5d151b0d112d3645f979ebf5b57388c2cfc7f380c20826bd0574e7e077250d1e46e8b946c8984c236ea4db429a19ecebdf32f9a43919a336fb

Download Submit
C:\Windows\SysWOW64\Lklgbadb.exe

Filesize
790KB

MD5
99e7bfe9732a05eddf708d8be51dc556

SHA1
421d017b204a4ffbac549080911cd413dc74007d

SHA256
56adc6623779a2038b240661f6065cad0a47f45c931ef86437ff339d32511c6b

SHA512
c06cb258b551957c5474515400085d3d87bd81638d702adf8b2d213edd65ef966fc20af5528064cbf40bcc290dca0a00efcd5b8fcc99ffce01dbdcdf96a242aa

Download Submit
C:\Windows\SysWOW64\Neiaeiii.exe

Filesize
790KB

MD5
73e3a5c8fced26c155970fd77095badd

SHA1
f4da55fae7a50168a1ead2d06b56cf80360ec332

SHA256
cc32f3d8388f77fa7dd352ffbfb3ef9f52e4e142cc7cb63720431ffd2a762356

SHA512
12ba9761de04221c242b5b2834de7f0ec0488173b5220639f0818c94094ab92d8665fb44aa86db664b103dea24c7aa51042ae9ed6b5a5b30ea559987b92e227b

Download Submit
C:\Windows\SysWOW64\Ngealejo.exe

Filesize
790KB

MD5
d968761ca48b6352fa6e87e608090406

SHA1
2ec23a66f67a17b7b35ca4b82a32e0b01d785903

SHA256
60561dfe3d6f429cb1692a69cd65e612a07e3a570855a5ae53086ae05533da7c

SHA512
84105997f230cdf928f15139333c4c4fae186a03efaa55da5d8762e3c89ed0f6886225de9c912d21ba6dd89fe63380885f107538f3a5a2a020edd0c0ac9a752d

Download Submit
C:\Windows\SysWOW64\Oeindm32.exe

Filesize
790KB

MD5
9da6a875a0ab9ed3edf0b4cf7f71af12

SHA1
e41c23c4e5d81ee7d71107f481883104101f3644

SHA256
9d0e061760747c94d3d01dff7db09cb30da696a50b0df300bc896a4eabe1cbf3

SHA512
1580605e25d1481b5987a6236ca0031bc90e8fc96f16b4be9e12c443eab44d864804cce463a871e425c0a1bd207032aa35c8d403d5e33a65486632bda6c2a12d

Download Submit
C:\Windows\SysWOW64\Pbagipfi.exe

Filesize
790KB

MD5
8c5a413066d693acb1b9d90bfe19676e

SHA1
7da4962b2f98d83a1d8834465ec7138d833ab95a

SHA256
5df4333b583943b113fdea97ae63978f748f3062e7a105eec840a235bfdeb4e1

SHA512
15c2e02b852c3b196bc38f844270362b37d297560f21676bf8f9aff28d4ebcb1b88126d6e9c1fdbc23e04eb1f6bbcf43e19d1eead50b1afb7e78b4b2ff2e20f2

Download Submit
C:\Windows\SysWOW64\Pkjphcff.exe

Filesize
790KB

MD5
55795afd5dc2863e701e9838ddc69b62

SHA1
c7b58abb71fcbf2cca317f4bd107dfac4a4567be

SHA256
46fe0168775f1299af6b5153cd96af25f805b03a2bbd5ebf30c6256f587e3b94

SHA512
9372c878f20f5a3622c77e018b05892ddec0a619f1b1e73507b1e5c45ea6ef6fe50c12c67b5a896f0a37bca5385005c70e79d0913274d550b25241de2c9fa30e

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
790KB

MD5
f7f42f4dc6750b165656ea6b9644c4c3

SHA1
b0953b575685812b6a512322707118f32cbfbe7b

SHA256
32519642481acce237c2212300cdb37a8123f8d868a4a3ca2fbb3dede4aad359

SHA512
3e0e3c00cd7bf1966cac2a435a94e33e54c4c0021c20730d9f6976b0dce8adaaddd8e6f0285bdb0a4dd10b6f5328a2239624eeb33db7270a079a71ff290dc131

Download Submit
C:\Windows\SysWOW64\Qcogbdkg.exe

Filesize
790KB

MD5
798493d553f02847cb4d437ab4d0f73d

SHA1
4647c805f7a5bc0210ce93a2053894c31c2b25a6

SHA256
6555809fa4735866fcb16a26dc5a5f789f987a7b43d1af9c5eb57a2e251969bb

SHA512
33b964c7b5050403de392a6d68194e4085318d720665bc9c70c928441b80de990e8e7d4cc0da78c1a7f735ac46ead809e0a72fa20f7745c55a0e4c276208d4a6

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
790KB

MD5
fa3341828071cb1b0bf43c12b2387189

SHA1
290c2e221631b67db54178aea5df00fc83f50afc

SHA256
4c8cc5399715e9cf5fa37a57569834be2a3e84b2247ef926295658c309de590c

SHA512
554e5b2cf2f85cf5cc9648473927b08594c2b954fe8265f799629a68eaaf7ca2c55297cae04fa6df5d4156f0ad552fc8b6e0b0c6bd2a921713101ee111c7306d

Download Submit
C:\Windows\SysWOW64\Qgjccb32.exe

Filesize
790KB

MD5
9097df848a14973706f07972ecc4b2b2

SHA1
4b045eb9ec502f0b072f42d576e2e75b3b50b064

SHA256
31422047a0e65ad76b7aaa4020172ea471bd2aec2264189f47cc866e209472a9

SHA512
e0798b540c909443682a46174863c9de3168c765b6577a378db4f0d89767f9d41f12c97ecce83a50be22b31eb82e68d85e01b17847ffcdc08a09596d53c54f11

Download Submit
C:\Windows\SysWOW64\Qiioon32.exe

Filesize
790KB

MD5
f632c9430e35fc797c99b108b45944d2

SHA1
7b2965a35b023928aaa03ca302f454283bc660e8

SHA256
95fbf9e6b40587e5facdc60d2cc9833f7d8c04ca4202c7ee6e7b617b9bf3ad0c

SHA512
375dd2e5942538d4e657fb998647dec19de1438b02a621d9e2ffefaac24f2c1c61e2c97bb068de3a237812cd42977abab82b70c60bfd1b427133079c136eeecb

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
790KB

MD5
3b9fb5e05ba36fd3f321dd2b1cbbaa36

SHA1
7687a334254bc81149cef0ca1407df8abae279d6

SHA256
b4f645050d01c35f0b230fd14457080fc8c5cd5815a98b140bd452b8efe7242a

SHA512
eaacba835e19ce18dc5bdec1576b8397b562e009b273e35930e8e05d5ccf82ce4b7980d7ee47e6c0f49d52b37b5a41c37b10def0fac746f99ac14faa60711399

Download Submit
C:\Windows\SysWOW64\Qppkfhlc.exe

Filesize
790KB

MD5
ee21634b488d97fd64f851dacc5e4d65

SHA1
508ca8051c6756270312de22ef288a6713d1787d

SHA256
a809d759b2fbd4e6d095e658beca753da079182de013f7df6d92ce95f8d5544d

SHA512
420d4c7d112b977e5ae0da11869666dd957aa4f4bd6d08591bcfc83b1aacd101ce1067a576968088e90c7e4f6ba79b32e7cd8005d03b7bc0094e55690074afb4

Download Submit
\Windows\SysWOW64\Ldbofgme.exe

Filesize
790KB

MD5
368ce2898c6e2c567f6f8677ffd3d479

SHA1
0b28781056767827aea864c930ef45270b1d53d5

SHA256
1c21cda38ab35387225b3ece1128ebfe9d2940305179d3c3ca49a360802998d7

SHA512
bafe497d9dc7b8e3e9864d697ce1bfc623de8fd058306086268c4ed37db780ba7418f90448fdc190bf80b79ef61c0d7c0301933c0ab6d6e8f0bd335a53b0d990

Download Submit
\Windows\SysWOW64\Lnjcomcf.exe

Filesize
790KB

MD5
6e76a1c3a072355c09ea500dcfee6b17

SHA1
27d1cd86108c03394006c7ac4ce194f2d3ed5c72

SHA256
0f8ff8da0b544e673c03d8f86fb1d96ea774c33144fa0bcd49461a6c3cb7cffc

SHA512
51d81d4e637ca5c837e26cad9afcdb3286d24950a6f3d9868943807aced0630d41cdbd0ab609db3e0e5f0ba86197c2e0fc38d988d779be5ef89fcefe4e0710e7

Download Submit
\Windows\SysWOW64\Mcckcbgp.exe

Filesize
790KB

MD5
6186a29dfa4753d2a318c64023ff8dff

SHA1
0f03ac372d02c0535efcd9d19dfd0098434ff7b9

SHA256
b5d394b47bc556f47d84f0b06dce0fec8570217fe3a90a6428532169d29540c4

SHA512
5477fab535e12bdccbb1873ec18a26c9c3341242fef4df7294c63937dde716fe728f8483ca77662096930b8d138da7ee11d0349c6f6a7b8c36cbd579a0c2aa58

Download Submit
\Windows\SysWOW64\Mgjnhaco.exe

Filesize
790KB

MD5
cefa9b8dcf6b1ae007139e6ce5f8b4c5

SHA1
dae42f0d7d0f3849176fbbda25f84313422855b4

SHA256
d9b5fcb38e5a0f8574d958065eee611022ebc16863fff1793531890b95414f08

SHA512
4aacf26b3dbb97aca5ae951c3f7754eca8d00649fad5afe7110f1bc0a4670f8e0bcacb12d75f09310bd7fb555be0bad2f0713e4ac86812f2f5b731af4232ac7c

Download Submit
\Windows\SysWOW64\Mobfgdcl.exe

Filesize
790KB

MD5
7f5000c1866bec3792519c856bf13acd

SHA1
7137d6d4b3c3f00ae17fabcd4771dba871ae5a2d

SHA256
6b9b5b96c84372e93bbc00bfa763477502c97139bea8a8ca1364b29403d0da17

SHA512
7ea638b24632db24694df92d3623a87f0d74c8d876389acdda803efbd86a0c29584050f6e0ce85f9d755095322f211ff2614d3b313a1f5d00bef42d18206fdf0

Download Submit
\Windows\SysWOW64\Nfoghakb.exe

Filesize
790KB

MD5
b880b4ce851f70b273698c62d71aec87

SHA1
c86bdeabc339033cfe0d7cc79aa079e0508ecdc0

SHA256
2e2be8f71306d993828f2a603e2a2150df734c78c5ddf2ba034ed5766ca4d6b7

SHA512
9c0ab835ab3f00fca72f8239f0c19a251a17398384fe20479a21ab4d20178f1a8e52dceea24d26920be0d3cfa2781a0ea4af7889a034b24ea38c46a28e6a6e4b

Download Submit
\Windows\SysWOW64\Nplimbka.exe

Filesize
790KB

MD5
f2f50c8a4adf3534330eeae26c503c4c

SHA1
1f59551b79f65f9432fde2b071408578c7f8e881

SHA256
4d82d1f68a23f07a7a3227f660ba85afd8b89fbbe3e18e693f0ca1de2346d52a

SHA512
4bec2545cd40b6ebb973762c0846fe819fef788e3e50bdb64eb2f9cc07105bfe7b7707d308d43591e6a25e565c6f93892b68b2f465668cac6e56b3dfa754ae1a

Download Submit
\Windows\SysWOW64\Objaha32.exe

Filesize
790KB

MD5
408b6c6411e18c2a44884ee717f100b6

SHA1
5b56c7ddbb57ce784f3cb926a2081099070b219e

SHA256
0494e9f0480af48b83682cf7e0393b079d834364ceb3490a1b4afac07e97be5c

SHA512
318669a7762861719b38f474f6d4e5441a1bc1092b6c5ef211f6ac777daaa262410e8d461e1c02ec454cd2be4ac9a98d28a20bded8b542e529a76b101a784b19

Download Submit
\Windows\SysWOW64\Odchbe32.exe

Filesize
790KB

MD5
8f540089e699357075fb456b870e5fb7

SHA1
3a9abff740122d8ce042bf7f1a3613bc110b76ef

SHA256
1d23bf9ab712b74b53d2f56850f1fe7d4ac545080312af32424cf4bc94fb643b

SHA512
bf9f326fe9fea168c91ea71692d0bd119c35605ffb949f89a61f6ec507d17a349f70f301be45ed685246042702d44c454eddb52c26bce27e334a6f621eea618d

Download Submit
\Windows\SysWOW64\Pljlbf32.exe

Filesize
790KB

MD5
bc6998327bc627bfce685ba44b5939f4

SHA1
59af644fad9496a455444149785901f8809fa854

SHA256
a81a09d9b52e693a4c50995f4639315bf40279b2ce607cbd1a01c9b6b4454032

SHA512
4bfcea7805d14033d66f105243f88420e1270786065083e21749c0e65f3ea1f4d95ee11c467e102ca0399b6024cacc801c68d3806c01e584490768af64c63947

Download Submit
memory/568-361-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/568-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-36-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/804-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-243-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1300-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-477-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1348-438-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1348-434-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1348-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-412-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1372-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-698-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-324-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1572-328-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1584-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-224-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1584-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-199-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1588-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-252-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1800-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-27-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1860-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-350-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1860-26-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1908-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-96-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1908-91-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1908-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-234-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1916-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-118-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1916-123-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2012-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-146-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2024-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-448-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2036-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2064-317-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2064-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-394-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2132-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-306-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2140-302-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2140-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-405-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2172-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-106-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2188-334-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2192-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-500-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2192-501-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2252-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-456-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2268-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-339-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2316-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-340-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2316-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2316-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2372-261-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2456-282-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2456-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-286-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2588-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-132-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2644-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-137-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2656-295-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2664-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-55-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2720-56-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2720-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-369-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2732-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-64-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2740-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-82-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/2892-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-275-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2924-271-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2924-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads