berbew | 1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
Size

276KB
MD5

2f37fbe9ccc03245916880463fca8430
SHA1

021d2174c3391cd4acd5f3304c9660c9c27a4513
SHA256

1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354
SHA512

3c0368b8eaf8f72284f37743454dd0572fe8c5b071ee42086aa12a8de768687a85e6d83111cfc4be74b676cef1742c4835e487d488d4424601413512a8468d7c
SSDEEP

6144:BZNjVjj4dWZHEFJ7aWN1rtMsQBOSGaF+:HRJO2HEGWN1RMs1S7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omioekbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oippjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omioekbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oippjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oibmpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oeindm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbbe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oococb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oococb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 58 IoCs

pid	Process
536	Nlcibc32.exe
2132	Nlefhcnc.exe
2124	Nabopjmj.exe
2768	Omioekbo.exe
2556	Oippjl32.exe
2688	Oibmpl32.exe
2612	Oeindm32.exe
2008	Opnbbe32.exe
1948	Oococb32.exe
736	Phlclgfc.exe
780	Pmkhjncg.exe
2848	Pojecajj.exe
2128	Pidfdofi.exe
2840	Ppnnai32.exe
1320	Qkfocaki.exe
2780	Qeppdo32.exe
1552	Ajmijmnn.exe
884	Allefimb.exe
3044	Ajpepm32.exe
2996	Alnalh32.exe
996	Adifpk32.exe
2992	Ahebaiac.exe
2488	Adlcfjgh.exe
1744	Andgop32.exe
3036	Bgllgedi.exe
2748	Bqeqqk32.exe
2760	Bgoime32.exe
2800	Bniajoic.exe
2792	Bgaebe32.exe
3020	Bmnnkl32.exe
1740	Boljgg32.exe
2432	Bffbdadk.exe
1648	Bieopm32.exe
2464	Bqlfaj32.exe
1144	Bbmcibjp.exe
1636	Bfioia32.exe
2896	Bmbgfkje.exe
1536	Bkegah32.exe
1264	Cbppnbhm.exe
3032	Ciihklpj.exe
2116	Cmedlk32.exe
572	Cnfqccna.exe
3056	Cfmhdpnc.exe
1936	Cileqlmg.exe
336	Ckjamgmk.exe
2984	Cnimiblo.exe
2208	Cebeem32.exe
2092	Cinafkkd.exe
2832	Cnkjnb32.exe
2708	Caifjn32.exe
2816	Cgcnghpl.exe
2584	Cjakccop.exe
2564	Cnmfdb32.exe
3016	Cegoqlof.exe
768	Cgfkmgnj.exe
1876	Djdgic32.exe
1940	Danpemej.exe
1260	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2012	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
2012	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
536	Nlcibc32.exe
536	Nlcibc32.exe
2132	Nlefhcnc.exe
2132	Nlefhcnc.exe
2124	Nabopjmj.exe
2124	Nabopjmj.exe
2768	Omioekbo.exe
2768	Omioekbo.exe
2556	Oippjl32.exe
2556	Oippjl32.exe
2688	Oibmpl32.exe
2688	Oibmpl32.exe
2612	Oeindm32.exe
2612	Oeindm32.exe
2008	Opnbbe32.exe
2008	Opnbbe32.exe
1948	Oococb32.exe
1948	Oococb32.exe
736	Phlclgfc.exe
736	Phlclgfc.exe
780	Pmkhjncg.exe
780	Pmkhjncg.exe
2848	Pojecajj.exe
2848	Pojecajj.exe
2128	Pidfdofi.exe
2128	Pidfdofi.exe
2840	Ppnnai32.exe
2840	Ppnnai32.exe
1320	Qkfocaki.exe
1320	Qkfocaki.exe
2780	Qeppdo32.exe
2780	Qeppdo32.exe
1552	Ajmijmnn.exe
1552	Ajmijmnn.exe
884	Allefimb.exe
884	Allefimb.exe
3044	Ajpepm32.exe
3044	Ajpepm32.exe
2996	Alnalh32.exe
2996	Alnalh32.exe
996	Adifpk32.exe
996	Adifpk32.exe
2992	Ahebaiac.exe
2992	Ahebaiac.exe
2488	Adlcfjgh.exe
2488	Adlcfjgh.exe
1744	Andgop32.exe
1744	Andgop32.exe
3036	Bgllgedi.exe
3036	Bgllgedi.exe
2748	Bqeqqk32.exe
2748	Bqeqqk32.exe
2760	Bgoime32.exe
2760	Bgoime32.exe
2800	Bniajoic.exe
2800	Bniajoic.exe
2792	Bgaebe32.exe
2792	Bgaebe32.exe
3020	Bmnnkl32.exe
3020	Bmnnkl32.exe
1740	Boljgg32.exe
1740	Boljgg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Adifpk32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Oeindm32.exe	Oibmpl32.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	Pmkhjncg.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Ppnnai32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Nhiejpim.dll	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Qeppdo32.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Opnbbe32.exe	Oeindm32.exe
File opened for modification	C:\Windows\SysWOW64\Oococb32.exe	Opnbbe32.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	Pmkhjncg.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Naejdn32.dll	Nlefhcnc.exe
File created	C:\Windows\SysWOW64\Enemcbio.dll	Opnbbe32.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Oeindm32.exe	Oibmpl32.exe
File created	C:\Windows\SysWOW64\Obecdjcn.dll	Oococb32.exe
File created	C:\Windows\SysWOW64\Bibjaofg.dll	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Pojecajj.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Ppnnai32.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2860	1260	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phlclgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omioekbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkhjncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcibc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nabopjmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefhcnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oococb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oibmpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeindm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oippjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oibmpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bniajoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naejdn32.dll"	Nlefhcnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oippjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlefhcnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oococb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlcibc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkgbapp.dll"	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opnbbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafqii32.dll"	Oeindm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 536	2012	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe	31
PID 2012 wrote to memory of 536	2012	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe	31
PID 2012 wrote to memory of 536	2012	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe	31
PID 2012 wrote to memory of 536	2012	1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe	31
PID 536 wrote to memory of 2132	536	Nlcibc32.exe	32
PID 536 wrote to memory of 2132	536	Nlcibc32.exe	32
PID 536 wrote to memory of 2132	536	Nlcibc32.exe	32
PID 536 wrote to memory of 2132	536	Nlcibc32.exe	32
PID 2132 wrote to memory of 2124	2132	Nlefhcnc.exe	33
PID 2132 wrote to memory of 2124	2132	Nlefhcnc.exe	33
PID 2132 wrote to memory of 2124	2132	Nlefhcnc.exe	33
PID 2132 wrote to memory of 2124	2132	Nlefhcnc.exe	33
PID 2124 wrote to memory of 2768	2124	Nabopjmj.exe	34
PID 2124 wrote to memory of 2768	2124	Nabopjmj.exe	34
PID 2124 wrote to memory of 2768	2124	Nabopjmj.exe	34
PID 2124 wrote to memory of 2768	2124	Nabopjmj.exe	34
PID 2768 wrote to memory of 2556	2768	Omioekbo.exe	35
PID 2768 wrote to memory of 2556	2768	Omioekbo.exe	35
PID 2768 wrote to memory of 2556	2768	Omioekbo.exe	35
PID 2768 wrote to memory of 2556	2768	Omioekbo.exe	35
PID 2556 wrote to memory of 2688	2556	Oippjl32.exe	36
PID 2556 wrote to memory of 2688	2556	Oippjl32.exe	36
PID 2556 wrote to memory of 2688	2556	Oippjl32.exe	36
PID 2556 wrote to memory of 2688	2556	Oippjl32.exe	36
PID 2688 wrote to memory of 2612	2688	Oibmpl32.exe	37
PID 2688 wrote to memory of 2612	2688	Oibmpl32.exe	37
PID 2688 wrote to memory of 2612	2688	Oibmpl32.exe	37
PID 2688 wrote to memory of 2612	2688	Oibmpl32.exe	37
PID 2612 wrote to memory of 2008	2612	Oeindm32.exe	38
PID 2612 wrote to memory of 2008	2612	Oeindm32.exe	38
PID 2612 wrote to memory of 2008	2612	Oeindm32.exe	38
PID 2612 wrote to memory of 2008	2612	Oeindm32.exe	38
PID 2008 wrote to memory of 1948	2008	Opnbbe32.exe	39
PID 2008 wrote to memory of 1948	2008	Opnbbe32.exe	39
PID 2008 wrote to memory of 1948	2008	Opnbbe32.exe	39
PID 2008 wrote to memory of 1948	2008	Opnbbe32.exe	39
PID 1948 wrote to memory of 736	1948	Oococb32.exe	40
PID 1948 wrote to memory of 736	1948	Oococb32.exe	40
PID 1948 wrote to memory of 736	1948	Oococb32.exe	40
PID 1948 wrote to memory of 736	1948	Oococb32.exe	40
PID 736 wrote to memory of 780	736	Phlclgfc.exe	41
PID 736 wrote to memory of 780	736	Phlclgfc.exe	41
PID 736 wrote to memory of 780	736	Phlclgfc.exe	41
PID 736 wrote to memory of 780	736	Phlclgfc.exe	41
PID 780 wrote to memory of 2848	780	Pmkhjncg.exe	42
PID 780 wrote to memory of 2848	780	Pmkhjncg.exe	42
PID 780 wrote to memory of 2848	780	Pmkhjncg.exe	42
PID 780 wrote to memory of 2848	780	Pmkhjncg.exe	42
PID 2848 wrote to memory of 2128	2848	Pojecajj.exe	43
PID 2848 wrote to memory of 2128	2848	Pojecajj.exe	43
PID 2848 wrote to memory of 2128	2848	Pojecajj.exe	43
PID 2848 wrote to memory of 2128	2848	Pojecajj.exe	43
PID 2128 wrote to memory of 2840	2128	Pidfdofi.exe	44
PID 2128 wrote to memory of 2840	2128	Pidfdofi.exe	44
PID 2128 wrote to memory of 2840	2128	Pidfdofi.exe	44
PID 2128 wrote to memory of 2840	2128	Pidfdofi.exe	44
PID 2840 wrote to memory of 1320	2840	Ppnnai32.exe	45
PID 2840 wrote to memory of 1320	2840	Ppnnai32.exe	45
PID 2840 wrote to memory of 1320	2840	Ppnnai32.exe	45
PID 2840 wrote to memory of 1320	2840	Ppnnai32.exe	45
PID 1320 wrote to memory of 2780	1320	Qkfocaki.exe	46
PID 1320 wrote to memory of 2780	1320	Qkfocaki.exe	46
PID 1320 wrote to memory of 2780	1320	Qkfocaki.exe	46
PID 1320 wrote to memory of 2780	1320	Qkfocaki.exe	46

C:\Users\Admin\AppData\Local\Temp\1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe
"C:\Users\Admin\AppData\Local\Temp\1d2b9455e6a1dfd4304f7fb5592f9e9a20a0edc1a91055c61dcb7e6c41b3d354N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\Nlcibc32.exe
  C:\Windows\system32\Nlcibc32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\Nlefhcnc.exe
    C:\Windows\system32\Nlefhcnc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Nabopjmj.exe
      C:\Windows\system32\Nabopjmj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\SysWOW64\Omioekbo.exe
        
        C:\Windows\system32\Omioekbo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\Oippjl32.exe
        
        C:\Windows\system32\Oippjl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Oibmpl32.exe
        
        C:\Windows\system32\Oibmpl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Oeindm32.exe
        
        C:\Windows\system32\Oeindm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Opnbbe32.exe
        
        C:\Windows\system32\Opnbbe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Oococb32.exe
        
        C:\Windows\system32\Oococb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Phlclgfc.exe
        
        C:\Windows\system32\Phlclgfc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Pmkhjncg.exe
        
        C:\Windows\system32\Pmkhjncg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 144
        60⤵
        Program crash
        
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adifpk32.exe

Filesize
276KB

MD5
a9732787fc57ec1bed3f0c980d6b123c

SHA1
fd61a50bbf370756777c8253a1c4651611a983b8

SHA256
1abef9c336c7ff8109682a3b3bc962cc130ed249f76981dd15f0cf2955149cff

SHA512
30080a6f909fecd7966133ff06fd5e4de6493927eb911299914b3fa1248c5c35f1bbc31c138a43666639974b34661d2322c1a320b0dbc556f3fcf4bc90b4f397

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
276KB

MD5
70b684f8ac23fc50e6716ded796391ca

SHA1
27e8c77a779a568d082cf55291b4d79c8531444d

SHA256
57f93d12c439c79a1868d89ecdc93b192953f98f77038690cc097534513cf132

SHA512
5183be8d0777a95972b5aa440cbb6d0f9aed556bf58e4d74cadeb93c0c1108c4bd7d0949fe179a522035195d893010e8f8084f015b95c5dd7446eb3410d001ae

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
276KB

MD5
5a129d55ac6768a82585cc26507f9a78

SHA1
dcc2fe2289882488097733b56666135746291c53

SHA256
2ea0d922f8de0a9f03a9e679322b02ae2dcec9c16543105079ddf3580ba29a93

SHA512
750983094f6c692c31ef9666d36aec4806ac4d997a05423531859bed28ed32633df7e8662632bd2b899e4b83a51875a0423b3e4cf5a6983557c2ca29ae4b3eef

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
276KB

MD5
284db7a9d52c43cefe1ab77bbd91813a

SHA1
5587aa5dd0fc87bf7c0d3ff5da35ecf7a475361d

SHA256
5a1b17c8dabedcdabde07ba16b991b17b473f8034dca9d4424563dbcbd34e5eb

SHA512
6af3c1bf0de3c015686fc524d697618e315198ccafa4cf7122b71f8c0edeb999a0d9538d88efe2e605579ced438ee8aeb80c917994ddf4b96345a31d2f2c0758

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
276KB

MD5
675266cb38bbdf76270588a00badb79d

SHA1
b48705c2e38972b92e18bcb2bcf62c69974e5d9c

SHA256
c7bfd3e9c1b1752ecc00b2ad1cfceef7e015eb67983aab0e59549d06c6994564

SHA512
730b54ba905b3e35832c2f781934be00cac95cf7db879cead1a157940e1ef7f0eff56d2951dbebe17e4f5b13f41653ee488c4e7595dbf7f79f864cb710521d03

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
276KB

MD5
25a3b87b8949ec41b4becfcd612d5c5e

SHA1
f58b9434a71b5d74069c084f4a965544607652e6

SHA256
ef011934e37bef8e8ed9a3f1bacadcf02a97d5fddb83bb687244e16da7dbeb29

SHA512
dced38214b3c4999a6227b6cd05897858d5fc2c7f15aa9f990c7a01eefeee5fda9eaa349bdc204efd09ea761a6355bd745e34ed24cba9f13149defd92f1c483d

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
276KB

MD5
3d5fdd39eaf1240312586da18a34c69f

SHA1
f51ad1a8d64c37c921c16ffd478cffd9eb679bb2

SHA256
d518a89eec5f2f46beb0cae8106b1caf222755b8bac25313de3df125e3a5b8bc

SHA512
a580c515e6397c4455bf583a123332f1b45267e9516751fafdff458099ca383547b99d99c10e15782d6d06e631de3409e150c0c1a1e2b55b163dbdf11411c75d

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
276KB

MD5
d4e42fd79a1f4f320720c67adea818af

SHA1
f622300e35490bd09fd43887a407b3f601fd3b7e

SHA256
f8d0f12e33f84673b7c939963da19b194ba66e4caa2e2ff5dcc346689d828e63

SHA512
05e3db9cc1ccd39bdf86088171462267dfd3a3fb91a4ab639b925f97635cacba2ef757b023cf90d49f9b504aabc2d1ab2941cc80f70948eef04a7065a94e753a

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
276KB

MD5
c996dd16ac6ef5da8232042937da02e9

SHA1
8a1d9406a5dc7fcfb10e79a8858f8d8c969d9d0c

SHA256
c321290009a20e48ca7ad2d34038b1eacbf77d881f643b0cbe6c769643b72b90

SHA512
2389adca982159ecbf97589f700752ede343bbf3f054bb23885468f2c409e157a12f543cd548d6c09beb2e300187f33e1bc759e0c896dd3c9686ad1834043297

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
276KB

MD5
2a729b043d4259c5630be941a43e612d

SHA1
0e09447186e3db99140733a9eca537f4eab89fee

SHA256
07c0f06d42daf747bf357ad4aabbef250f3d6528fb9b118bfd801a7546880425

SHA512
fc08ccdb32ebceb42fe6aaab3042bb0ed71354487615981a04354dee54dce3884d938539919129db056d611f5bdf2e23dfd1508f50c66185473b7258153450ba

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
276KB

MD5
00a84859da3265abfeb4bcf81b8a2c3a

SHA1
e11403992f60cc0cdf38e032b614e6840da6d81b

SHA256
c869fc7410588254dfe2193794623cfb994bc25902435766e32c4138fabe3f24

SHA512
926a69fa77c62c7b63d2e1df688872b21467472265882817e210448f149c7890143870de53073c4f0d822ae695fd003d0c7dbb423ab4b3e5a338a8fb0521407c

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
276KB

MD5
932a71bd78e9b911935c5ca4a8dde1a3

SHA1
6571e5157ebe93cf18e48c6293943a30f911ac76

SHA256
c826f1c8e92a3753f57a40b845fafaed2f3e54b0b7b6c1fabc2f548e2763362e

SHA512
5cf82f7392a9423fda31531d59883c61733f90b80bfbbcce0fd7f28b32fbf16f365d429ced02fc1890804511d6f3889b904e7fbc1f595833a7757ca4b583673d

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
276KB

MD5
1d510cecd212a9e78cabbc4db7331aa3

SHA1
0040cfe59a0d04867bf4c710b6ea096f2dae8a63

SHA256
9672a9cf209a247d2616391b290eef85083a421c4b6a4a16e8e69ec913249c8d

SHA512
afc4fd510a68deb486f4603b70ff42ff4789bc2bca7f1d15dd3dd6eec7834ec1c5b7e26a914292cf0c544262a25b06178a4d1a1b5de5ed58fb1c27e8d77d8016

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
276KB

MD5
1a1cd0fb7afc45aebf88b2592d1bcd1d

SHA1
5e7c3a13162a3ebc636c7e6ba511969cc5c13ff5

SHA256
043e8c8c0f71ce1044905d1ae99f81a4afe600c8de6028c509a336047c88d5ff

SHA512
231f2942d403ccdd9bda961b3a4027591f92d7c867051b8a66fa11c7847eaadf8c2dc2caa002e6d5c00e513d7196ad946d2e7c13887c19c15a85397688cbf582

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
276KB

MD5
40eef3c20a68ad178fd687d8cb40b82d

SHA1
1d7ee096959b6429673c783218404c2385af54dd

SHA256
65195fbb6be72926654e8b6cf86ec9ca2ac39d2bdd51cc96058ea4e49646b1f0

SHA512
bcb41bd781a84b0bcb1d440e8fb06f883be982094db693fe2df0cbd9eb8aedc1e9dc1105552d2f5334d166ad21742e2b82b6279e0bbdbb172cac5f4650524b90

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
276KB

MD5
878399348221a6f6192cba4141de3806

SHA1
04cfdff99160225ea6178c71ad79530e1607b634

SHA256
f2e3fff83a9eb04a447463577f90a0588f9b5626df20ff44c71ff8e321a1a4d0

SHA512
712b4eaf0b8749bc76c9ca6997fda57b4585e2d389c95d471384731e38ca0879a69c9d26e4fc87d8d1cde4db7935ab94089a962ebc42e1c4682cd776b88041a4

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
276KB

MD5
730bf39a38b401fc9ed055735da6569f

SHA1
0dbc67ab4800e9ee0668c4ebd992b3df8e174594

SHA256
1e0fdae71d11394ad8b846dd963402ac2bb6e02112c24ab60ab3128b3244492c

SHA512
c10788676ad01a098494834e1e86ba54fec4a66427881491e9e846e8e7c1382c7f34304da0a3d8eeb4aab68522f461bb78f2f899490bfdf0e1dfe6f5bc3f9dc1

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
276KB

MD5
550a0e05ecef1282ab9c8f60cfdb589f

SHA1
07fc1fc1b4923cd33d08b9da10e326a321e7d0be

SHA256
537719225fff0337cffeba071b9bbda3f6979ae4702c13e55af0c7e370177a79

SHA512
08bd2595d455b19e9ab8a6adae96ed640bc3203767d9de935b13cca5c5fdfe2bb125b9d1f4ecdfd0e3b33cb775af2f824dbf1698d8311e7db17826f707ff6827

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
276KB

MD5
f3a0cecac565c0ef5bdd3d3fb1de3287

SHA1
4918cd0dfd292cb0dd6bac814f653f188bdbf19e

SHA256
c9cdc284641e75e761f14fe5f757a25b1fc7f68e67b326c9e322ecb4018a0988

SHA512
d4045c3ccf75c2c412929a6a7e68ede52b9ba54121bc673412144f3114ff094e1bf207bad120bc39e14f8b678cd5f6051c68e916ac9d3a8d25e4f795420be006

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
276KB

MD5
26ec9ec185a97efd9824b8f02f0a8c82

SHA1
aa090e45ccdc790fef98b5d95cef745ba07056cd

SHA256
696731bf90e284e60947eda9d0d8b57d2b92ecd9a47337eba67dc431b8e6e5ed

SHA512
25e82e38a9dfa31acd92a7be46a10941d5877adb730c8090a1279bc842d78b7a5e976bdc52262de5e3f068f35f90d38ada26ec6ee1afc3caa230ca4300b50e26

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
276KB

MD5
c6a8f19122c32c7c30ab3e90a1ba146c

SHA1
a22655a469415fd41891092487c3b9a0be4b56f3

SHA256
4a9c4da86728f67f2911528837318157de88f12bf47eb1768bc09452a480fbf1

SHA512
1056a92bb1f31bd04c12755157885de7508159ddd63d9a26f130d5cb07fb711c6af2ac893002dde1b9d05aab88e7b287e92d6fd96acd6197e5571b6da5144dc9

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
276KB

MD5
f82b95366807c54cd65a9847db1f8a09

SHA1
c5dee774bda9b3a63c2bfc9410b6ffb3579a595e

SHA256
16f810d2d94f4a7b0c17dbad98a593ec774fbe98d90b8fa24b9af0e994a5ba6a

SHA512
b281307ea9dc8ac779f17c5fd5f220dd745069307245221cb2bb5704bd231b42dbb0f46ab11aa7608a1c72ecf15e1a372fd9f0ecd446c691b6eee9f65c7c08c1

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
276KB

MD5
2d3cd0ee3aad7cd49b7a231ca3e47dc3

SHA1
b729cfec5c9d396fb5ca6707e06f9e70fc8e7ed0

SHA256
4ac10b79e28f20e2691a7d3a7aa974e9cada8e92730919bfe0a23418f73a9ec7

SHA512
a208c40de0150cd4e859b7f0c06bce8c7cff0df5df96a21e43a074ecf348373e7fb0c896787348bc24d77cf5990d9ab1269f288da957ecb774743b6d72d453a0

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
276KB

MD5
8f795ea348539eb12a3a477b1af0e867

SHA1
9929648138a53502bd719bcef27d65423ee40a8e

SHA256
755ecaceb0879635d13ca9555bbfa7248ea63d532dd139328e944aee69762451

SHA512
b97dcd3f916d362381d50c555c94e4cfb6f179eabe3b2db1238b5f3a90140bd47859eac3805d7c7599d20b9efc98b0cb3ce033c7ca37f86a88b9eb8835785e16

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
276KB

MD5
260cf5c7a8c0930d149861cdaf20cdaf

SHA1
35091bbafc78bda21f269efab5a43eb401c2816b

SHA256
3195d9e35ff10de1cd10a2139a347d80336727ed2d6fb03e4dfd147cbc7d4650

SHA512
e90a2d938f42602f946721c7d3a37cc950d9eab0367200ae18595a7bc54c4a3c841eee504fcacf59f8eab95aebec6b825b9b321831ffc4d3d6105c7afb5f1d66

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
276KB

MD5
6c567d5ff188961e520b075bd0684165

SHA1
c72137b3826238706d1814745934cc924d99d876

SHA256
9f52c2b8b8a752ad51b48a42813c5f356987a742153670a038cd2923fb5fd10b

SHA512
645b027c8bbe24686828eaaee259096fca579ccdf2c5318b2b63e3e6c0de66a6bcc68028c5cb2b1d84cbebc9a0a19306cfbd6e4de38647a56c0bf8a4e9c68170

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
276KB

MD5
d7a7f5fa0154c34f7355c9cc4380c9bd

SHA1
db3903e576c4037c850b29eb1752087619ddb618

SHA256
6106019beaa2e6a025dbfd3610a706d4ef35ae244ef290bbbba8181cf8b6aba4

SHA512
39ef31736f70e88f38fa9a9d09fe5778c61e385e7fb86579cd3e6470ee09936361840b173de9f6df9316b0bb294c8b5f30f03fb1ecbcb9b15fbed9317da22e73

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
276KB

MD5
ad52b1ac97ae62693defd551dbca63aa

SHA1
df77b4382fb7304955e471bdeb7fdca4e20ca750

SHA256
1a6b597a3564b037eb78d7120dabe9c16b41cec1baf77eb12cd68b729eac2f1b

SHA512
7ff09266269e7013fc5ede38834f12b2fc2af5989b62aa5c256c6a4808c26e2d82ea0eafcfebb9ee16ab9c570cf23fbe99750b5dccb66d5edbca41642f31465d

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
276KB

MD5
d4122d367c80da4de04d3422dcef31bd

SHA1
637656ad2aa89a9341f7cdc84173e4e2c07c31c3

SHA256
a682e511386f61433294e17d55f9c248b6cacad83c983ed0ecd03597e9da6eac

SHA512
67ce492148467ceb2c92c9fee230a61bb8415b853c4ae873f5c323ed2965b037bca14589198262a3591ad3034b10f95bf653b28ad732f8dcc9b14a7693f18145

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
276KB

MD5
ec2841e713b095704c76512dbd90a2c9

SHA1
1d7055ec488c92e659ad74e48899e0eda1dd8fbd

SHA256
9382ed0c2660122232dd883b5b400fdc7a581d04745d6ac29600487f85e547ce

SHA512
462e9dbd7231994a454a138eea712c3976cd108c304a2a620569a95e7a3e35fd16ed9088c4dec29f457067c2ce71b7048533a7f7045a70729b6b223fc56ecc5a

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
276KB

MD5
3f728f044d7489a31a418ba998b8f78c

SHA1
f0b9973ee9d9555aa904d14d53b475d678781da3

SHA256
ed5e44f364826a6e5bd664ffe50149ff68722b1a32577c5a1abc25d9dbe9a3c6

SHA512
86de66b2116341e80108004d8e17747fcd5f00989ffc044c9f13c771efd8c2305debfdb081c4e98647575b6d72a7639a68fa0c3ec62b3a8751f6976ac3a6bde5

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
276KB

MD5
6609b274d0b07bccf8953a35cbb2c0b9

SHA1
a27195061004e24a7631201744d3960efe949e7b

SHA256
f87ce73cf8bf63b5007e808bf67a2c14d5571b0994e8451dd362958396b88467

SHA512
d4daa01b293e0512216a575389b5adc2a24d7c2540e613fb62f24232ff91d19cd52736fc4242b8341b9ff2f7d0182fc7c4e4b77b1e9da9333f25b0c31f20593d

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
276KB

MD5
2a53a18028285f28879c4ec630b957ef

SHA1
dbda8faee5bd8130d9fa9f20038976a0ad81488c

SHA256
1fcc92940ad930c5a2425864543d313e69b44357abd419097e93e163f92e5bda

SHA512
73000d1496769573d8ea68b6816b171fd24fd61dfbeaa98ba3b8e013e3f9a24ddeb52ce59b346dd9263e4bb5e2212f031bc67f162bbfb739e0c3c56a9c7bf0c8

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
276KB

MD5
126078245f6ecd3fdaaf93024cb1ed6b

SHA1
38b00d0bcd1668cfddec0081005801df182de29c

SHA256
0c1a954d3fdad0c1ef2dc397afb5da5ac44919555a09c6c37b25db489ded95dc

SHA512
6a40429c3e31c8c8b144f9dc150d0b71525fab36e7047fb3ea67ba3e6bc7497a707ab267172bb596aba0bc8b16f71d07c543c7b2c85e25b680f4f513dbf362e2

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
276KB

MD5
b9e0c9af9e215b25f8e2c3bb1f559aff

SHA1
331c6b9283e67d2b4fa583c8d9d774ce1ae08a88

SHA256
a053de2e7706569c7d24f1edfec0ca1361401a82ec51cc939ea42e3ee5a293d7

SHA512
76b17e7e1d705fab84a405163962c5cfa080e603470e98627803090140ef63a4390fcd51fe9c6c3bdb66fe6e5fa32b614453e7bbfb938da56be878aaece6b297

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
276KB

MD5
482b77ec23ce56dc540c7a94a77e5313

SHA1
6ed2a3a69fba0816cf74110cf350a36a012ce53c

SHA256
630708153db643a2017b305daf194003dc793e5a22bf091ce7b2d7652927dfdc

SHA512
e719243e8a863c3b42a585ff76d8572f888678aaa5ba578accb4b8484274b19d16804c5e5a466ecde27b7da4cd222addbebec9199571679de7607ff62db082ae

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
276KB

MD5
71288b85bf5de8d3e224aa2d3faaac27

SHA1
93bae682a82c502d72bc0a85b57923ce593ae373

SHA256
6fc4a0574257cc72fa9ef9d0ad73ffaec645635ad9f6f6792d1290afc5981848

SHA512
789020b888e8324117ba1b76e6eb1d80279084945382714220ed573daa18f02084ee54dc5d2f2f6fd28c9845d194b2cbf22f723571e973a9846d873704ac46fe

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
276KB

MD5
38573bfb39d4f4e577a392c8c1e79bd6

SHA1
455e3bcc5bdee3b276a03505bf22daafc65de1fb

SHA256
184cc2dc6703e2b9ded22c63af5d6b16821bd153bcc841c9520c14e36f4ac634

SHA512
478bcea243896d62c1e53cfcaee4a4064fa02452e920e3f40e24ba09c74b6c69e36614c104f67526b238630d4a7797ea839954bf052f987cac4d20255b9df5d0

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
276KB

MD5
e534da673e7f6e96b4a751a621a566ee

SHA1
715441d1bea9341ba3fc69d741c07bb4195cee0d

SHA256
290c06cd993a4b9d42e0ba4541157be2994276c98ca40f230037b5e228627087

SHA512
c37b905662d5ebd80185f0b85969f05f18d882f0385ef90a71113a6bfc5b4cbd036ec457f35d5a2c2c98cdc80662b8fa5703f81b64c663b5620707625e2c5a25

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
276KB

MD5
b8f0c1faf1a65d1594a49296426b1cc8

SHA1
1c8b7b95a86a76ba00027b563c27ab0cfe2f119f

SHA256
a4d478443f3f6dbd1a83290477c55991b4fd7448f17705fd81a542edafb0d051

SHA512
512067cc99b5233140c234c2e756709e16028368ddab0b4173e164c6510f6d457408428990e711be489fc0ee38065d7e9a0ad3babade83b4229807bc88e0fe88

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
276KB

MD5
41cbc7258c19a410cd3aef4fdfc06c9f

SHA1
f2d86b1f55a715fe1ae4bf7f709d3b8e42a7839a

SHA256
0e3bf1888c518177d4da19cfcbc87553d184f0801f7c027cfed653af5f38278e

SHA512
7b90e96198938647d2b36330a82dfc72f48577caeeb0a95f1bc2187298342c91281eccb8f65cb248966ad5bf3449158c51f009bc0dbf6d2afc8ece1c35c08a2c

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
276KB

MD5
e1ac1b845252c1fad75fcee7b68c3c5b

SHA1
e446ab6fcb1c4c85452931bf3acff1cae65173ae

SHA256
e96c6a546f2853b9d3ee9cbf8237673246ec81b076f2cc86a11926aafaebf965

SHA512
f3a4ff0236e8b083a235cb6a7de2d9aa12179dc4b64f016376ade0e9b5ff843dd79f001b9b0b86d14cd163d6c8ce8dc4d681e3baac01116560bcac3bf4225865

Download Submit
C:\Windows\SysWOW64\Gbfkdo32.dll

Filesize
7KB

MD5
84b78a26a1a88475457543c258cdefb3

SHA1
74e55b9e452c0717a8985a6c9ff5ed36becdd676

SHA256
fa579e3718a5ff644177102ffcd21d69378e0a2538c46da1129d064e849d9a0b

SHA512
60ba036c6c8967865f3f8103b76b13109f1dc86e0bcd554b3868bed506f071994c034e84eed342dbec73b8a7197c43e6d29168412ee2e9ed48a6ccff34d1d5e4

Download Submit
C:\Windows\SysWOW64\Nabopjmj.exe

Filesize
276KB

MD5
a392e151c9de58b247f758aac119cdcf

SHA1
63e271f26a34b8713e8d6dc5099ca59b2ff9f1eb

SHA256
7a47c7e14b822623eb99b067ab7d493028ca8a77490d2ae29db7bc541e5d8c1f

SHA512
0cf5faeffb47b0a48ba8582b4f2fad66e81b995ada7b1a04d87d4da3398851b591db8830a3c7ef1091e1d12e7fd5ffb174a6da784cfd4b58f454a8b938bcf9e2

Download Submit
C:\Windows\SysWOW64\Nlefhcnc.exe

Filesize
276KB

MD5
00a485812c0d94362b9b4ebf410208e5

SHA1
6548dc5f99ebac5322db73ad6214c396bd7a7b6b

SHA256
cf5626981c5ccefb03cf3ab1ce28b02eee7a868c749972b8f54737c5b2eb08ec

SHA512
b7899b42b9e99da7f69a94b940d91e0b394264e9c83c6dd084da21b386f7ddc288708cf639ef62115c7d4727544b06e67d16b8bfb4768852c518f10b4e325e36

Download Submit
C:\Windows\SysWOW64\Oibmpl32.exe

Filesize
276KB

MD5
42de13537cbe7016b50c835d823927c7

SHA1
fa7811ae97d84f140522d5662568c0b9d69c5780

SHA256
08e1eb98f6f6c42b13271d05f6b5245c8b2f1b656f9960b29f09b2b59d3798fb

SHA512
47e579fd3e19c42e94c851051278f8ba23b7167ad5590dc2ecc92cccc7f527443b88e526d01abb67d882ebd1a924b6b621752be7e1805e233a82df4009220e36

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
276KB

MD5
cb918c0af7d2c4a889799c0fb2a1eacf

SHA1
1243bd67a925244d1da38d6621d06730d3e425af

SHA256
532a819268447f9ab9ef6b64916b5d41597014db573ac9fa03b5e65b67a1c6e1

SHA512
1ff7c554d74ed069943b47b78cc0ff4df3f5270e8c7badba72c9f8e7c9511e8a1c0a7fba9ec3d941ae0827390ad5fbb2889cf2bb62ef3a3f7014d8c1eb086f79

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
276KB

MD5
55c00611260e1a278a4f128aca2747f2

SHA1
6016576c72e814eef5919704fe0dddd75167d5ce

SHA256
04c9a01b8f0135cd0ee813c551c23f472d6093df046dd2da41d552a3b0aa6aa8

SHA512
3f4ceaf763d113923da8e4d282c6f254bafed4eb2e4371d5a5cd71812cac92d12a43d9e9abe57e6c1684df431c3d9da30a1cddf1a15f71ea5904f7c43963919c

Download Submit
\Windows\SysWOW64\Nlcibc32.exe

Filesize
276KB

MD5
e9d1b1e71e7491a19076dafe15ed1c68

SHA1
f16643497a1b53cf5214dad481bab6dd9236bd5f

SHA256
3df5b45c0e47f33036c58c0f5ddcc9212d9619c86ca403ebbbcf1009f5886646

SHA512
6df57051a528acef0eb0a7e953b11a1b07530c69cbec23876d2eadcd997b603271b9beb2cd7d2dba6e55cce11089786f9d0396308b127f5edcad6ea8b93a719b

Download Submit
\Windows\SysWOW64\Oeindm32.exe

Filesize
276KB

MD5
d47591d872b8674d24e5acac9d298c10

SHA1
d4342ae47a413de6a7ef943cebbb7c32c4758b4b

SHA256
86ad9d0b4c2cc28895d6e9d01e4c98a6894c9449c1fbb792117333a663b24458

SHA512
7e9e2416a0211f2214956c8dfe3f7354d2e89cff41dd69b0a68f01a9271265e14196ae889104d92b8e8957ef0c2a27e247c4383182d5208b7ce45e39c22efa34

Download Submit
\Windows\SysWOW64\Oippjl32.exe

Filesize
276KB

MD5
589c022d00c7282220b2bd1bcea7f85b

SHA1
8773a1cda189a9b4e9c49187773f861b1a359b1d

SHA256
522045ebcdbfe3bfa82fe41664f8340d511b898203272bf5f60ea26167055e30

SHA512
fe7288799abd4a7c006de4ddaa912734fbbac647e3144377226a3d9593def250ceaf1b9a14d0f9fc31f3c2400fefacdd6472f1a2846f44a43786c281d6f828aa

Download Submit
\Windows\SysWOW64\Omioekbo.exe

Filesize
276KB

MD5
e81e39de060f0c9fcbacaa0fa0ba98eb

SHA1
6474eea92c313c5ff790a0d0252ed2833381fc31

SHA256
12bb758031717490cc8b0f687c9abe438f235900ae7b45062c286183a29eb5d0

SHA512
a42e8982192d649cccabbe9c50ee8dc81436e6fd572f28f9936ecca3299919a3c3993cab978b96d2d3c500e5157cd1e60432182aed05f78ee95b2b29098c4575

Download Submit
\Windows\SysWOW64\Oococb32.exe

Filesize
276KB

MD5
3d6553f993da5709ed3c1d4172e501bc

SHA1
fcc2b579d89d9ea737e6f64a7f2cc5cb7ea7e750

SHA256
af4c0c31c27daed9571f79b95b4d72d1d7a4d0848efb7d0d2f66d1cfc039e170

SHA512
299fe8df345abb9de1552344b5828776af6ad4f50f340bc442f7baa96f8a5eec5e825791255b0e8f68bdd58344d2524423722c1c30144f638b84316118c162ff

Download Submit
\Windows\SysWOW64\Opnbbe32.exe

Filesize
276KB

MD5
99dd89b83aae432e4fe3983bc507a750

SHA1
efd749d647b4118b1766eb1ee1d1ba97132f3e33

SHA256
823b483986b2a12118dfc5362e821a4ba69a8da9b607b3454881956d93987732

SHA512
6eb1ce2a044a11280c6731a256f0261b784c2042e52a3b0c104aa18d81f2928910ac35f44d9690371e5a1100d2142502f530454a7b2a0c8d1ebb59dd2579d0dd

Download Submit
\Windows\SysWOW64\Phlclgfc.exe

Filesize
276KB

MD5
09f5c42c50f4bacaf48d7b8a6c766cee

SHA1
824156d44b6a6e9ece755183b4b43915dfe5a3b8

SHA256
4fbe2104fb9038624c76322cf7bb461c4e7add043a2f6ac7498be4121d287915

SHA512
67d609a02951b8425819c4a4bdcda581387bdd6d1efee3221269b0b76f1f559a80bdf18ba2627d962b0f10db2a92fa7f58f17f8aacf849498a43854138b98ce2

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
276KB

MD5
c3481a0bc61c5d0139da23288b0c66bb

SHA1
a267c195c8cc4305b186954c799b7b88b667b9ef

SHA256
06cf2a891200bab56845dfb9aa0a478f7057ef3a09da4ac46c595fe92fec1a2b

SHA512
f2cc406b847b2a573fde69148d13afc19221cc0516767332733b1a8a7845c8d765e61f98368107c90b098a05a2276a0f2222610a2714afd46d2fa25a35211981

Download Submit
\Windows\SysWOW64\Pmkhjncg.exe

Filesize
276KB

MD5
6a998a153b0ff0bcea6aa3c709183749

SHA1
1c09cde5d722a1f0a9d9b9f065a6a4e34b38a492

SHA256
3197554d79e1601a1ad9696c78d670d04f2da3eb1060273bd6706d9d27c77746

SHA512
0c3b222b262e1341de5699a13cd68580f993c064d79097b744f0a5718a3bae110605161231d28fe3c53d0478f25fd8fef8d5b2d33c2aed07454d580a22cfd540

Download Submit
\Windows\SysWOW64\Ppnnai32.exe

Filesize
276KB

MD5
f07f3534b00a6e89b5fb2005ee220b49

SHA1
1f8ea0b80a2a676ac09bc0611ad409c8a4fe33cc

SHA256
39abe3dad2f6e306f71203304d9e0855f64c6b94c80b22a6f243bf865a589f6d

SHA512
d40df2b4df51e069ec556ae17131bf5b884d8ac35b868e6c9c504f8c5b7514ae7a905707b80eaee79fa6706a5c8b3abb808c62ebf558afd70241223fea4f9d56

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
276KB

MD5
d4645751dda856e8181b6dcbea546f7b

SHA1
aa6232ab80037d74fc4d715c5fce30ca1ad1b46e

SHA256
07d4587a628d047bdb284f87e134a16679153cfa87828fb710c45c0ac67a190a

SHA512
d6c880feb7066e75df28ad083688f5fa9192dc32d8383561732f451e208a80763cbb2eb323de01c72eaccb83187900feb293353183f108b19641bdcd2e9ab9d8

Download Submit
memory/536-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/536-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/736-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/736-157-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/736-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/780-177-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/780-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/780-225-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/780-224-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/780-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/780-178-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/884-318-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/884-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-278-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/996-346-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/996-310-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/996-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/996-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1320-279-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1320-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1320-243-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1320-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1552-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1552-267-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1552-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1552-300-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1744-378-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/1744-347-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/1744-342-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/1744-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-144-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/1948-195-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/1948-145-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/1948-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-196-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/2008-125-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2008-180-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2008-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-7-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/2012-12-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/2012-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-53-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2124-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2128-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-84-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2132-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-39-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2488-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-331-0x0000000001FD0000-0x0000000002012000-memory.dmp

Filesize
264KB

Download
memory/2488-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-127-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2612-109-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2612-162-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2612-155-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2688-99-0x0000000001FF0000-0x0000000002032000-memory.dmp

Filesize
264KB

Download
memory/2688-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2688-147-0x0000000001FF0000-0x0000000002032000-memory.dmp

Filesize
264KB

Download
memory/2688-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2688-93-0x0000000001FF0000-0x0000000002032000-memory.dmp

Filesize
264KB

Download
memory/2748-365-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2748-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-114-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2768-69-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2768-62-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2768-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-54-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2780-253-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2780-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-390-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2800-386-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2800-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-228-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2840-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2848-246-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2848-244-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2848-197-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2848-190-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2848-238-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2848-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2996-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2996-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-384-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-357-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/3044-329-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/3044-323-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/3044-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads