berbew | b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
Size

60KB
MD5

1b6c79b76e7ea9673c508591a9825393
SHA1

005a5e696eee94c9a35d8080ca5a5ae940305614
SHA256

b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222
SHA512

f813fab49d4779769d39b4ce3544bbd26b941481723e5ef0d9a704ec99f2632c6baf9fd85bb9889f0f0bab9ba1e22a7d19adeb05eafb5db8c8dadce546f29078
SSDEEP

1536:DB5eAStUF1APPpCie07jEInA3j6kz0B86l1r:2RjpncYB86l1r

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opmhqc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piemih32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjhjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnnhcknd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olalpdbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piemih32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abiqcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqjhjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcmnaaji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkifgpeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaondi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjppmlhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmahog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pobeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjppmlhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnnhcknd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeghmmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjgbmoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjgbmoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdonjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkifgpeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmcedg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anpahn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olalpdbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmahog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcmnaaji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmcedg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqanke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opmhqc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pchdfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pobeao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdonjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdcgeejf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajibckpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkkblp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdcgeejf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pchdfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajibckpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeghmmn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 32 IoCs

pid	Process
2372	Ocihgo32.exe
2348	Olalpdbc.exe
2912	Opmhqc32.exe
2940	Piemih32.exe
2824	Pobeao32.exe
2684	Pdonjf32.exe
2052	Pkifgpeh.exe
2416	Pdajpf32.exe
2056	Pkkblp32.exe
1072	Pdcgeejf.exe
1840	Pjppmlhm.exe
1848	Pqjhjf32.exe
1648	Pchdfb32.exe
2160	Qnnhcknd.exe
1200	Qmahog32.exe
1992	Qmcedg32.exe
2640	Qcmnaaji.exe
984	Aijfihip.exe
2064	Aqanke32.exe
1936	Afnfcl32.exe
1976	Ajibckpc.exe
352	Abeghmmn.exe
680	Aioodg32.exe
380	Aoihaa32.exe
2812	Abgdnm32.exe
2932	Abiqcm32.exe
2440	Aehmoh32.exe
1056	Anpahn32.exe
2172	Aaondi32.exe
3016	Bkdbab32.exe
2892	Bjgbmoda.exe
2844	Bmenijcd.exe

Loads dropped DLL 64 IoCs

pid	Process
2300	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
2300	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
2372	Ocihgo32.exe
2372	Ocihgo32.exe
2348	Olalpdbc.exe
2348	Olalpdbc.exe
2912	Opmhqc32.exe
2912	Opmhqc32.exe
2940	Piemih32.exe
2940	Piemih32.exe
2824	Pobeao32.exe
2824	Pobeao32.exe
2684	Pdonjf32.exe
2684	Pdonjf32.exe
2052	Pkifgpeh.exe
2052	Pkifgpeh.exe
2416	Pdajpf32.exe
2416	Pdajpf32.exe
2056	Pkkblp32.exe
2056	Pkkblp32.exe
1072	Pdcgeejf.exe
1072	Pdcgeejf.exe
1840	Pjppmlhm.exe
1840	Pjppmlhm.exe
1848	Pqjhjf32.exe
1848	Pqjhjf32.exe
1648	Pchdfb32.exe
1648	Pchdfb32.exe
2160	Qnnhcknd.exe
2160	Qnnhcknd.exe
1200	Qmahog32.exe
1200	Qmahog32.exe
1992	Qmcedg32.exe
1992	Qmcedg32.exe
2640	Qcmnaaji.exe
2640	Qcmnaaji.exe
984	Aijfihip.exe
984	Aijfihip.exe
2064	Aqanke32.exe
2064	Aqanke32.exe
1936	Afnfcl32.exe
1936	Afnfcl32.exe
1976	Ajibckpc.exe
1976	Ajibckpc.exe
352	Abeghmmn.exe
352	Abeghmmn.exe
680	Aioodg32.exe
680	Aioodg32.exe
380	Aoihaa32.exe
380	Aoihaa32.exe
2812	Abgdnm32.exe
2812	Abgdnm32.exe
2932	Abiqcm32.exe
2932	Abiqcm32.exe
2440	Aehmoh32.exe
2440	Aehmoh32.exe
1056	Anpahn32.exe
1056	Anpahn32.exe
2172	Aaondi32.exe
2172	Aaondi32.exe
3016	Bkdbab32.exe
3016	Bkdbab32.exe
2892	Bjgbmoda.exe
2892	Bjgbmoda.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkdjamga.dll	Ocihgo32.exe
File opened for modification	C:\Windows\SysWOW64\Qmahog32.exe	Qnnhcknd.exe
File opened for modification	C:\Windows\SysWOW64\Abeghmmn.exe	Ajibckpc.exe
File created	C:\Windows\SysWOW64\Aioodg32.exe	Abeghmmn.exe
File opened for modification	C:\Windows\SysWOW64\Aehmoh32.exe	Abiqcm32.exe
File created	C:\Windows\SysWOW64\Hoeqmeoo.dll	Aijfihip.exe
File opened for modification	C:\Windows\SysWOW64\Ajibckpc.exe	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Olalpdbc.exe	Ocihgo32.exe
File opened for modification	C:\Windows\SysWOW64\Opmhqc32.exe	Olalpdbc.exe
File opened for modification	C:\Windows\SysWOW64\Pobeao32.exe	Piemih32.exe
File created	C:\Windows\SysWOW64\Qcpnob32.dll	Piemih32.exe
File opened for modification	C:\Windows\SysWOW64\Pdcgeejf.exe	Pkkblp32.exe
File opened for modification	C:\Windows\SysWOW64\Qcmnaaji.exe	Qmcedg32.exe
File created	C:\Windows\SysWOW64\Oedqakci.dll	Anpahn32.exe
File created	C:\Windows\SysWOW64\Jkpaokgq.dll	Pchdfb32.exe
File created	C:\Windows\SysWOW64\Lelhjebf.dll	Qnnhcknd.exe
File created	C:\Windows\SysWOW64\Ajibckpc.exe	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Aehmoh32.exe	Abiqcm32.exe
File created	C:\Windows\SysWOW64\Jgelak32.dll	Abiqcm32.exe
File created	C:\Windows\SysWOW64\Pdonjf32.exe	Pobeao32.exe
File created	C:\Windows\SysWOW64\Pkifgpeh.exe	Pdonjf32.exe
File created	C:\Windows\SysWOW64\Cpijenld.dll	Pqjhjf32.exe
File created	C:\Windows\SysWOW64\Aijfihip.exe	Qcmnaaji.exe
File created	C:\Windows\SysWOW64\Iifedg32.dll	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
File opened for modification	C:\Windows\SysWOW64\Pdajpf32.exe	Pkifgpeh.exe
File opened for modification	C:\Windows\SysWOW64\Qmcedg32.exe	Qmahog32.exe
File opened for modification	C:\Windows\SysWOW64\Afnfcl32.exe	Aqanke32.exe
File created	C:\Windows\SysWOW64\Ejbmjalg.dll	Aioodg32.exe
File created	C:\Windows\SysWOW64\Aqanke32.exe	Aijfihip.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgo32.exe	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
File opened for modification	C:\Windows\SysWOW64\Pdonjf32.exe	Pobeao32.exe
File created	C:\Windows\SysWOW64\Pjppmlhm.exe	Pdcgeejf.exe
File opened for modification	C:\Windows\SysWOW64\Pjppmlhm.exe	Pdcgeejf.exe
File created	C:\Windows\SysWOW64\Qnnhcknd.exe	Pchdfb32.exe
File created	C:\Windows\SysWOW64\Cfjjhnge.dll	Qcmnaaji.exe
File created	C:\Windows\SysWOW64\Lphdbl32.dll	Aehmoh32.exe
File created	C:\Windows\SysWOW64\Pdajpf32.exe	Pkifgpeh.exe
File created	C:\Windows\SysWOW64\Knanmoan.dll	Pkkblp32.exe
File opened for modification	C:\Windows\SysWOW64\Pchdfb32.exe	Pqjhjf32.exe
File opened for modification	C:\Windows\SysWOW64\Aqanke32.exe	Aijfihip.exe
File created	C:\Windows\SysWOW64\Bdinjj32.dll	Ajibckpc.exe
File created	C:\Windows\SysWOW64\Abiqcm32.exe	Abgdnm32.exe
File created	C:\Windows\SysWOW64\Lmdecb32.dll	Opmhqc32.exe
File created	C:\Windows\SysWOW64\Mcndnbhi.dll	Pobeao32.exe
File created	C:\Windows\SysWOW64\Qmcedg32.exe	Qmahog32.exe
File opened for modification	C:\Windows\SysWOW64\Bjgbmoda.exe	Bkdbab32.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Bjgbmoda.exe
File created	C:\Windows\SysWOW64\Ocihgo32.exe	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
File created	C:\Windows\SysWOW64\Cdhbbpkh.dll	Olalpdbc.exe
File created	C:\Windows\SysWOW64\Hcnhpd32.dll	Qmcedg32.exe
File opened for modification	C:\Windows\SysWOW64\Aijfihip.exe	Qcmnaaji.exe
File created	C:\Windows\SysWOW64\Apfamf32.dll	Abeghmmn.exe
File opened for modification	C:\Windows\SysWOW64\Aoihaa32.exe	Aioodg32.exe
File opened for modification	C:\Windows\SysWOW64\Abgdnm32.exe	Aoihaa32.exe
File opened for modification	C:\Windows\SysWOW64\Olalpdbc.exe	Ocihgo32.exe
File opened for modification	C:\Windows\SysWOW64\Pkkblp32.exe	Pdajpf32.exe
File created	C:\Windows\SysWOW64\Pdcgeejf.exe	Pkkblp32.exe
File created	C:\Windows\SysWOW64\Hegfajbc.dll	Qmahog32.exe
File created	C:\Windows\SysWOW64\Afnfcl32.exe	Aqanke32.exe
File created	C:\Windows\SysWOW64\Jcoimalh.dll	Afnfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Piemih32.exe	Opmhqc32.exe
File created	C:\Windows\SysWOW64\Pobeao32.exe	Piemih32.exe
File created	C:\Windows\SysWOW64\Jbcimj32.dll	Pkifgpeh.exe
File created	C:\Windows\SysWOW64\Polhjf32.dll	Abgdnm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1512	2844	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdonjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijfihip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkdbab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anpahn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeghmmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmcedg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaondi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjgbmoda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdajpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opmhqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkkblp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnnhcknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmahog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqanke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoihaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olalpdbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piemih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkifgpeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjhjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehmoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pobeao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcmnaaji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdcgeejf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pchdfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajibckpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgdnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abiqcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjppmlhm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piemih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knanmoan.dll"	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjppmlhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnnhcknd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfamf32.dll"	Abeghmmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opmhqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgelak32.dll"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agfbfl32.dll"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcndnbhi.dll"	Pobeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfjm32.dll"	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpijenld.dll"	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmahog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcmnaaji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piemih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcpnob32.dll"	Piemih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajibckpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Bjgbmoda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebepc32.dll"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjhnge.dll"	Qcmnaaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjkkb32.dll"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjgbmoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkdjamga.dll"	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkifgpeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeghmmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajibckpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdbl32.dll"	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdonjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anpahn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmahog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinjj32.dll"	Ajibckpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olalpdbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pobeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlga32.dll"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdecb32.dll"	Opmhqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnnhcknd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdajpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnhpd32.dll"	Qmcedg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeqmeoo.dll"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjgbmoda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olalpdbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pobeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeghmmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkdbab32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2372	2300	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe	30
PID 2300 wrote to memory of 2372	2300	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe	30
PID 2300 wrote to memory of 2372	2300	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe	30
PID 2300 wrote to memory of 2372	2300	b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe	30
PID 2372 wrote to memory of 2348	2372	Ocihgo32.exe	31
PID 2372 wrote to memory of 2348	2372	Ocihgo32.exe	31
PID 2372 wrote to memory of 2348	2372	Ocihgo32.exe	31
PID 2372 wrote to memory of 2348	2372	Ocihgo32.exe	31
PID 2348 wrote to memory of 2912	2348	Olalpdbc.exe	32
PID 2348 wrote to memory of 2912	2348	Olalpdbc.exe	32
PID 2348 wrote to memory of 2912	2348	Olalpdbc.exe	32
PID 2348 wrote to memory of 2912	2348	Olalpdbc.exe	32
PID 2912 wrote to memory of 2940	2912	Opmhqc32.exe	33
PID 2912 wrote to memory of 2940	2912	Opmhqc32.exe	33
PID 2912 wrote to memory of 2940	2912	Opmhqc32.exe	33
PID 2912 wrote to memory of 2940	2912	Opmhqc32.exe	33
PID 2940 wrote to memory of 2824	2940	Piemih32.exe	34
PID 2940 wrote to memory of 2824	2940	Piemih32.exe	34
PID 2940 wrote to memory of 2824	2940	Piemih32.exe	34
PID 2940 wrote to memory of 2824	2940	Piemih32.exe	34
PID 2824 wrote to memory of 2684	2824	Pobeao32.exe	35
PID 2824 wrote to memory of 2684	2824	Pobeao32.exe	35
PID 2824 wrote to memory of 2684	2824	Pobeao32.exe	35
PID 2824 wrote to memory of 2684	2824	Pobeao32.exe	35
PID 2684 wrote to memory of 2052	2684	Pdonjf32.exe	36
PID 2684 wrote to memory of 2052	2684	Pdonjf32.exe	36
PID 2684 wrote to memory of 2052	2684	Pdonjf32.exe	36
PID 2684 wrote to memory of 2052	2684	Pdonjf32.exe	36
PID 2052 wrote to memory of 2416	2052	Pkifgpeh.exe	37
PID 2052 wrote to memory of 2416	2052	Pkifgpeh.exe	37
PID 2052 wrote to memory of 2416	2052	Pkifgpeh.exe	37
PID 2052 wrote to memory of 2416	2052	Pkifgpeh.exe	37
PID 2416 wrote to memory of 2056	2416	Pdajpf32.exe	38
PID 2416 wrote to memory of 2056	2416	Pdajpf32.exe	38
PID 2416 wrote to memory of 2056	2416	Pdajpf32.exe	38
PID 2416 wrote to memory of 2056	2416	Pdajpf32.exe	38
PID 2056 wrote to memory of 1072	2056	Pkkblp32.exe	39
PID 2056 wrote to memory of 1072	2056	Pkkblp32.exe	39
PID 2056 wrote to memory of 1072	2056	Pkkblp32.exe	39
PID 2056 wrote to memory of 1072	2056	Pkkblp32.exe	39
PID 1072 wrote to memory of 1840	1072	Pdcgeejf.exe	40
PID 1072 wrote to memory of 1840	1072	Pdcgeejf.exe	40
PID 1072 wrote to memory of 1840	1072	Pdcgeejf.exe	40
PID 1072 wrote to memory of 1840	1072	Pdcgeejf.exe	40
PID 1840 wrote to memory of 1848	1840	Pjppmlhm.exe	41
PID 1840 wrote to memory of 1848	1840	Pjppmlhm.exe	41
PID 1840 wrote to memory of 1848	1840	Pjppmlhm.exe	41
PID 1840 wrote to memory of 1848	1840	Pjppmlhm.exe	41
PID 1848 wrote to memory of 1648	1848	Pqjhjf32.exe	42
PID 1848 wrote to memory of 1648	1848	Pqjhjf32.exe	42
PID 1848 wrote to memory of 1648	1848	Pqjhjf32.exe	42
PID 1848 wrote to memory of 1648	1848	Pqjhjf32.exe	42
PID 1648 wrote to memory of 2160	1648	Pchdfb32.exe	43
PID 1648 wrote to memory of 2160	1648	Pchdfb32.exe	43
PID 1648 wrote to memory of 2160	1648	Pchdfb32.exe	43
PID 1648 wrote to memory of 2160	1648	Pchdfb32.exe	43
PID 2160 wrote to memory of 1200	2160	Qnnhcknd.exe	44
PID 2160 wrote to memory of 1200	2160	Qnnhcknd.exe	44
PID 2160 wrote to memory of 1200	2160	Qnnhcknd.exe	44
PID 2160 wrote to memory of 1200	2160	Qnnhcknd.exe	44
PID 1200 wrote to memory of 1992	1200	Qmahog32.exe	45
PID 1200 wrote to memory of 1992	1200	Qmahog32.exe	45
PID 1200 wrote to memory of 1992	1200	Qmahog32.exe	45
PID 1200 wrote to memory of 1992	1200	Qmahog32.exe	45

C:\Users\Admin\AppData\Local\Temp\b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe
"C:\Users\Admin\AppData\Local\Temp\b916e2e10f00ba73f2989617a2414a1722dde52c89d9f462c5023791b3d9c222.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Ocihgo32.exe
  C:\Windows\system32\Ocihgo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\Olalpdbc.exe
    C:\Windows\system32\Olalpdbc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\Opmhqc32.exe
      C:\Windows\system32\Opmhqc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Piemih32.exe
        
        C:\Windows\system32\Piemih32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\Pobeao32.exe
        
        C:\Windows\system32\Pobeao32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Pdonjf32.exe
        
        C:\Windows\system32\Pdonjf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Pkifgpeh.exe
        
        C:\Windows\system32\Pkifgpeh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Pdajpf32.exe
        
        C:\Windows\system32\Pdajpf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Pkkblp32.exe
        
        C:\Windows\system32\Pkkblp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Pdcgeejf.exe
        
        C:\Windows\system32\Pdcgeejf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Pjppmlhm.exe
        
        C:\Windows\system32\Pjppmlhm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Pqjhjf32.exe
        
        C:\Windows\system32\Pqjhjf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Pchdfb32.exe
        
        C:\Windows\system32\Pchdfb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Qnnhcknd.exe
        
        C:\Windows\system32\Qnnhcknd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Qmahog32.exe
        
        C:\Windows\system32\Qmahog32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Qmcedg32.exe
        
        C:\Windows\system32\Qmcedg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Qcmnaaji.exe
        
        C:\Windows\system32\Qcmnaaji.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Aijfihip.exe
        
        C:\Windows\system32\Aijfihip.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Aqanke32.exe
        
        C:\Windows\system32\Aqanke32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Afnfcl32.exe
        
        C:\Windows\system32\Afnfcl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Ajibckpc.exe
        
        C:\Windows\system32\Ajibckpc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Abeghmmn.exe
        
        C:\Windows\system32\Abeghmmn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Aioodg32.exe
        
        C:\Windows\system32\Aioodg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Aoihaa32.exe
        
        C:\Windows\system32\Aoihaa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Abgdnm32.exe
        
        C:\Windows\system32\Abgdnm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Abiqcm32.exe
        
        C:\Windows\system32\Abiqcm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Aehmoh32.exe
        
        C:\Windows\system32\Aehmoh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Anpahn32.exe
        
        C:\Windows\system32\Anpahn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Aaondi32.exe
        
        C:\Windows\system32\Aaondi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Bkdbab32.exe
        
        C:\Windows\system32\Bkdbab32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Bjgbmoda.exe
        
        C:\Windows\system32\Bjgbmoda.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 140
        34⤵
        Program crash
        
        PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaondi32.exe

Filesize
60KB

MD5
3f283e5cc9335048fc50413b1575bd33

SHA1
d078208977827e9ba8525a2e0aa05d17924c009e

SHA256
af09507387aec03fe23ce925e15a17ae05d00e0946db0f31561acb3d2de22f92

SHA512
d0897c25816e5e85a58a09d581683e6eedb17c3896b0638fa3ef1cf33ad0dd004e22157e6d7f415e8f79fa5ef068efd936ef653ba90b0ecbce851d48caa68b61

Download Submit
C:\Windows\SysWOW64\Abeghmmn.exe

Filesize
60KB

MD5
24e9fa853cbdfa5294b248e210e7b54b

SHA1
c66b91c85ec59f76c03de7780c7e974c34890838

SHA256
5bc9e1267ea5c5f1b32fa103a24db83f5e6f62a18cd44868e5af298b74cf9168

SHA512
863741684631eb09dd864d4425a23cb47985b8e9ad0acbc6a5cb50094b8ab06dab8dd07de2c7dfa2880eedfff74690b8b554ddd621b1d0070ce8d2e9941a4835

Download Submit
C:\Windows\SysWOW64\Abgdnm32.exe

Filesize
60KB

MD5
6624a43b3334c54d32ce39d453ddce27

SHA1
fcb645e6dcd05d0c31f02f57b82a4000eb974290

SHA256
159707ca4e345992a94557da5df51f7f41686fbc78627b8c62f12baa6aadd27a

SHA512
327c5f0ba598da1f14873115cbc769c70a0ac2b83d3a8e9765c7e06c53e6fc545980edbcaac7057becc325f67e9d8ead077272358b2a26faa17aeb725d1e2a57

Download Submit
C:\Windows\SysWOW64\Abiqcm32.exe

Filesize
60KB

MD5
42e73b418e66c71b8db07e8c6cd30dc4

SHA1
68bfb49f6a6d6a257fb059d8f671719b122183b7

SHA256
ea02cb0a1ab25a9a55c3962663346849178edb614f26b97ebff62098215d74e7

SHA512
2a1c3ff744c0ca617e53c9c1f8ef3eea8d1582a12c8ce9425ab5c02536cd87433608ad7f8cdda96952b230162e2ca60244cf38c6fa2ac36c9a92cae354d8525c

Download Submit
C:\Windows\SysWOW64\Aehmoh32.exe

Filesize
60KB

MD5
5c6f0aace9669444e0581e8628936b3c

SHA1
6a7681faf2e875127feb88933eff4a7054da4fa3

SHA256
dab86f06e9ad87dc2716272f684db117ef5ec1fac0509c89cfcadb3869fcb617

SHA512
73cc54480ad7e11bc52140414db0e76f583a159ce92f9308a1e33ba19c5ef78ad35f79634b910c1a1bccad9a9c3b7c0cd31648a35978b770cd41fdc86e7b5b7e

Download Submit
C:\Windows\SysWOW64\Afnfcl32.exe

Filesize
60KB

MD5
ebc5dd0264a6b0f6047b572839bd2f50

SHA1
40bec7daa6bbcdf5ab06f36787854c07c223fe37

SHA256
7c5774e292432f9cde74ff449be0c2b68d793a6dac77a1ae6d49a7804f3623a3

SHA512
74de8971f2ab82893972cdc1122bddfd2f6ae78a7852d056dde796bdd5a1038c20bb6d8790cac9fe771f69f333f75581d6236bc3cca0dc5fd390cbaff76a7385

Download Submit
C:\Windows\SysWOW64\Aijfihip.exe

Filesize
60KB

MD5
d636fbbb5f9549e541a556615c9d87f8

SHA1
7abde1139063c96c8c477720528f6d264d04a2da

SHA256
4b48d34fd7ff4fa65cadc2e00b9d825cf45f63d0d5a376b14b79d7f4b2e6154d

SHA512
35859ac6619909535f509905a368a2ebf7189b67695314b3e0f55c73f4a90ded53f56dafcaa1d36a505a6d1d8a949fe5a6221f3d870f3a0385e3d442b1643541

Download Submit
C:\Windows\SysWOW64\Aioodg32.exe

Filesize
60KB

MD5
3d99a6f448a2766ef43058a17a7c57d4

SHA1
d5aa7c0dd32de65d004812c82b369a7453bf21f2

SHA256
dbaaa9ad45f5f4f6b5fb1b79717ea48909c14c556dbe5541b0af3e4883d32920

SHA512
efd768640f771e6554406020831ea0386ba38fe5026c8295edecb8d54896ffd26ec29846c534378960df089ad87c482db11c9aa16bba13bc4e274f13d3ff61a6

Download Submit
C:\Windows\SysWOW64\Ajibckpc.exe

Filesize
60KB

MD5
f9dc4de9870a1a3afed45e372a671a61

SHA1
8fdf7a6c525e04ff286d7ec87c8284d49445061e

SHA256
324240f6ae64b388da42742d900423507d05e5c54f33f0461d93fa3765544462

SHA512
04005e4206f679b6f99f7528ecb46e3395b45b9fcffb6bea8340eddd973dc100194cf0a0824c6598c9ac52fe3cfe0c57f56820c24e7e230a17a4cfff1e8c7f47

Download Submit
C:\Windows\SysWOW64\Anpahn32.exe

Filesize
60KB

MD5
1a8c89739875a8ef016c928ad7f3d06e

SHA1
c2120868008bb8fb7d1810e8d4ec78e45f4a1ad2

SHA256
905ffe944fb09e6e4d4de7ff79520e6573b24607c2863198560c60fe625336f5

SHA512
f8c1def46df92bf974d480e1c86e4363a8875d789e0af4e72956ea13c7ff5417a2c60806b24830a3b1872944c9b753704593e87018afa04210695e43b744982b

Download Submit
C:\Windows\SysWOW64\Aoihaa32.exe

Filesize
60KB

MD5
fc48142828338e8078a283b36e452b4e

SHA1
7eafeda480681128c49b438bbdea030b5922b5ed

SHA256
9a42793deed108e55f87eb029dc340f955a499f6fdffb1a201b3aeceb21a428c

SHA512
60ea07895cae59181a47ca7e04c527f149ec5407f3bce6fb823d20e418913b69756f6f3e91a9a31f7058dfba465fadcfbd77265cf979522678c86b8be61cfbc9

Download Submit
C:\Windows\SysWOW64\Aqanke32.exe

Filesize
60KB

MD5
1a083769e2c7cb6b4340af42b3ee12f7

SHA1
ca6456fbdbdb1d63907f6d039941cc7214c086ee

SHA256
2b19b9b83624b1bb7a7601ae6b7aa5d253e3365dd244c5e018c87eb32a822928

SHA512
e66de7ad99230e050d053c1c5ce5f41c28327cd3b5cdaff859a8e4c02fc5f439ed6e39d24e1bf6a82a38143f71ec8cd2eadfbb754bf3521972b4c1cba771d633

Download Submit
C:\Windows\SysWOW64\Bjgbmoda.exe

Filesize
60KB

MD5
36352a9d467729b4c5c7c408155cb107

SHA1
734bc1beaf01aba771b543881a82f5756184442c

SHA256
179a27774d754bc46cca4d3e8dbed97de72c134656aa86928da814c66ece617d

SHA512
becfb6d23b9ff8211b9b8d76c79b72385244c1bcb721920e7cc480906add60f7b4565b509b8f7dd5917d81d5d6620bc553753f61a3280479b399cb334d407657

Download Submit
C:\Windows\SysWOW64\Bkdbab32.exe

Filesize
60KB

MD5
fe453a67511712e1322ce6249217667e

SHA1
6406a495070662a457671f8435e41f680697bfde

SHA256
e2f1dad0a6ea9dde048d8d1ac3b7b7d2d6423bb96f3643d4d9a38e61e72f7aab

SHA512
ed0804d47fe55a528f699759c5518c7617847527402b3412e34af9c5e02b97fe5aa69caecea656a29e02812dc5acfc6951aee33ce135f14de738eb97e5923563

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
60KB

MD5
53e31aa21a87ff4b16ad9e41cd4461c0

SHA1
3d43626244103da51c11f9e01c95950b5934bb8f

SHA256
28331af3e2345e51f26ba15e0081ec47e132c99f7119cb913ee1ae58f851d5be

SHA512
72a755c1f4e1d546a67ffc5b1d9f5620752c90319193e1c389d64a4e8dd012ca631fe012f07de8adc411f831b07359b49f0cbb469fc17c26ddd36e6358109934

Download Submit
C:\Windows\SysWOW64\Ocihgo32.exe

Filesize
60KB

MD5
97a15d5d13d3591f20fe02b76e041b57

SHA1
cb4dd38b870e5ddb3d138a9c8f303b4db49fb992

SHA256
b8f243a5986ddc3a3b20498a6ce6c59378b099a753762109e1672e70b4b1c579

SHA512
cc90bda7c5f553c4fe2967f709966106440d25c6c993f05901b1ba7ae84d3b41a052c3927cf821dc3d961b524a2f8b9bc4071bb2d51abc4b34861357e81b57fd

Download Submit
C:\Windows\SysWOW64\Pjppmlhm.exe

Filesize
60KB

MD5
0746167671624edc6f5c633028406490

SHA1
9339ba67e6a5674c35484f0506e32cb407fabe91

SHA256
6caec825d5d64a5cc9fe23b5df802f9c3a4b9e62fe3810204b13ef2d35c7e37f

SHA512
cc7e0f566abeb0f20caa3952629b5adcdd936964c59b6a352279223cb086650de09c8ad7c787dd3bf48dd0badab8fd3884ceedd6c928d1ba8f3660c301f152b0

Download Submit
C:\Windows\SysWOW64\Pobeao32.exe

Filesize
60KB

MD5
d7a5e6f4306eeb988e8862e64d302522

SHA1
cd48fa47ef9b1a9675f3a93a4d99780d23397d10

SHA256
2573c9181dad19f5834e64e4bfc52a2b1d9bc2eb7424a1e0e8198783a9c1d803

SHA512
6e3f6957cf7da140e2a2d1ed4146e17cd8e0cb1d70a1b46f683328e8eab7c63b096ec42f0b3c3bac971f2de269754a4debc036ade110031027302edad3ac9896

Download Submit
C:\Windows\SysWOW64\Qcmnaaji.exe

Filesize
60KB

MD5
e979c322df15bf6ffeb96744e3cf45c3

SHA1
763a58474533173768dcb25755b1107a9a3f0ece

SHA256
c029d40abfc7a15183e167ce65adcc687fdcede8725f97036cf8a0885c9e5eea

SHA512
9d034decb9a6f2e74f044f01cbeb935c6da46215835e4a6f9530620c27ff0f24f3daedccabc78aec0aa7c19c0455fcfec0f3020644e38491af7edc0f5bc6b1d3

Download Submit
C:\Windows\SysWOW64\Qmahog32.exe

Filesize
60KB

MD5
e6c67411cca9be26e59c9e67d8586982

SHA1
b72eeb10b0ba7ef7b705e60caf4cd22757c4e8d6

SHA256
3587b9018844a91a66a0de33534aae1e16bbe4db6ed42f01168a88c730c755b5

SHA512
46a99eb8a0c41d1bb4b9b7b5b7650cd50dfc4d00cf49cdd0050fe2b7380864469107d6caca5ee08d83992d6b0db22961e74857b33bda7e7fb412ceb73d91cbf9

Download Submit
\Windows\SysWOW64\Olalpdbc.exe

Filesize
60KB

MD5
c1c13748f4184cbf1ceacf8f347832b7

SHA1
fc7acb961e1ccec02524f870f8b5461f0cd1acb9

SHA256
259ea2d0a0a816058053dc92f585cf900acc7e121dae8ac148e69099fa25c096

SHA512
193998e2dfbf80d2f729c2d25566facf26b865b4e34249007a740e0c78d88e9ee5a52feaa711bd77badb6d30bc49cd56280ce5e2871d9ea664821c4468c1b48d

Download Submit
\Windows\SysWOW64\Opmhqc32.exe

Filesize
60KB

MD5
89693adbe62ad0c1bb6d0fc19ee372dd

SHA1
785b9dd39dc73d8dddb560ab4836ca82b48f38e2

SHA256
fad995c4fdbc929a908d832215ee52088f2efdead771337b2a30ef96a724c033

SHA512
0f0713940fd8ff09a7bafea3ca2b9adccd304664a092795d718302bb5178904f360a9eb0cab0592ee84aaf73c99d50b28fb86ac0d10de2f08eec07553f3e7ddf

Download Submit
\Windows\SysWOW64\Pchdfb32.exe

Filesize
60KB

MD5
cb068bf23ba3175ac5141f2df69dcb07

SHA1
b61f1d4727d61c9e8d664a0bed206ff36de413e1

SHA256
d2ba03f149dd0bfe256992939903e6efeaccb1db42d8eef3b08cfcf4ed9fa49e

SHA512
9fe5e1ea0b6dfc7401dbbbc2c7c652a4b1a61742e940e2bc01c406e7a547b998a52131020027860a82e9ad80dcd4d3121d392c658e5efcb5e66121b292669612

Download Submit
\Windows\SysWOW64\Pdajpf32.exe

Filesize
60KB

MD5
4972f7c0260d6eff65017a79f2b65cce

SHA1
4a35b0e22d4eaf16371c0bb77718e3ca168da61f

SHA256
58f8c6c107caae99a82ff3dd3c27291abeaf6f6fc8fc7ef1eb68d25e7e84ed3f

SHA512
8baef839ae86d431f6dc69913c9912939d2685ab457f6d7b049bfa8aa6270e063bb1091a2b6eca5e80f24dab9688fe2383061fed2bc9e9b2118593a6f3c10bca

Download Submit
\Windows\SysWOW64\Pdcgeejf.exe

Filesize
60KB

MD5
ea77baf3502c17359f865e285769fea5

SHA1
50ed8202cac73c29f049682deed78514dfb8e9be

SHA256
56a6fd67f41d4ede8916aa73ba32d2dffd46fcd7a1d88c356a151b955671f619

SHA512
f8cccba30ae7b7798e96e616d3fa8ca4e055016bc0f4bcd1e43bf07557ea6e5b5b2ef2dfb5275861de94579df3a22dfc02a154214f959649f4ac8fad7bde0ab6

Download Submit
\Windows\SysWOW64\Pdonjf32.exe

Filesize
60KB

MD5
621044392ea14fd5721efe73cecfa9cf

SHA1
9a53786269503f6c259981e98023ece9088e916f

SHA256
b694ffdc9bfecad9e093d7c6cba5281adc6de6e63404dbf86b7a47b5f7c58c1f

SHA512
857938aacde32c43888c3cb171c76771935a77b08bcb36dc5890df9252c239ed20b67c9f405d1d280f297754fda143c610cfeeccb67dc09681c5484d4384ba87

Download Submit
\Windows\SysWOW64\Piemih32.exe

Filesize
60KB

MD5
bb3507656fdbe3817e99182630c1d309

SHA1
0b85c682c7e5e61ee3893e00df1cacbcbc89ba30

SHA256
cb3c0d2be3f2db57db59762fee7f40286fb27ea10878520daa8835a628485326

SHA512
8466ee87cab05b1d4df3553681a36fb8a384e094891081cd9e16b877f2a9e96ef328c9881c7c0469fc17df249e60bba39d28bd10f1662c1d7d85d05921678676

Download Submit
\Windows\SysWOW64\Pkifgpeh.exe

Filesize
60KB

MD5
9f1c66f4c227d9c2bd4c9108105d631f

SHA1
c64268e5928a87a668c02e149b710b95f87a4f2f

SHA256
9e8bc601482daa8ebde2eb1c826484e91ba3d6c9bf367bcb069494ca79031a76

SHA512
fa9f64c62a9472c8126c1e8453fd2c826177d3f57bf63889ba1ed674e08fa87e4ee9dc2e551afd8ae0efb656ae52c684f3b3fe31c0f22f64d31e87f87980c470

Download Submit
\Windows\SysWOW64\Pkkblp32.exe

Filesize
60KB

MD5
1b45c2ed15ed9148a9fbf452badb2737

SHA1
f92791b32ab4b5f38f77285d2e19cdb3eb39afdf

SHA256
8134ae199f4c06338552221e7dc4c985302b3385b25dfb8a71058001a474c6fe

SHA512
53800b7efceb2c849e37410879a674436e0de65e11cd899028c6e1d5062dbdff53bc19bcf5382e8e58d2d62183dd0d54540291bc6c79d15dc3df2fcebb289a35

Download Submit
\Windows\SysWOW64\Pqjhjf32.exe

Filesize
60KB

MD5
7244c9e28599fb17c53d9de784bbf9fd

SHA1
08f18bc023277a874b1f0e9febc510ccf17d394d

SHA256
9bb71bb8f2b9e68fa5e16013b0357d8406ebde1430481dca87b39c2a3616eff3

SHA512
2675c9bd8a82cd5e98753c7afb27f19a7ea2b9f729c32a35b319a17cf7061b42590de9ff7b9b68a82ce03dee5d3aaf9ab0d356cd58452931afea73c8a5f0b5be

Download Submit
\Windows\SysWOW64\Qmcedg32.exe

Filesize
60KB

MD5
a581045b710ae95a3f133286a2485d94

SHA1
5e2c9cc6206675d01a24a9f456fdcc7fdcf07234

SHA256
e46c26196a62edeea62f79d3638f16ee4729440c21806cd2da318df1185d2b31

SHA512
a33c9dc78206cba07e9931a5908acdd4cf6a384bd83ebf68edec78cbb6b51f8c7243cd51820ee060677d5025da034b1e98ea6bf076858891b99a192f6c412239

Download Submit
\Windows\SysWOW64\Qnnhcknd.exe

Filesize
60KB

MD5
f305f41640549d2191f5057f7ef7eb99

SHA1
e806c05e40f8135880185395390bc132425d904e

SHA256
df818ec98c470bea1e6613bce4ca9f50cdb9683037571780e4302e5b0ff8d391

SHA512
8059b2294074022fd960e9355b97a8729d88c1da4d55910add25981ae8ff02845fc94feaa615bfa85ce0c93460eff9529aed255a0a0510a47dc75a04dda87eab

Download Submit
memory/352-321-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/352-463-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/352-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/352-362-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/352-322-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/380-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/380-344-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/380-345-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/380-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/680-329-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/680-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/680-333-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/680-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/680-375-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/984-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/984-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/984-274-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/984-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/984-306-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/1056-387-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1072-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1072-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1200-270-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1200-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1200-445-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1200-233-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1648-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1648-206-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1648-252-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1648-207-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1648-257-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1840-231-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1840-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1840-177-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1840-221-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1848-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1848-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1936-455-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1936-297-0x0000000001F60000-0x0000000001F96000-memory.dmp

Filesize
216KB

Download
memory/1936-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1936-343-0x0000000001F60000-0x0000000001F96000-memory.dmp

Filesize
216KB

Download
memory/1936-292-0x0000000001F60000-0x0000000001F96000-memory.dmp

Filesize
216KB

Download
memory/1936-334-0x0000000001F60000-0x0000000001F96000-memory.dmp

Filesize
216KB

Download
memory/1976-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1976-347-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1976-307-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1976-462-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1992-250-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1992-285-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1992-246-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2052-111-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2052-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2052-102-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2052-165-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2056-142-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2056-469-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-148-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2056-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-205-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2064-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2064-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2064-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2064-284-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2160-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-13-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2300-480-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-12-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2300-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-57-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2300-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2348-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2348-40-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2372-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2372-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2372-26-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2372-477-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-179-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2440-377-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2440-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2640-296-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2640-259-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2640-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2640-298-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2684-147-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2684-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2684-100-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2684-486-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2684-150-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2684-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2684-95-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2812-433-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-353-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2812-391-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2824-132-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2824-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2824-80-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2824-130-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2824-473-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2824-85-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2912-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2912-49-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2912-109-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2932-365-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2932-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2932-369-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2940-125-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2940-476-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2940-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads