berbew | 204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
Size

128KB
MD5

9e5b268a5eca5a2704973d3533128b97
SHA1

516712964807de0416385ead68df773d03a5681d
SHA256

204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42
SHA512

b7386038fcaf5df969caaae862eb755d94464f8160d1c5ff14ca97bfc15ed1cf5bcac6d6f41c97db824a74b82e5e18fe89bfc8abeb97e4bc66115a0661838cdb
SSDEEP

3072:Ua4fvLSp3TNMYcCMeCw0v0wnJcefSXQHPTTAkvB5DdcgFM9o:UfKjNMYckotnJfKXqPTX7D7FMm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafdjmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obokcqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 58 IoCs

pid	Process
2832	Oococb32.exe
2004	Obokcqhk.exe
2672	Padhdm32.exe
2688	Phnpagdp.exe
2692	Pafdjmkq.exe
2700	Phqmgg32.exe
2604	Pmmeon32.exe
2288	Pdgmlhha.exe
1376	Pidfdofi.exe
996	Pdjjag32.exe
1508	Pkcbnanl.exe
1632	Pnbojmmp.exe
1780	Qgjccb32.exe
2572	Qiioon32.exe
672	Qpbglhjq.exe
2368	Qjklenpa.exe
2248	Apedah32.exe
1608	Agolnbok.exe
2512	Ajmijmnn.exe
952	Allefimb.exe
1304	Afdiondb.exe
1028	Ajpepm32.exe
2964	Achjibcl.exe
2428	Aakjdo32.exe
3040	Ahebaiac.exe
2168	Anbkipok.exe
2732	Ahgofi32.exe
2824	Aoagccfn.exe
2840	Abpcooea.exe
2724	Bkhhhd32.exe
2584	Bbbpenco.exe
1848	Bkjdndjo.exe
2848	Bdcifi32.exe
1948	Bgaebe32.exe
2780	Bjpaop32.exe
1988	Boljgg32.exe
1604	Bieopm32.exe
1676	Bqlfaj32.exe
2340	Bcjcme32.exe
2088	Bmbgfkje.exe
1276	Ccmpce32.exe
1940	Cmedlk32.exe
920	Cileqlmg.exe
572	Ckjamgmk.exe
2140	Cebeem32.exe
1504	Cgaaah32.exe
2468	Ckmnbg32.exe
2224	Cnkjnb32.exe
2748	Ceebklai.exe
2912	Cgcnghpl.exe
2588	Clojhf32.exe
2980	Cnmfdb32.exe
1516	Cegoqlof.exe
1920	Ccjoli32.exe
2784	Cfhkhd32.exe
1272	Dnpciaef.exe
2348	Dmbcen32.exe
1016	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1648	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
1648	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
2832	Oococb32.exe
2832	Oococb32.exe
2004	Obokcqhk.exe
2004	Obokcqhk.exe
2672	Padhdm32.exe
2672	Padhdm32.exe
2688	Phnpagdp.exe
2688	Phnpagdp.exe
2692	Pafdjmkq.exe
2692	Pafdjmkq.exe
2700	Phqmgg32.exe
2700	Phqmgg32.exe
2604	Pmmeon32.exe
2604	Pmmeon32.exe
2288	Pdgmlhha.exe
2288	Pdgmlhha.exe
1376	Pidfdofi.exe
1376	Pidfdofi.exe
996	Pdjjag32.exe
996	Pdjjag32.exe
1508	Pkcbnanl.exe
1508	Pkcbnanl.exe
1632	Pnbojmmp.exe
1632	Pnbojmmp.exe
1780	Qgjccb32.exe
1780	Qgjccb32.exe
2572	Qiioon32.exe
2572	Qiioon32.exe
672	Qpbglhjq.exe
672	Qpbglhjq.exe
2368	Qjklenpa.exe
2368	Qjklenpa.exe
2248	Apedah32.exe
2248	Apedah32.exe
1608	Agolnbok.exe
1608	Agolnbok.exe
2512	Ajmijmnn.exe
2512	Ajmijmnn.exe
952	Allefimb.exe
952	Allefimb.exe
1304	Afdiondb.exe
1304	Afdiondb.exe
1028	Ajpepm32.exe
1028	Ajpepm32.exe
2964	Achjibcl.exe
2964	Achjibcl.exe
2428	Aakjdo32.exe
2428	Aakjdo32.exe
3040	Ahebaiac.exe
3040	Ahebaiac.exe
2168	Anbkipok.exe
2168	Anbkipok.exe
2732	Ahgofi32.exe
2732	Ahgofi32.exe
2824	Aoagccfn.exe
2824	Aoagccfn.exe
2840	Abpcooea.exe
2840	Abpcooea.exe
2724	Bkhhhd32.exe
2724	Bkhhhd32.exe
2584	Bbbpenco.exe
2584	Bbbpenco.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aakjdo32.exe	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Padhdm32.exe	Obokcqhk.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Decfggnn.dll	Oococb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Qiioon32.exe	Qgjccb32.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ngciog32.dll	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Phnpagdp.exe	Padhdm32.exe
File created	C:\Windows\SysWOW64\Qiioon32.exe	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Cmfaflol.dll	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Cpqmndme.dll	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Oococb32.exe	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
File opened for modification	C:\Windows\SysWOW64\Pdgmlhha.exe	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Enemcbio.dll	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
File opened for modification	C:\Windows\SysWOW64\Ajmijmnn.exe	Agolnbok.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Ffeganon.dll	Obokcqhk.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Allefimb.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Padhdm32.exe	Obokcqhk.exe
File created	C:\Windows\SysWOW64\Pkcbnanl.exe	Pdjjag32.exe
File opened for modification	C:\Windows\SysWOW64\Pnbojmmp.exe	Pkcbnanl.exe
File opened for modification	C:\Windows\SysWOW64\Qpbglhjq.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Pafdjmkq.exe	Phnpagdp.exe
File opened for modification	C:\Windows\SysWOW64\Qjklenpa.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Bdoaqh32.dll	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Aakjdo32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Delgfamk.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padhdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obokcqhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oococb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngciog32.dll"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfaflol.dll"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agolnbok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbgfkje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2832	1648	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe	31
PID 1648 wrote to memory of 2832	1648	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe	31
PID 1648 wrote to memory of 2832	1648	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe	31
PID 1648 wrote to memory of 2832	1648	204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe	31
PID 2832 wrote to memory of 2004	2832	Oococb32.exe	32
PID 2832 wrote to memory of 2004	2832	Oococb32.exe	32
PID 2832 wrote to memory of 2004	2832	Oococb32.exe	32
PID 2832 wrote to memory of 2004	2832	Oococb32.exe	32
PID 2004 wrote to memory of 2672	2004	Obokcqhk.exe	33
PID 2004 wrote to memory of 2672	2004	Obokcqhk.exe	33
PID 2004 wrote to memory of 2672	2004	Obokcqhk.exe	33
PID 2004 wrote to memory of 2672	2004	Obokcqhk.exe	33
PID 2672 wrote to memory of 2688	2672	Padhdm32.exe	34
PID 2672 wrote to memory of 2688	2672	Padhdm32.exe	34
PID 2672 wrote to memory of 2688	2672	Padhdm32.exe	34
PID 2672 wrote to memory of 2688	2672	Padhdm32.exe	34
PID 2688 wrote to memory of 2692	2688	Phnpagdp.exe	35
PID 2688 wrote to memory of 2692	2688	Phnpagdp.exe	35
PID 2688 wrote to memory of 2692	2688	Phnpagdp.exe	35
PID 2688 wrote to memory of 2692	2688	Phnpagdp.exe	35
PID 2692 wrote to memory of 2700	2692	Pafdjmkq.exe	36
PID 2692 wrote to memory of 2700	2692	Pafdjmkq.exe	36
PID 2692 wrote to memory of 2700	2692	Pafdjmkq.exe	36
PID 2692 wrote to memory of 2700	2692	Pafdjmkq.exe	36
PID 2700 wrote to memory of 2604	2700	Phqmgg32.exe	37
PID 2700 wrote to memory of 2604	2700	Phqmgg32.exe	37
PID 2700 wrote to memory of 2604	2700	Phqmgg32.exe	37
PID 2700 wrote to memory of 2604	2700	Phqmgg32.exe	37
PID 2604 wrote to memory of 2288	2604	Pmmeon32.exe	38
PID 2604 wrote to memory of 2288	2604	Pmmeon32.exe	38
PID 2604 wrote to memory of 2288	2604	Pmmeon32.exe	38
PID 2604 wrote to memory of 2288	2604	Pmmeon32.exe	38
PID 2288 wrote to memory of 1376	2288	Pdgmlhha.exe	39
PID 2288 wrote to memory of 1376	2288	Pdgmlhha.exe	39
PID 2288 wrote to memory of 1376	2288	Pdgmlhha.exe	39
PID 2288 wrote to memory of 1376	2288	Pdgmlhha.exe	39
PID 1376 wrote to memory of 996	1376	Pidfdofi.exe	40
PID 1376 wrote to memory of 996	1376	Pidfdofi.exe	40
PID 1376 wrote to memory of 996	1376	Pidfdofi.exe	40
PID 1376 wrote to memory of 996	1376	Pidfdofi.exe	40
PID 996 wrote to memory of 1508	996	Pdjjag32.exe	41
PID 996 wrote to memory of 1508	996	Pdjjag32.exe	41
PID 996 wrote to memory of 1508	996	Pdjjag32.exe	41
PID 996 wrote to memory of 1508	996	Pdjjag32.exe	41
PID 1508 wrote to memory of 1632	1508	Pkcbnanl.exe	42
PID 1508 wrote to memory of 1632	1508	Pkcbnanl.exe	42
PID 1508 wrote to memory of 1632	1508	Pkcbnanl.exe	42
PID 1508 wrote to memory of 1632	1508	Pkcbnanl.exe	42
PID 1632 wrote to memory of 1780	1632	Pnbojmmp.exe	43
PID 1632 wrote to memory of 1780	1632	Pnbojmmp.exe	43
PID 1632 wrote to memory of 1780	1632	Pnbojmmp.exe	43
PID 1632 wrote to memory of 1780	1632	Pnbojmmp.exe	43
PID 1780 wrote to memory of 2572	1780	Qgjccb32.exe	44
PID 1780 wrote to memory of 2572	1780	Qgjccb32.exe	44
PID 1780 wrote to memory of 2572	1780	Qgjccb32.exe	44
PID 1780 wrote to memory of 2572	1780	Qgjccb32.exe	44
PID 2572 wrote to memory of 672	2572	Qiioon32.exe	45
PID 2572 wrote to memory of 672	2572	Qiioon32.exe	45
PID 2572 wrote to memory of 672	2572	Qiioon32.exe	45
PID 2572 wrote to memory of 672	2572	Qiioon32.exe	45
PID 672 wrote to memory of 2368	672	Qpbglhjq.exe	46
PID 672 wrote to memory of 2368	672	Qpbglhjq.exe	46
PID 672 wrote to memory of 2368	672	Qpbglhjq.exe	46
PID 672 wrote to memory of 2368	672	Qpbglhjq.exe	46

C:\Users\Admin\AppData\Local\Temp\204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe
"C:\Users\Admin\AppData\Local\Temp\204f54f246c35fe22be11cad01479500a896f4c0c806b7dadf5ce460b27c4e42.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\Oococb32.exe
  C:\Windows\system32\Oococb32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Obokcqhk.exe
    C:\Windows\system32\Obokcqhk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\Padhdm32.exe
      C:\Windows\system32\Padhdm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\Phnpagdp.exe
        
        C:\Windows\system32\Phnpagdp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\Pafdjmkq.exe
        
        C:\Windows\system32\Pafdjmkq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Phqmgg32.exe
        
        C:\Windows\system32\Phqmgg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
128KB

MD5
c576a8e79755c8198b337e2f1811d7f3

SHA1
bb5efc1b37fbe70f0f30e2c037133c899ec0997d

SHA256
98098529842c695b64a0a28766b1643fd6cd47f707bd0d04eea11040d53a8709

SHA512
8f88f06c19cc565249051cce8d5dbfd495094685edf1391093bbed17d4fd5a7d3e2ac43c3a89a37ee540fdd13c743c671c9e9e209685cef2019366508440aae0

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
128KB

MD5
d6850c8f30a3958c0145d6f010c70f44

SHA1
3d218b5e1f948c5073212aab6ebd90fba787f5bf

SHA256
f903572d99ad2f59384812537e22917106451ba23b145d92d3296e8c625a611b

SHA512
1f166600f6769e0f056051a9838efede7083192d194691e4490cd3ca454417f4737926624f488e2345307afaabd82a123e6a403d24ec9e80e4347ba6da7778b3

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
128KB

MD5
a27dd5a7f6bef25f5a6e137e68c1f0c6

SHA1
98aa1ee6fbe0fb219d16123ede2504db0656eec7

SHA256
2711fa276a0b90fc78339202cd9268ddc459c7fe4bd6ae50afa5f316f8ca8fc6

SHA512
1d953ada05d0b41557d0358501032cc7b685720aaa76593657980f1bc509131adcdf7afebfbde121b1a68f74477a4bd02fcc02a3399c9a2599b872c45615ace2

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
128KB

MD5
43cbc5c4f6ddd1639101f2014a3c979c

SHA1
a60be3750d01ea4a3f23853bf9b4b2bcdb38a194

SHA256
029e4563f5d1220bded00f3e5763a12da75acf07dee6144218485b4b8e12be36

SHA512
a6400f7709ec2782e09908ee904e45524a268839e999e0f73b0a721dd9d717292367e68c99ef517e6d5e6c37d181a5bcdd4e16660ae6be03a29dcdbbc3d16400

Download Submit
C:\Windows\SysWOW64\Agolnbok.exe

Filesize
128KB

MD5
201229729706ae5cacea18a4f2b0ebf2

SHA1
1c38add3d9a3ab59c2055191c5d194164ddd6dbe

SHA256
e69024e59b08212ef6ab9798141bce8f60093237b813725d20039f0815e77337

SHA512
4fc49090cc709928515bb8eb3dfc58ddac181f07309f97cb5f647e0a8634cb94d1ea08a57e27b23e6a07eb76ee9e61339df7a9c8a469b295f45a7e2bd6c10ada

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
128KB

MD5
9a6df1adfb6f0e611445d45206735e66

SHA1
0ead1fefeeb7414c5b639660b16421ee44fb0901

SHA256
009bc93c936228d7dd44d6073dac8294548be423ef7846cec2b1e26bdf1ecfd9

SHA512
bdd697af590cdc63e11825a933112bf0572f1ef1eec6bdcd1bc59f3fd7fc1a2479f2fdb02e6040006905b6c5eb00acf4761cbb9305db37cab4040704628206fe

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
128KB

MD5
384e13832a232a8ea6325bccf7b9b7d9

SHA1
1edba548af1c965f70e4865b42bee298e39f2c1a

SHA256
5be834f2788748b071cb266d97d31bf2024baf1cd853521279213b3b811e4e08

SHA512
f4158bc23e2a501efb00ebbc41f2ae0d1da7ed8024747a52800523b264223cdc3d34c0429b92b884dd3d08d41b107a69a7c0d7b18b59fd2a550ffd112141ed98

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
128KB

MD5
3635752cc5800c6825d10b27078deba1

SHA1
c725fa1a61aafa1fb058a89d6d62fa175b5379d6

SHA256
0547e870f3469c8763aa73b09e7564e9a5145d014fcccd1a4802466f1df0fc2a

SHA512
7fcc0c2562db759d9e410ce76c2129008fa602c08023099c9ed4ec6fa2ed3370d53457b904e6a5e72f9796385de77f3077bd6e091a6f486757757816e3a170c3

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
128KB

MD5
b379602382953edeed5dedd80c8c214a

SHA1
3d089f58051030fc9e00973df4cf9e954cca38dd

SHA256
f56796e6e35e67fa687a24064eea8eee599836ddef4ce511a5a090edd2706a05

SHA512
054510b1d397060a9b1ece472c3f92d013a811668f3c9f216a69a2a1ce5d6a4089157d4cf2c0c2b3be1f7b17c8b43fc5d8a466961ba7c5b6c80d56539ff871fa

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
128KB

MD5
9da1769606fa5a98a2a474cb621324b1

SHA1
87aa06114d856763e722503f7fcafbdcd6d3a38f

SHA256
ee7afb36c48b770b2603db6d3efe9714f06130784fb62d885307575247033b7e

SHA512
ee77e575cd0a70d50aa541041569efa3ba18b9c0faa3d5bf33e37df0d6a19f5e7b609e4d6c62a41a6ee53da25a1de74366582101bf2b602b18227f6c78be97ac

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
128KB

MD5
aac4c7f037b5feec14c64a6ec5e41591

SHA1
d9bf9336f8ba0851b9c04dcb7e7d6cb554ea805b

SHA256
2ad61f3ac59d9ed4e637735a19676eb40d06f9bc665186e7cd33f0c5cafe0eba

SHA512
a12e312661924103cccd83cc2f7582e34bd83d6344f18856988b14e823c275f2aad45237c1e0e2025aae3bedf981427db480a67d4fad294197113f08a17a50df

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
128KB

MD5
df4ce3059ac7b98043dead8b285b13c2

SHA1
1dd661983797266d1bf6d2b93ec2481c9bac2911

SHA256
6adb1c33ac1955d9a9a29d2d76554f1707ff3f1da158ca9867f5da9040de4dc1

SHA512
9c7b4e40b04a67eae3bbbb317efd2b1bbf8fc0cd621d2f03950f4dbdc41f61838082349121b32f8822007b2798f66a38096d3e0b1094b587b9843524ccc521cc

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
128KB

MD5
e424fe1319f9b6a2f85c89b030b35598

SHA1
f92aa04a68533d5c1bfc301b8da39d475f0e6d8b

SHA256
6743f3ce60fde487f4d78c650ad2025cdb3703b748285adc78d3712d0f23a5b3

SHA512
f0e7c9a13c45cc05d5384d5259f4d1cd2ad964301c3e42325bdbf555207b595936adcb4c70ebf524875da7eff849bbe01e888274083cf13bcdae4cc833cbc602

Download Submit
C:\Windows\SysWOW64\Apqcdckf.dll

Filesize
7KB

MD5
02b6756ae5d28b915a8d34bfecd3dfc8

SHA1
f8a89cf7d209fa7b1940998055c5df86cb674c10

SHA256
13e3408c967fd8d2e88370adbd8676057ed9a2e8220af44b6a21c76653fc88f5

SHA512
ffb8559ff3247208aabccc40b0794848551304cd01330371d0b6957579c6dfdc62e3a015b8e49ecde5c66848688aa184243971e4f2fbf8f465574092c29b8432

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
128KB

MD5
d17788f121d1822ebf5fcab6ca5bc6f1

SHA1
341a3258a71405f4038ea75ded8c43318e7fa823

SHA256
6d0ca17bc5ea74e49c5a8f8e7232ca9059e2911e84c8268a9af0ccdb2e732ae9

SHA512
3e7b9af7f69a3e2bfbbef26b1897a07dbb5c9746b734cd70c219057af4c902d94f2a0be5c03cf06702d146b56b181ad3fe14a401f19490dc43379526807052ea

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
128KB

MD5
ba79784574153ef61bc23c407174905e

SHA1
d7943f9b23d1ec81e79912e9e0bc71d208ebfc1c

SHA256
6bc5d45eecb4e2442a089727e1d337eaf2a26aaff429470f2cc7f1c9fcec112b

SHA512
0e5de111bc3437fa06a9053d44811d5072edd1673cf9e7da52120464e8817bd24049512d2663976e1cc31bc70cd64639d003b952def6dfe0c9bc47f3ff9fc3e9

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
128KB

MD5
486bb2124100e7eea132766799dd6655

SHA1
da58929ba429fb9e1c91b09345bf7fed4986fcca

SHA256
8bd1736a2c89d9a0dd30c5371d28b95416d6b4e27872c5a103f72b1193c63cd4

SHA512
da513c6b93c01abc46e1f62dd22759002b2b2a57325dfcea31da12dc4b0f5edf89a3dfc6f7a41a938fd6a083022acbf650e9b5c2badcd99b0ad43f5400d10b2d

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
128KB

MD5
5a10f5a8fb227596bb12713899622260

SHA1
841a779aa0026fd2108543e54b46bda9615aba4a

SHA256
3c64fa2d53a7930df5db80180766ec8c5bd5f8ffd0a8b87a5d87ed726cd97cb4

SHA512
85cc9d3470b9c3ea4cf68f57e5d5990518af7513804f5f8c61694e8dbb5ea5d425ca96aeb97ab56f5aa4738db25ff69fb3da8ec0df5040dd5a83dc514a38f7dd

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
128KB

MD5
8f7abebcb2e46974d1556f9a951738d9

SHA1
7ab0fc3c31cf8347961ad75fae14a34ca42180bb

SHA256
168d9c04fbdfaad848c612ed017bbe8fdaeaf0b19914808ce7441d83794dba7d

SHA512
f9b83ac6ef60abf0a54321c995d7a999a6eb9fd9dabceec95d13782c9fc1ccc91b9028e3fcda8e88e318739ad1fea1b6ace25a69bde2ca63b305b0b9fb87958d

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
128KB

MD5
9d4c9220cf4a0b0fda7b0ae027567e99

SHA1
8e47265104367188ab67aa9d33bb792358610fba

SHA256
a937e28a8fa30cdebb73a7c0d856810626c1aee103b53b866954fc977dd54a52

SHA512
71aea061210fd7e222b884e8848e3f14b7eaafdab9b27fbcf39836ed48af113b3a1b107101df6615df74eca226de2eed7b482ab4588844070a60d9141b4cab40

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
128KB

MD5
33399f414d0e2999bd81a6a5fef6077b

SHA1
cf9348142026eb1bd1ed73e0287724bc55d3273b

SHA256
49bf58f70cb5a6107c222235baa20de8ccbce9cc1e2fddca013e2f4d5e7f9c44

SHA512
c37b71aea1dbc6bb6bc069b4a0392e6348cb01e70f8d2c2371660b7507394fb642f178b978abfbb53a204c188086363f0fe946935a9d164eff8f28b72c57f20b

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
128KB

MD5
7b9869000e1174c3a8fa5f2f8772fb2b

SHA1
7005ba1cb486b47c5fa18c93ccc649159f5434a3

SHA256
f6611da7c09908f5625a4124915292df5c4a5673d4c8eca2a3ff8ebcb91cdeaa

SHA512
ea446049ca7aeee28bf4333cb119312e5934e09461779b272ca3254a20c9ed245f19ee565646c0401cb6f0507e13efddc7681ab11723375c595f6fd1adb8cac3

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
128KB

MD5
47d1a6e1ee52b7272d36c0c07871e64e

SHA1
6f1dfe8380e0ad09938cdf21bba985979c2f718f

SHA256
b5643a2ad68bc97d0f9762b1d3a708086b025c4ee41959d1acb505e8d939c93c

SHA512
a9b226222d55e167a3228a8e3406e0881f66609ab71a4146ca2e1e354cff81c11f3a164668e3fc55d2d691b868d11d45f2c678449053416413df6b99e5e4e19f

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
128KB

MD5
60d82342b3d64eeb281778f0b9a0e1a2

SHA1
a5fcae52dda5ca124a165b1175b12a888c9511c0

SHA256
99020bd7f8565674c0f3fec4a6ffd53cb7809b2b39e0fbb5a739f45842c129ac

SHA512
69e0a2655726f740843c9adcfb73ed3a49c9e4a4f2064ee05cf15bef7f82e64806a3f610b4593d5c20b0f78aa48de01753c7621ef0afa48148ff4d986df9e8fb

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
128KB

MD5
1ae1f9f24967d95f9f6dd2d2ddcbbeff

SHA1
630f3f7dbe6d12d2b8446c40b32e54bd443ec92b

SHA256
a3deb85b4db7447a7ee97b3290fa2c76071c6259b2ac5d19be69b9a24009025e

SHA512
a518b5a6d7e369103d7f97210d38628d16f60cbe2009ec4229dca2c504088ca6d263981db11f4bf989c437ce3c57e1bc427f3d68f0c97fe9fdb9db212eab95c1

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
128KB

MD5
b7e49bd257ded8d3e6bfe6df860febe9

SHA1
9565bf33d27c59ef80963bb230639f1ae1e8eb28

SHA256
63f77d40172236e6acdcd8d6491cb8cebc7c2c6117adb56c14284dcdc6e7a5e7

SHA512
5293d7b9687bf3a46a737bb46410939409293f15ab5b2d29804883216251c3a30ce7723d68fea71543721294d3f2cc6cd355bbb1b669dca63163cbad0b36f27d

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
128KB

MD5
fc67ca06be7622daf3565699d5a57e54

SHA1
302f6c91af647a999af41fe159c46ef9d400baad

SHA256
b7751201ddf5af2c474b2486296d63db1188479770716b63553fd8d3b074681e

SHA512
9977eec5ec7d1c28b63a62cfca38c069cb2fd87dec271e0ed3da8e5971df0454540d6a142e120dc42391c96fa2d27e31ab926a8534ff3b7556d2f8e1f6330f49

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
128KB

MD5
75f8052516503d91a38c6a33addfaa11

SHA1
c858f7a0a14522449ac21703600f9359a0442f43

SHA256
59ed3abf4b8c43f7f435198d8e9875ccefea80eb8f34154f79d194c8f4c48b5d

SHA512
5994d37c496942ecb353312d16e5d726b59284da3f68b43c3c67b3105e9c8b1ae8085671596016909c52ac075b3c249c489d125c7b0f6ac47278cd2dce4527d0

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
128KB

MD5
cc7b52410993bc62a53f84ca08cb93ab

SHA1
09ae99bd2d2fe88601a2f8b480cb6cca7f22e872

SHA256
620aedef3f8c3b960cb9554dcf69d930c9bd72577724cf1a664f321ba326b064

SHA512
490673e402829ff4281736f142195df012bba02c98091fe58c9ace928023f5b5033e7d3b0081aaf09ca7e263b52ff04dfbeab6bef616330fcd1d682bae69e5ac

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
128KB

MD5
38304b36284e10d4834b23404f85997f

SHA1
de7a11763d20ac3fee63caba6cb2d6ff498e0b60

SHA256
ca3bc28551cfdc1b093c9992f0acf83a641e69203c4a4a928b5a292eb7742f35

SHA512
abccd4ee83c0ae9565ce86e193e7b4c920bb988cf3a3a5fdd5dcdd0f96aaef6474a30e0f642b00f3c8e54231160e69defdbd2b2bd2662331143c2ce21b3b280b

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
128KB

MD5
e299fca253b08fda63281bbaf16532bd

SHA1
36a205a3b51a1b82adde3a4280d86cf1ca8015e5

SHA256
76ed4045e7a574977b3193705c07107d93cee5053c759ccbb6821444b4f20b02

SHA512
e0a04df02f64dc841b060503524cff0280d5db55c739f3b9901a03589972404a57d56f1bedb1634693ecced771b4ef84ab40aed54abe7d073368e9570550fbb9

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
128KB

MD5
6c65eb5a058220fbd44acd890b20243f

SHA1
7fbd189e5af73b9e7783600217798da29d376aee

SHA256
f20c7aa4ea53c2b0b578ca1f239f5a89d5d2df1336fecbc2c501aca80d4f1857

SHA512
022d11d60e81fb09f1d01be94b10894d3066698742148c44b95f24e21b7066ad40fe2704b6a9cbcdf621e9d7c22043979eeb73b18b4239ab19540133618722cc

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
128KB

MD5
cd4494ff727f8a4392fd6879c9323f4e

SHA1
fae9d34401744f51f5934254a7ec89cc20c3c014

SHA256
8610ee20e366515cce60bbf9e97fe3e09cefedcd9ff0568efaeed5e5c77159bd

SHA512
a2f4c5aa4700e17193af80a05cb6bcca60d86b5d66c3d347ec9aef9d08f7debc91075baec6c3d7632f01d709e1c1ca1a52876df960f4623527a7572b9471c6cd

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
128KB

MD5
7c4f930823a2ab24b7a2fd9aa1783a70

SHA1
d2db1d4e002bc0b51aaee8254baafca31b815164

SHA256
b4c8f5d306018d31b5173e6e1a32cf050fa8c215567df321d6056fefb01d6a52

SHA512
c4e208707290219aa8ab66e4fa73271ff5f628297aed6b3958e95c797aaa7308904f6c6539bba242c1bb3cb53d5bcaac0e60ea0fa3135b0aa7772aa32091de65

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
128KB

MD5
7dcd4f99958186f201a295655be9c21b

SHA1
94862ddd8efd644cbf934f2da16793968fd8727e

SHA256
611337e1784e786b9f0f2b0fc6a2f7b1be57ef54e74476931e6d2e084e9e628b

SHA512
1ffa63a2501151672263ec0c96cc45e60cb077158984d61c144168d94b26ca1f42277fae64272f39d62eb8b53b1081d5ef255c9cf9b40d9a8a68b616e694b047

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
128KB

MD5
43f69b0d84e8694e4dcffa6083db6c7b

SHA1
1d06bf1cbef9ef97f343961e5705b0a9d5469a07

SHA256
730ca081e008686ac076ca4cf1c6ecd6b6089b9a9f033bb88073f73d14bef8d2

SHA512
83d7702fc0f4feafc2c3a76566d75356ef6e0ecb257896179016fafd9b0a129112abec1bd7b01c4293a4cc89a7d299eb53ab9b4ad4578a97df91c5842a977269

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
128KB

MD5
f05a19c9cfb74c7faac192149f4fbfe2

SHA1
1e7b12b04101aa2f4e6a62c23f609c973721034c

SHA256
b164f4b745b79a02f1d5ca6ef720f0cf1f76a550f8100182e17a0a2a4e43b396

SHA512
06ca4803a76e7cfbb9b0a1d51d54a33769355ab0aac3a1c441612e33140662a284eeb8c90605666ee0d96c434b96b983eb54994165580d350b3f33d848a07f04

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
128KB

MD5
513c5b5e0d03696d648101063bcce524

SHA1
7ad8088715da14babdda0228d22ca5c6ca813d85

SHA256
dc8e4fe453af504d7e60ce50fdfa08393a5650221a577ddebe1e275392d7f929

SHA512
db9a08957211bc9ffaebaea5c54f445e9718d211d1ad17c15896afcb777fdf48f39f19cf94573bb88b90d9cb64bdb2993156f938b675c44905da1f30a9074932

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
128KB

MD5
669cca206a62296d09cae0925a53ce11

SHA1
6275fca54e9e54ab2993dd3bc5b4a8efcf40cfeb

SHA256
468eed2d9abdb0ab274b3167b51df2bfe7c9a436d6dfd247c2e1e0c85f387700

SHA512
0c2f6c58582231b1641871eb3db6519677f7d604434cf6a92fe94c498da3c8bd6ec5bb49f27e8df2e7b6596c01134b465bd4d0d1cd2cf5ad930a32c8c3034a66

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
128KB

MD5
d1cdd0a6c8f718847328a0ba474bd99c

SHA1
7886b81d4a4ebe6f2c44ece91218790f7b08d08b

SHA256
ef0a7d3cc039b68a47ddd2b8d221b1cbde367ce8d7fa70651fe27fac48123231

SHA512
17d2aabdc17c572bd0aafb0ed4b13246206b14ecb6a58b9e49ec65baa5385a680d47d9a15ce58a9a1197a7f10eaa9097df1e482cd2fe17eff2054846a9e7ecb0

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
128KB

MD5
ff5c628b1656b3564796d832df7c59a9

SHA1
2403881c60b8630f42ed8d2a257c67867a7b6d41

SHA256
c75fc24759fc8ef82c3d35d55036ffe8f45e9cd51363ccf253f16950088603a4

SHA512
6b126848cd030e04dcb035bb7c9f5c9a2653ba1fdb7180d60bc6e1c30cf97a38cb7b8741d6db3ec5463212ee3ef48b02029ed1f652469b9a725ccf94f2248cc3

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
128KB

MD5
7eb73bc5fa4ea319de806f8ba581a3ce

SHA1
8fcdcab11be77298402923143d979db0666d61ce

SHA256
62cc831898f9148da5a429488eb56e8270f9315dc3f5f0ad28254fecf15c0c7b

SHA512
e60604309b64764b81b2dc93b2314e340bcd4efa8bd48db1175214611236f80a4bcddf79ca6e3715f982708205eff3b9e0c67b3c71d86ef378541ad2f6b7cc57

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
128KB

MD5
406a977c30707c013aed3f845229998e

SHA1
6db0787cd6d5c1e3bd7d95357c2b30a8384aef99

SHA256
9b23282a2f2d96a349491a4b6330203d1db76767ffd2b9c8aaf8311a11cac166

SHA512
a5e6eb065a01a50f54280991901aa19f1c8694b7c2af5c71ea66b74d49f71114f447a9e2cb8b4a76abad8b6590c0a4b21c16be8d499a41e7866ec563f76ab5e7

Download Submit
C:\Windows\SysWOW64\Oococb32.exe

Filesize
128KB

MD5
39747ee05e51764ffdf29b62613953f9

SHA1
76f30047e9ab1b11c9d3360191d20f9fd2407d8b

SHA256
8ca77b86f108df7b427c66716ebfdd45450f7eaf9230f2e8777499bf1b4db72b

SHA512
0d56e20771b3018243e6908fb6cfa35335c0dbfd12ca410bd5646eaf830499224ff00572bdffe6326bf01453ec28db809414282afb0477b2b9149eb9f213d207

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
128KB

MD5
34430b4a20f7dd4220f6b9d2e1b3bc1e

SHA1
c0b34267b14f555db2f406708db057b128bb3225

SHA256
03a841af2312aae55dcdb80bcdb9474cfe0cea9dbdd1cfbb7636e0dcba0280f0

SHA512
4a80d0d7f9e0c9a7a151debcae79ccd1dc541939eed0daeb9642e7618390b70077f389d4719d7e1de6386d036199e8c6aa4baf6ac751d2a1cf05287cf03707b4

Download Submit
C:\Windows\SysWOW64\Qgjccb32.exe

Filesize
128KB

MD5
e9eefa253a13dd8da06437b369aa3c8f

SHA1
e0c3b4f9e9294dc0dd11f290f5c4e52a088d342f

SHA256
982ab911bee389fdd4b783e22eab097148c04340950cf2e07d92ae0f0f6c30d1

SHA512
b414b1353ab959801d7adc04beb1c8f10d0af4feb18e78f6845318ed23b5ffd8845245556bdfc1528e2c0e06bc5df3cf5b4aacacdca91791d27c74582987eab4

Download Submit
C:\Windows\SysWOW64\Qiioon32.exe

Filesize
128KB

MD5
0ac06ceb449f34dba0e46fba15eb9184

SHA1
7a159e3748f65043aa6c4b597fab36cbd49fe578

SHA256
0b407450aa3748c4c3b13977180a38694f6e059ffd65eabf74ea3e8011bc0382

SHA512
252076b4f1b9c8221299e9d9dba6e188ca08b00b9e96178cf1f2879c3ad2f702acb3f12b09e369ee5d061c1c113387d0b9be5145d50f17ec223c6416a8c0f491

Download Submit
\Windows\SysWOW64\Obokcqhk.exe

Filesize
128KB

MD5
24af117272b2a03f4f337d86837d4b06

SHA1
78154e171cf8e6179893bdbaf3999c19002f03b2

SHA256
dfe5817654166e465be6566c101e454b726e0d553321a9e9f7b072e91084534a

SHA512
83e55d0fe92a964ee77347a6c6dd9889dff54667b271d7606f9f069186625c0253ddc0fcd02107a60328b183c293365372fe468cd70b01917356c11ae9ae91eb

Download Submit
\Windows\SysWOW64\Padhdm32.exe

Filesize
128KB

MD5
ef1baf65f1199e8dd627da99915523fc

SHA1
e1a9b07ecd411e610e21c695ab573388e7756d0d

SHA256
f5fa5d55dda820915db190fd2e2338e633c6b02fc43d14d743b72f72d70c8885

SHA512
ee43c67a2a478c1d8a9f7602575d282cff23d62491833b8fef146aa9d9e10b30230da0274e202b1bdea91c30a36a61a71e8583b1935d109cfde839982acdcf6b

Download Submit
\Windows\SysWOW64\Pafdjmkq.exe

Filesize
128KB

MD5
8e90bdffc1f6e22e2fb8ee4795f8f87a

SHA1
ddd29d9b338a3a1a620359f9efcddc73902fec3e

SHA256
1a90e8236ba6410d9adf1cfebdd64e040739da5525c37af296776c0d93f20e6f

SHA512
93a2019911c48cfdedb47251c31b423c904d588e7278130d06f446403058e8ec4885ee7d069960d5e0ec399819c6aed088f94959948fd71fc0dd1df7d59e4233

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
128KB

MD5
7067284b70b9994b28ad041dfbfb6e3d

SHA1
08209d45f05079f22c245d36cf3faa731b7dde68

SHA256
505f91d5be7c4a3139129001f4d44594f6794b92e4dfcbe060bb78d2a9980c29

SHA512
48f2a9c6db4c10eb3dea9bfd16c7e7f55f9adf14b584d88a641ef865b33ff79d5cf56dd9ef0b327d952d165f88f76cb752767d5faca7a113f03a8b7ffe29007d

Download Submit
\Windows\SysWOW64\Phnpagdp.exe

Filesize
128KB

MD5
9a2698b36b09ef03a09976d641d5b62c

SHA1
24e8fc1db544518d37e2868c61616305268d79cd

SHA256
7cc473d13ad27d92cc45af6c2047a0811e6b37a6491c1078fd5aa0117c426143

SHA512
378f239c5a338dca0109e9b325e4ab759e9eac8536d41bb08ae646e7eb7a65fd76f39cf3d290026aea9ea9b41dbb8e4745158b951ebf9cc5c3335f26ee3348ef

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
128KB

MD5
493846a7ef89a2ab059215fb1934c07d

SHA1
8562d6544600a2e2862f7ef4d8b3ed04f1d1774c

SHA256
587e7b753e955d743620ffc10e6edcc757ea5f73b66a840ebbaf153890bcc09d

SHA512
76ece54b895584868e8b00f12ec942f52f598ec9fbef0d63ad9628d7b595a3aeabe9eef5eb15010a7481b3d39ae90fc70ae9357aa53b64212af57cbbb1407fcf

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
128KB

MD5
2c73b6dfc4b2078ac7dc25fe8fd1d906

SHA1
c14cc59434e23eb03c4d6f505e8e2142d2f17359

SHA256
c6c6710b07d287a6ab2840405cac02acf1bde00c28b23fd14ddfc879db100cf8

SHA512
0afbd804cd025243466fe9b08511bf2154408ac793de0959253245fa0ca3177aa0993f39da7ec272be422033a833ff913244d094fbb39f60d83aab1218f98536

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
128KB

MD5
4167985180921384ea067bfa2606dd87

SHA1
1a2e4c5be30ad03351dd0a7c09a2d461221e5f7b

SHA256
a88d208e596232945d8597e529f354e196f1ccfd6cfb9ec1dcf9e208fb231c2b

SHA512
be6d6ffde77ce86daf114d7ee9423c8ea75082fb40a7996fc4b68e91c49524ba6a69f931c7c5b491b6e4ead7f1ba916dee5ef30379d0a86f822f11c9b29c2dc6

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
128KB

MD5
a7be103b13687868dd4f06c5ca72b604

SHA1
9a317d54146ecb33272c7c6dfad9ee6ffcad546a

SHA256
cb24b8435277cf6e8b369e42d4d56bcdfd2176d013d2cb75bda223ae7590040d

SHA512
dbbc4e4a766973974a9c02f22b4353b4cb87f39956eacea34db79cf3f65b5eb5a2b81f574f9f7db29d30ffeea1c506e659b8a0d6a67dad1182fa1247b4f71e69

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
128KB

MD5
6e5bf42f414983dff0c68dba0da08eaf

SHA1
e3ec94343cd5dbdc5a10cbe86958d32ca6fefccd

SHA256
f6ca6021308b1c8e5d5771bb7b783c990958947a693ec6283e024e5ac93fa90a

SHA512
a5c05fe5a07399e4ea2704e2aef9fc45da8bbe9486330b5175e847be11f7f156ac9e1bfdece5e05fe5c18c11557402076dc08ae449974c758c8a3fdafd82960d

Download Submit
\Windows\SysWOW64\Qjklenpa.exe

Filesize
128KB

MD5
e5a2aa9a2b287b67117575bdb57a60b7

SHA1
05736c9b689ddaebd88f29055e34590b5acd4f90

SHA256
cbca28f9abc9123103ee818221118050f03d773da4fb347ec707caaef0a2c5db

SHA512
4ddea1b7868a231dfbb4929c673e927cf833aecab6c23dffe273fab0b0827e2d2403aeb448a32343b4bd63af179cbda2acc9e92165cf7eb1356df5fec09cac53

Download Submit
\Windows\SysWOW64\Qpbglhjq.exe

Filesize
128KB

MD5
ea0e77c09c3ae5639a8c2f1412e3df3b

SHA1
eabfb0fe2d4f8b6f6e0cd89e25a6792b089e3eef

SHA256
e195427b21c3ea6094f2e0cb3e8bc46970d74ec8857f398ddbe9e779940f8149

SHA512
6a8e155c5ded06e274a79547ddd995cc1b533c73094d8dd142518528a63f6e0051203de2241365fce09eb875b21b4e9798b015580cb9ae7a48bb19e27dc12a57

Download Submit
memory/572-511-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-509-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/920-510-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/920-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/952-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/952-260-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/952-256-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/996-465-0x00000000005E0000-0x0000000000623000-memory.dmp

Filesize
268KB

Download
memory/996-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/996-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-280-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/1028-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1276-481-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1276-486-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/1304-269-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1304-270-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1376-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1508-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1508-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-442-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1604-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1608-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1608-235-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1608-239-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1632-487-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1632-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-23-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1648-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-346-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1676-453-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1676-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1780-488-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1780-502-0x00000000004C0000-0x0000000000503000-memory.dmp

Filesize
268KB

Download
memory/1780-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-388-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/1848-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1940-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1948-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-430-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1988-431-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2004-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-33-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2004-377-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2088-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-480-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2168-321-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2168-322-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2288-113-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2288-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2288-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-460-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2368-210-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-217-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2428-302-0x0000000000370000-0x00000000003B3000-memory.dmp

Filesize
268KB

Download
memory/2428-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-300-0x0000000000370000-0x00000000003B3000-memory.dmp

Filesize
268KB

Download
memory/2512-249-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2512-248-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2572-191-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2572-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2584-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-51-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2672-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-60-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2688-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-86-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2700-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-367-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2724-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-333-0x00000000005E0000-0x0000000000623000-memory.dmp

Filesize
268KB

Download
memory/2732-332-0x00000000005E0000-0x0000000000623000-memory.dmp

Filesize
268KB

Download
memory/2732-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-419-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2824-344-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2824-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-343-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2832-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-356-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2848-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-289-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2964-290-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/3040-312-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/3040-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-307-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads