berbew | a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
Size

128KB
MD5

dbe768323f70c426c66f24bc98c18840
SHA1

7b604736a83c5dd5d5ebf3159a6cd602b8d6ca9b
SHA256

a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245
SHA512

d1c8fd4c024e04aa32e999b2b8fbd8f784d35faa14317b4358820cf856734e1a3c387afd68ac81abdc14557f4048edf48a357db60610c9c1189ce37042b8ab0e
SSDEEP

3072:LN5aCh+OfJ9IDlRxyhTbhgu+tAcrbFAJc+i:LP/h+0sDshsrtMk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oebimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oebimf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkkfmml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilhhdga.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 57 IoCs

pid	Process
2808	Mkmhaj32.exe
2712	Mpjqiq32.exe
2848	Ndemjoae.exe
2736	Nlcnda32.exe
1864	Nigome32.exe
580	Nodgel32.exe
2012	Nofdklgl.exe
568	Nilhhdga.exe
1736	Ocdmaj32.exe
2300	Oebimf32.exe
2404	Ocfigjlp.exe
1676	Ohcaoajg.exe
668	Onpjghhn.exe
2284	Oopfakpa.exe
2492	Ogkkfmml.exe
432	Ojigbhlp.exe
2620	Pngphgbf.exe
1344	Pdaheq32.exe
1540	Pjnamh32.exe
1744	Pgbafl32.exe
2320	Pmojocel.exe
2576	Pcibkm32.exe
992	Pfgngh32.exe
1712	Poocpnbm.exe
2652	Pmccjbaf.exe
2768	Pndpajgd.exe
3056	Qijdocfj.exe
1092	Qiladcdh.exe
2672	Qkkmqnck.exe
2752	Acfaeq32.exe
904	Ajpjakhc.exe
1852	Achojp32.exe
2384	Annbhi32.exe
2660	Agfgqo32.exe
3000	Aigchgkh.exe
2208	Abphal32.exe
2088	Aijpnfif.exe
2240	Apdhjq32.exe
2060	Bmhideol.exe
2268	Bnielm32.exe
1472	Bfpnmj32.exe
2440	Beejng32.exe
2292	Bbikgk32.exe
1272	Bdkgocpm.exe
1336	Bjdplm32.exe
900	Bdmddc32.exe
1432	Bhhpeafc.exe
2120	Bmeimhdj.exe
1284	Baadng32.exe
1584	Ckiigmcd.exe
2944	Cilibi32.exe
2732	Cpfaocal.exe
2728	Cbdnko32.exe
2520	Cinfhigl.exe
2180	Cmjbhh32.exe
2364	Cddjebgb.exe
2552	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2880	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
2880	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
2808	Mkmhaj32.exe
2808	Mkmhaj32.exe
2712	Mpjqiq32.exe
2712	Mpjqiq32.exe
2848	Ndemjoae.exe
2848	Ndemjoae.exe
2736	Nlcnda32.exe
2736	Nlcnda32.exe
1864	Nigome32.exe
1864	Nigome32.exe
580	Nodgel32.exe
580	Nodgel32.exe
2012	Nofdklgl.exe
2012	Nofdklgl.exe
568	Nilhhdga.exe
568	Nilhhdga.exe
1736	Ocdmaj32.exe
1736	Ocdmaj32.exe
2300	Oebimf32.exe
2300	Oebimf32.exe
2404	Ocfigjlp.exe
2404	Ocfigjlp.exe
1676	Ohcaoajg.exe
1676	Ohcaoajg.exe
668	Onpjghhn.exe
668	Onpjghhn.exe
2284	Oopfakpa.exe
2284	Oopfakpa.exe
2492	Ogkkfmml.exe
2492	Ogkkfmml.exe
432	Ojigbhlp.exe
432	Ojigbhlp.exe
2620	Pngphgbf.exe
2620	Pngphgbf.exe
1344	Pdaheq32.exe
1344	Pdaheq32.exe
1540	Pjnamh32.exe
1540	Pjnamh32.exe
1744	Pgbafl32.exe
1744	Pgbafl32.exe
2320	Pmojocel.exe
2320	Pmojocel.exe
2576	Pcibkm32.exe
2576	Pcibkm32.exe
992	Pfgngh32.exe
992	Pfgngh32.exe
1712	Poocpnbm.exe
1712	Poocpnbm.exe
2652	Pmccjbaf.exe
2652	Pmccjbaf.exe
2768	Pndpajgd.exe
2768	Pndpajgd.exe
3056	Qijdocfj.exe
3056	Qijdocfj.exe
1092	Qiladcdh.exe
1092	Qiladcdh.exe
2672	Qkkmqnck.exe
2672	Qkkmqnck.exe
2752	Acfaeq32.exe
2752	Acfaeq32.exe
904	Ajpjakhc.exe
904	Ajpjakhc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Mkmhaj32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Ocdmaj32.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Nofdklgl.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Oopfakpa.exe	Onpjghhn.exe
File opened for modification	C:\Windows\SysWOW64\Pdaheq32.exe	Pngphgbf.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Nilhhdga.exe	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Oflcmqaa.dll	Onpjghhn.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Qaqkcf32.dll	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Nlpdbghp.dll	Pjnamh32.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
File opened for modification	C:\Windows\SysWOW64\Poocpnbm.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Nilhhdga.exe	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Ogkkfmml.exe	Oopfakpa.exe
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	Pjnamh32.exe
File created	C:\Windows\SysWOW64\Qiladcdh.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Bfpnmj32.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Nlcnda32.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Ojigbhlp.exe
File created	C:\Windows\SysWOW64\Plfmnipm.dll	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Adagkoae.dll	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Qkkmqnck.exe	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Bfenfipk.dll	Nofdklgl.exe
File opened for modification	C:\Windows\SysWOW64\Onpjghhn.exe	Ohcaoajg.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pmojocel.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bfpnmj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2328	2552	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofdklgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfigjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcaoajg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojigbhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onpjghhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdmaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilhhdga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkkfmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oebimf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkmhaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll"	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmojocel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abphal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbhhkda.dll"	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkbpc32.dll"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedakjgc.dll"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll"	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmojocel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2808	2880	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe	30
PID 2880 wrote to memory of 2808	2880	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe	30
PID 2880 wrote to memory of 2808	2880	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe	30
PID 2880 wrote to memory of 2808	2880	a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe	30
PID 2808 wrote to memory of 2712	2808	Mkmhaj32.exe	31
PID 2808 wrote to memory of 2712	2808	Mkmhaj32.exe	31
PID 2808 wrote to memory of 2712	2808	Mkmhaj32.exe	31
PID 2808 wrote to memory of 2712	2808	Mkmhaj32.exe	31
PID 2712 wrote to memory of 2848	2712	Mpjqiq32.exe	32
PID 2712 wrote to memory of 2848	2712	Mpjqiq32.exe	32
PID 2712 wrote to memory of 2848	2712	Mpjqiq32.exe	32
PID 2712 wrote to memory of 2848	2712	Mpjqiq32.exe	32
PID 2848 wrote to memory of 2736	2848	Ndemjoae.exe	33
PID 2848 wrote to memory of 2736	2848	Ndemjoae.exe	33
PID 2848 wrote to memory of 2736	2848	Ndemjoae.exe	33
PID 2848 wrote to memory of 2736	2848	Ndemjoae.exe	33
PID 2736 wrote to memory of 1864	2736	Nlcnda32.exe	34
PID 2736 wrote to memory of 1864	2736	Nlcnda32.exe	34
PID 2736 wrote to memory of 1864	2736	Nlcnda32.exe	34
PID 2736 wrote to memory of 1864	2736	Nlcnda32.exe	34
PID 1864 wrote to memory of 580	1864	Nigome32.exe	35
PID 1864 wrote to memory of 580	1864	Nigome32.exe	35
PID 1864 wrote to memory of 580	1864	Nigome32.exe	35
PID 1864 wrote to memory of 580	1864	Nigome32.exe	35
PID 580 wrote to memory of 2012	580	Nodgel32.exe	36
PID 580 wrote to memory of 2012	580	Nodgel32.exe	36
PID 580 wrote to memory of 2012	580	Nodgel32.exe	36
PID 580 wrote to memory of 2012	580	Nodgel32.exe	36
PID 2012 wrote to memory of 568	2012	Nofdklgl.exe	37
PID 2012 wrote to memory of 568	2012	Nofdklgl.exe	37
PID 2012 wrote to memory of 568	2012	Nofdklgl.exe	37
PID 2012 wrote to memory of 568	2012	Nofdklgl.exe	37
PID 568 wrote to memory of 1736	568	Nilhhdga.exe	38
PID 568 wrote to memory of 1736	568	Nilhhdga.exe	38
PID 568 wrote to memory of 1736	568	Nilhhdga.exe	38
PID 568 wrote to memory of 1736	568	Nilhhdga.exe	38
PID 1736 wrote to memory of 2300	1736	Ocdmaj32.exe	39
PID 1736 wrote to memory of 2300	1736	Ocdmaj32.exe	39
PID 1736 wrote to memory of 2300	1736	Ocdmaj32.exe	39
PID 1736 wrote to memory of 2300	1736	Ocdmaj32.exe	39
PID 2300 wrote to memory of 2404	2300	Oebimf32.exe	40
PID 2300 wrote to memory of 2404	2300	Oebimf32.exe	40
PID 2300 wrote to memory of 2404	2300	Oebimf32.exe	40
PID 2300 wrote to memory of 2404	2300	Oebimf32.exe	40
PID 2404 wrote to memory of 1676	2404	Ocfigjlp.exe	41
PID 2404 wrote to memory of 1676	2404	Ocfigjlp.exe	41
PID 2404 wrote to memory of 1676	2404	Ocfigjlp.exe	41
PID 2404 wrote to memory of 1676	2404	Ocfigjlp.exe	41
PID 1676 wrote to memory of 668	1676	Ohcaoajg.exe	42
PID 1676 wrote to memory of 668	1676	Ohcaoajg.exe	42
PID 1676 wrote to memory of 668	1676	Ohcaoajg.exe	42
PID 1676 wrote to memory of 668	1676	Ohcaoajg.exe	42
PID 668 wrote to memory of 2284	668	Onpjghhn.exe	43
PID 668 wrote to memory of 2284	668	Onpjghhn.exe	43
PID 668 wrote to memory of 2284	668	Onpjghhn.exe	43
PID 668 wrote to memory of 2284	668	Onpjghhn.exe	43
PID 2284 wrote to memory of 2492	2284	Oopfakpa.exe	44
PID 2284 wrote to memory of 2492	2284	Oopfakpa.exe	44
PID 2284 wrote to memory of 2492	2284	Oopfakpa.exe	44
PID 2284 wrote to memory of 2492	2284	Oopfakpa.exe	44
PID 2492 wrote to memory of 432	2492	Ogkkfmml.exe	45
PID 2492 wrote to memory of 432	2492	Ogkkfmml.exe	45
PID 2492 wrote to memory of 432	2492	Ogkkfmml.exe	45
PID 2492 wrote to memory of 432	2492	Ogkkfmml.exe	45

C:\Users\Admin\AppData\Local\Temp\a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe
"C:\Users\Admin\AppData\Local\Temp\a0ec77e8ee8a7567c053ca75af270efbe8a2046982e8ac218a8826339a3c5245N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\Mkmhaj32.exe
  C:\Windows\system32\Mkmhaj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\Mpjqiq32.exe
    C:\Windows\system32\Mpjqiq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Ndemjoae.exe
      C:\Windows\system32\Ndemjoae.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Nofdklgl.exe
        
        C:\Windows\system32\Nofdklgl.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Nilhhdga.exe
        
        C:\Windows\system32\Nilhhdga.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Ocdmaj32.exe
        
        C:\Windows\system32\Ocdmaj32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Oebimf32.exe
        
        C:\Windows\system32\Oebimf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ohcaoajg.exe
        
        C:\Windows\system32\Ohcaoajg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Onpjghhn.exe
        
        C:\Windows\system32\Onpjghhn.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Oopfakpa.exe
        
        C:\Windows\system32\Oopfakpa.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ogkkfmml.exe
        
        C:\Windows\system32\Ogkkfmml.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Pjnamh32.exe
        
        C:\Windows\system32\Pjnamh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 140
        59⤵
        Program crash
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abphal32.exe

Filesize
128KB

MD5
fa37b950ff398a2f57d467331ef16cd8

SHA1
c03aab64625350e53630a70b0792237cb417f83a

SHA256
407bbd383bee547203e4bb30543fe98f3b2d7ecc2014827e4b87d229dea4efae

SHA512
546c2fdf84716cec03d5fb2218dd585872fdeeaacfaee6a4cb6e699b4e3971b3ffbfd768603a168231df66931fd63c8e1ac92824714071ceee54d48ac387b1f1

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
128KB

MD5
8ef8385b12e67c8a2e91b7d1b09a3e42

SHA1
1a86c4bda68a3aa05605802b711d8bbdf371fe09

SHA256
e5e91f0887e63b38af6cafe2ad58ab11a7d37d620c6494633e5ce2f4c2d6e8bd

SHA512
06823f190750f4e1e21bf5b88357ab4a6e9aa8c7be8e77e62000655d62f9915f0b5a24d925884443b9c6c4548e46d6d1564647c84b0ccd028b9dcd0b7e43cee1

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
128KB

MD5
eaed74cf6996070fc27ca2f9ec603583

SHA1
61cc37f1baba0c9b64f8bfc015afc4b38ca57209

SHA256
841fa74e0b40aad1b1c2ffd220efce248663dc6951f9f23938d480ad5a0081b6

SHA512
458ad743a06b9178bf8f72849753e7165f262bf4c547379d0582afb6732ada1b0ff8fb8d464c060b8751193f52202643d85793a4814af18f4ff77d2fef6f915a

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
128KB

MD5
5cc49924fbbdeb19d104b47ed02cc871

SHA1
4c6393e370caef41ff61c64bb73d60b92a8c14c9

SHA256
430d698ede6e0a5dd110eee09962f5146211e1d4b94aac75f5936493ff1b7b2e

SHA512
53a6c6c431a7c3b6cc49a1896a617a2fc3a7fc783da7b7fee0636276e27b5720a315951713761a2673895f81a52a112a7d9e5b1a3260e692eb6cb91216d3dd11

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
128KB

MD5
80097aeea969ddab3899ff16279f78a6

SHA1
8fb3eceea1c2bf0486910694a00da50a71abe92b

SHA256
19b831779cb83766e89212dd9673c6af6ee2e9f3f53366bfb1013fb723838f43

SHA512
6922690ad436b3561c70b7ff3ec90ed1f232a11444919c3db301adbb83e844960a2f6f185e3fa38b0c6286739b2c6985488ecda844c479d7cee2cfa6169293a5

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
128KB

MD5
e53330671b513625469145fa3ae6aa2e

SHA1
5861b902411ffa81fa54854fd3dc07cf460322f8

SHA256
80ecda04af8199a6e0c339e8a5096e3333a0c4f951b822f3f2345955a72b8948

SHA512
7a54eb152a784ccc72f907664aa2c6e2c9bf1c18473c7bea91e93047c0067827b625246ada5d8a74b2bec9466bbbb2738071499ead15d40d3c931e60d25060bd

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
128KB

MD5
de340559a7b285a467aed861bee0d615

SHA1
03b26c86c59baea72b889e59e01a532a5013fd48

SHA256
3c5fbc1ea8a5611d99bb965b23ac03c25af3296f3c5395d328e87ce695cfbdd0

SHA512
31c20fb9113b7e3ee6866080af9c9eac117d882b3f3ee25b2a08105fe11ca9f4be17b8b72202eff1ba6bfba452f884388f265849dcfcedf583d5036204d6fa7c

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
128KB

MD5
607dcf49c634f1d72abe36dfec6dc5cf

SHA1
1235d3dfa728ae02dbd18fe079426d12a056f1c4

SHA256
269507b4171fe118a379c79298cf0c54cf1a47d79205dce9551f04827b285121

SHA512
45aa959a6b769ea418fe406593af486f02554d97e6bbc1b06d67d0051bc411dade1c79209fbfaa54e5f02bf75b8c07dec1db9f35d61a66be9df34aea1de3493e

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
128KB

MD5
0e68730e97d1b6f36c922943e08e50ab

SHA1
5d348d82c46a61e051a2a1546ac02c3e180b1308

SHA256
23de86bd91899a334ad69b7f9b74e5e3feb6f2e03dbdbdfae791411868cc6500

SHA512
22f30c11c1de264fd618ad9c7fcd11497db445684514fb5ea59e4dc4e54d742a5968761b4606f737beef152a812ba542b5c4d911cd26335f856f6b266c206c2f

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
128KB

MD5
1a1c84349a6b203d1e9e1442022778a7

SHA1
9e60fc571c15e13951f2220f16cddb8f53ba8e17

SHA256
fb5e6776325488d22a44fdbdfccb12e137136beffbc29a60ac3cc519a6243a1e

SHA512
c65010bac1977ed70658f29c65fd91aa5886f150a00ea68de7f119d90c0a5ed59680635c161477160dd8085111c9ec05adc71a9ef63f60394cd8c003e378aef5

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
128KB

MD5
6b1a689193858f89185d1edcab58d108

SHA1
cb8daeb71d3396b2609160057535f06b080f6f3a

SHA256
9cac2615fe1fedc42244fda6887c678ca84757870730ecc400fab921ec2d62a7

SHA512
7143ab80eb2e53aa7b0180393e20209c8ad590e59d13486cb6569014073015e02d056e2eb2428e96bd237738f7c06f0e689c23b89c461a4b41025a3f2d1395e0

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
128KB

MD5
9c6e15a1c7119cd18ce7b4e511abe3e3

SHA1
499208f1e0c99235d11e815123414f3c76b93a79

SHA256
91ac9befdb0ce0d1e2ac67fab577d4153cdfc0076699d70c237345b26dea6403

SHA512
0c74d9410bc0697c99f78000eda69844e8aa9c0c0a5a503e5674f62e1674bff7a43c0d3a40120b1171822ed77e590494bfd0515ced1f02f11c1f6fca845e9d6b

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
128KB

MD5
47d31de40a4331383519ca2dff1f7658

SHA1
26799e1a142ff2be1ac2a86c65f66ba3373935a8

SHA256
277fa1ccde5860af7ad626ab5654756410a2993a81d9f58851613fb67634639e

SHA512
b8515fe6d9c7c23db28dca281cfaad449171424d274297a6f80f28906ee68cf62e9e7798e0be221c92b7fee2cc6331c726708a18a049cbb2fe440328eccae2e2

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
128KB

MD5
358eef891b68236a405503ecfe30d1ce

SHA1
89473265093e8e97c54b4371002f3f0151297272

SHA256
e9850a5972e54153cca4fdeff99a88e793414dc792506bf25cc39cd11f34182e

SHA512
db94a0a54c21d3eec540de6420bc4dd5077e3dec3f31cbcaade0e160836a00fa1b1bc11ae5a8e442511d9bc301c8b4595d73bb49cd02ce1851cca7192785fc2f

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
128KB

MD5
dd146d7ef9e2a56079b9a73cf3f2d361

SHA1
cb33199841d0a70de289c32cc224ac4841ad8e9f

SHA256
cb8fa37884ad58067ddedbec15618c6f4e791d624765e8cdfddf57ba4cb39a0f

SHA512
7c793bbae8875c6f0f75f7878641844ccf86e162999c46e64d3bf5bca5dc34ff9154c236ff9a167f3303ab4f55c472f352ac73273bc8286a16a185ccb6823f95

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
128KB

MD5
f2d6803189e71646cd26047397ee2a70

SHA1
1f7ae8d50513f52541859a21785522ac22b12683

SHA256
e0f282d8a256516e2e96f1eb59aae9bcdf3870637642597722f70e3ec6c5c627

SHA512
3a3b11e3f5f3effcc644bd71604f5d472ddf2b9a4b5f2640802bcbcbb91b16ac48e4fa430b8c001f1f3f2d649343630c3f6b0a1d9a1037568f7b1a7be30a253b

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
128KB

MD5
bec7faca0f5f80a6bb7e1bcb475eca21

SHA1
fa8d7faad819a323b4dfff5b1ff7fb029586bfc9

SHA256
0480c7adb28fce18f50d9c84df6ae15e7780a30c844290c863ce406534868f6c

SHA512
318f89d9c9dce9a8bdf5b142e0c15f8c7af30b26b07441e6bb7a85f7d8d8570113180061e063952097760beae40fb8d95896ea005bd6003c02cbca26d6b60413

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
128KB

MD5
9a3e349cd359aaec081bf432b27d27ca

SHA1
6e45a6f5a0cd68ecbb9590049c925e016a52d5fa

SHA256
245c00e0a09417a4e9a0f6cab9722e30a8f74c1aa6375d73e7132af5ca3b3dd4

SHA512
b33585c74dddb08f69946cbf99b47d294b93efaf4636d0d1e46655cc96da1b8703ff665adea27c1c5374ec3cae6c6fcffee3678e0adbd6919ec64ee0ffe6a28e

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
128KB

MD5
c2719c2a857c45afd40efbf7befe3cc6

SHA1
d751117d98304a98fd8d757d545e95f226b3928f

SHA256
4e29e696dc3d5b6573d746c98570c7caf0d67044170b7825728a64c60182b2cb

SHA512
27b41e8a17093e702290bc5c6bd6349c4d9e2303ee4726353ac1657b3a71ac7240f1def8fb1664ce3edd33fcd567746cfa5e6434303a23acd411ddced873bbbb

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
128KB

MD5
ac2dd5248da2eab7c158fae99eff0049

SHA1
0944baff73b5f22ce929e5953dcc00a4f5e63cbd

SHA256
83bd487c5290906cc9d8473a75b0ae57fed7c4294c17f0fa21ecfa5556e1d763

SHA512
79044af5cf6e85f92555e69595df4ad445690e28370906706e6e64fd8a7e50fdd5eae2a146c6d7704183d4a48e7f5be8b54945e6f62213a3074388d2ef3669d2

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
128KB

MD5
9f1e9916965b6d2796771d7da85df2ee

SHA1
1d43d7c87a6bb6e2a793a21ce83efcab31158af2

SHA256
c0af928365b8ac3c8d9fa0d87cc5eaf504c98cfe42d1032cbef604d76efcefde

SHA512
eaca6e330824f5ec2f9572502453f51f0b16c0d7f1909ef37de8bd0c74b8230d3a8990069d5264c47963a25e616eb9e56725b9598b9d5ec4666343fdfc40485b

Download Submit
C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
128KB

MD5
31e7ed859df8891856e3c2a7ab0c73ed

SHA1
837856c75f7778aa6496405f5a584f24361764a8

SHA256
3756629926a256e2c15909a0642984ac8384edb82397c90c0646938a252db9b6

SHA512
2290ab61e730b41ed9d30b97fff5670ff2ec59a06c11a22c352dd3d5b4213aef1b97fd13f9b3a8eb2e2f5000ce3e7e39b15770f96f0eed431354082b82699a38

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
128KB

MD5
a68b29185872f4ab92da7b0380a3c8a4

SHA1
1ae32523b377ee3eaacba96f7ce1fa59bac8fd5f

SHA256
85c831ce0d4cab251ad44e904eac8f1477235d264f8ce5820949bdbae05bed06

SHA512
1f24cab633479670cd3d2805336e6cb61fadd59fad0127566fbd3068f9af990d4f54eb2c1034221e091cb216f390698aaf408af901fb501ba5d2c6f05ae1c76d

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
128KB

MD5
d27b85e10dbb50fa561161062a60a3df

SHA1
56c950fd31a2cea285812d135d390a4b5e7a546a

SHA256
a37a5b87a703b786b376b2c277227c552426b4e651115d3a7664c77ae16c8ef3

SHA512
c04b77a156a068609fd59b31df6791d7d4cac41c763e183f0aba9e581b50eeb4eeec5ad2d3e6dce9ce02eb87a83ab54e97651e4cd32dcc5441654ce4a2d42830

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
128KB

MD5
791e157b2e64c4a2419fd4b24ef2f800

SHA1
0e4471469e2e1ed322f14cc461c9ad2aeb502b20

SHA256
4399022075ff6ba5d16f3b2087356fb34e15b3832535ddf18b706a9040ee7a2f

SHA512
a6434ea557521485943de2044829c036acf4e52c64a7fcf1846f69d9579c2cdeab26c2b99933a0e676c57d4bafc84556ff25b848d9287ff923372b4d5b11f0ea

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
128KB

MD5
d3af4d03c45540ef7e6fefd51ee90bf6

SHA1
ef3e58577828af093ef51ee69a299ab0def60b86

SHA256
ed5022d775edf2bebe37dcab1b2c5c5a0ab963a5c4d4e0b876f985e2b0605e91

SHA512
4b9ebab02857030380cd12783203dd7ab8980947abca0f9b03bfe345215e794dc17a6b4a55d33f52c33c9e446e2157acab66f015cb5f27715f32c478d0d7112f

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
128KB

MD5
ea584297e20f55b3327aa5d8e40cef48

SHA1
1df28f140d92614bc2094d271694becae2756ea3

SHA256
77b4108d4c3c6a28a050e8486930fe519a6752f56c6341904872ac34956e1359

SHA512
2dbb0da2996e3c37f0ec70422cf8e6f5317a10d9015832a6f6017748bcd6a0913e5d13d276d7a46cf9859034b664c86e4c790d2c6fef7313f2c0bcf6150fea49

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
128KB

MD5
61e8be5dad047ebbda0065948fc20845

SHA1
ef46799fc712a5acb6ac214984d5990ce9a2b364

SHA256
de429ce65c746b76bcc64b103a78f50f9cadfdacf9b052690fd5c90d8bb1a616

SHA512
de10a8c7372bb5f6764f70fb290dfb87600bad4deb31de3e0d7d1461745daae944efef9bd459e8ea7023289adc6b9b4c5bee173be4a6932ab6993b0dff047c3d

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
128KB

MD5
3183ae1669f7fe0c5504d4f2ad919093

SHA1
679408f006481b995a11c5d6c857f21221ed8ad2

SHA256
c7d4656b4dd82cc3cc4fa921702865983e33551a4fd3369edcd7122babfe3dbb

SHA512
19ac3e5bbbeaa8d0ab32fcd5bf1602c7771e49028adfa6bf71c0b807749802f9674be562d7b62b33c50b91cf795787fff55cbf2fff372ab154b19139832cb1fa

Download Submit
C:\Windows\SysWOW64\Oebimf32.exe

Filesize
128KB

MD5
a59da90d29c8ce1d290bf6a5d31f2fe2

SHA1
51b28891052bab1aeeb95bb0a539eb04bdee89b9

SHA256
df785322e6c16096220d74ae24698f9035913d8113883b10f63723ae3fa7ba59

SHA512
73a4d1fa505a85ecc823e387b9121b6c7722599fe908b0009a33532f60044985a02d3031d968c59ece4d95263976f1631f30900ea1af1ab577539c62ce59f3f9

Download Submit
C:\Windows\SysWOW64\Ohcaoajg.exe

Filesize
128KB

MD5
8d620eecd5b473afe4eade2c004f0c0e

SHA1
5643654ac18a93b575641af05fc81f70302ed82c

SHA256
582e76fe8c49a2bcfe495d78bc2ef4c93174213785e6742fc4e6d5203e05d962

SHA512
26e2f1086f25e03889290232798672859f4ef4a3eeddb0d9948eb33c3f627bb0611ae218f6a8d4841a5ab470c323bbd953f6a57d8a90c9dc884b8fdcead0e8be

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
128KB

MD5
d300efef8a36e2b03da7aebc9891131d

SHA1
a8e2406be23b31e90b6ebe1e6d61f4844f9081f4

SHA256
2ea3a6bea190ca29e0055ac279f202c003ed8923c4e96795d726fdcb3deaea49

SHA512
26311d8c2b5031d92ff349e2534a52f3ecfea39888a876fba18f45abddf0a130abb8aa4eec4271d1801a7ea6ade22ac1c549bc0ee82600e95e81338854d67bb0

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
128KB

MD5
6ca0ca91b666ea37160ac5e95af006fe

SHA1
6619d0ed2150985346f47139b98754142198c541

SHA256
de8a28fdd02b79fd501ee2b9ca4b63631712f573558932014fa33d9366b6dfb9

SHA512
8186965e6e781eb67aa900a36062536e90faa9dd85e9dbe3b5573409a9c7c6f067f93eed5a94a2c14af60941a39a2ca4ac0e2394d7e0f6d2e34347c36f1e3731

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
128KB

MD5
6a853f55abf0ddf263c88de21910b0e8

SHA1
f96588406bdb72ab903a99596266139deb95d947

SHA256
032da31f92286d4069ce909571cae831ff64433e4ac0eaddc47aa2a45744a179

SHA512
4c25bedf2530f619019f22b1b7c9cfeb0e46924440eef212a2600be4d9a2dd4f44359c22edf06ba7a223f8d578a2808a3654657e1abff844255d3dc839cde7d0

Download Submit
C:\Windows\SysWOW64\Pgbafl32.exe

Filesize
128KB

MD5
66f3f24b180687acceb65b546814e37a

SHA1
14e9c566f79c95f578f4cab1d27c7f3d268ba072

SHA256
7cc209de075b018af01e5850de3efb1e8051f3c7ebfdde078cbaee4ac534c219

SHA512
479325443257491b216b99e351834a4af31f5eef6da8fd86d7b669875b86ac6c4c8d5228f1de5cf47513785af143eea720a8c503bd36268198bafe5cf1af928a

Download Submit
C:\Windows\SysWOW64\Pjnamh32.exe

Filesize
128KB

MD5
ed76c94db88149953651bc19e91ccf57

SHA1
0d7f9a81fc57f2267e1fb3f1a2d1453ac38a1d38

SHA256
225497fb8675d6cd2434d18146beff9c2c6cbaab9118ce086a634d9d79a3756b

SHA512
984c15169b68d3b66233dc7394436d582900e2e17f194d3c3be84aa3452daeda9e6ffd4eeeae293ea34c0bb31a38776af1c98de4fa800c0496b4b7d80ce25245

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
128KB

MD5
1fd80b2f40961c15a82a1f7d07958f05

SHA1
cdc00398038a8aa86f13be6fc36caef2fb616630

SHA256
47718dd7f78c0e32d0e82c724455fb14e048bf04dcac72c00ecc7625ebb4f03e

SHA512
0651ba7dbc46e9e4f774aade065c8f212a6f90b5056c9bfd482a6c5fde5b0328bc300263508b4ddf0d9e42d56cbed7e688de660315610138622493ffdfdadd58

Download Submit
C:\Windows\SysWOW64\Pmojocel.exe

Filesize
128KB

MD5
3c6026b1ac1e1aafde43550b05780b72

SHA1
42317b34017716398a905fe211a483899fa7d542

SHA256
62f12210da29b12df0d240cb92e68163fffd59ee08086b9f908074bb405b98c6

SHA512
0b34601859457f3486a576cdccfd08d6f1ddbb577d799c860d710c476b4f956062803cdcfa43b561560387858cfa70cf3edcca30a1dfbadd7639597d472e982c

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
128KB

MD5
7580a7fdbce8b00c5adefaa6f7059ffb

SHA1
bab69b715e6049baa924994d3fe9bd86deaecd59

SHA256
94001ed27c0077405f113bcc420b31a91e2296a162b0aaad30cf395063a2314c

SHA512
ae98c8c48581f32a5c27e7f1f5cdb8cbc453085fe2e2d4ceac0ab56ebae40fe7bf45d203884046a8b98a07b8b0749869f72bcbd2e2506cd128cdc4289bd7a7fa

Download Submit
C:\Windows\SysWOW64\Pngphgbf.exe

Filesize
128KB

MD5
9e6ac84f5e2c4574052baf960d26f758

SHA1
01cbe9bc67eb580f32ef56c580985a92ecdaa22e

SHA256
efe6c7a3d16082550d6cf07df028dc3196b97474915e6e4a62169458d3fe9475

SHA512
7dd6245b1ea73bd0fe23f6d08f67a20e4a01bc2c5906f3ef774c22446a556443c016fca1d106c3f49c62ef805ea317ddf0fab2c15c5589620205c77f307153ae

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
128KB

MD5
346742f660770041727644e3b4f9138e

SHA1
fcb4171d260dada4f003dc88cd8146c59a04e77a

SHA256
b422f24497ee0175d210d403aec64fc510d854aff286ad2aa507223fe9bd62ef

SHA512
5eaaced960367be7996dbd9e1d6ce260c328857d67c00ae8ff02098a833063d17b5a91cd41c964c7feeb8c040e2f6268c24f1b138cc2f71707e92eb04d45fb9c

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
128KB

MD5
69fe3eb375ceb13c4f7bb7286c381c30

SHA1
0724d188170f1a6371bf0df16b729a8d0d805f87

SHA256
ec24d7a78b5e0bd2a624e9256606d4074b8613b5249714f0ca04b7481b855ad7

SHA512
dc79f25bf8919f5fba7c34350b4e412a5184b459398ac47e8fcf5c852220f9e4cb12933da8fd75d31914f5b4d16c07e5efa2ad582875ca1fa0c469818575f43b

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
128KB

MD5
3b7c447bd881bbdadc29c466870a816b

SHA1
2abc914a2c66027491c8e54f5e4035e41361c4f8

SHA256
1ac058e1f4cd091604e7ef8f14d07ebbc0fafa09add69c7c9d20111952d1e503

SHA512
1f4f032990b97b68b8ad307bf2725bb8fabb876dba84af86f8b9e3f21cfab68211eaa56088cb3a28134c77fed38ac71cbe1606c51c4bc06e84134e88c5dc2b5e

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
128KB

MD5
bc1d1df70f2ad122fd93f01f743963ae

SHA1
3138540cf316d3d8fc00eb6a83e289e01344ec0c

SHA256
680c93c63ea5ff700657f5b2cd0148ab41e80395e88b9740c9897475273a3849

SHA512
8680d7cacd70b8f72efba9d5a10a3edc05573b443a76b74c0d5576ed3ef45c4d6d31c24620b0fcef5a8d24ecc14813f419253e56451c73736191226ebc1e4beb

Download Submit
\Windows\SysWOW64\Mkmhaj32.exe

Filesize
128KB

MD5
cb7a52d205aa17cc48165f3c9202c3c9

SHA1
b91669ca9e01ef7c85d22df8a09df22d9b5643cf

SHA256
0bcb21bc170525b394709667659c8bd86c55966644a4b3046fc425979570f389

SHA512
8fd253893f91c0bf8d4a7d9c2458d238fb98a8116759ef9c57c25843846ecacc3cf8be9cf0d2c77753094b057bb76c1b6e5cdccefaea09f39120287747e415a5

Download Submit
\Windows\SysWOW64\Mpjqiq32.exe

Filesize
128KB

MD5
2e46468ba6ed5f828a62b7504323b788

SHA1
3fd5870e27e7abe008245b677813790d6e63e495

SHA256
7cdf589528c03bd1306e14362959dfade218cc3c8119a0099b97017387527497

SHA512
cc6445fadadc5bb73aeba1b707885bbccf788ebe191c62e57fe6e630561b06926c4d40aeb59f74940d1587ce0965428459b44fdbb98fff8ccc329757a2a78e7a

Download Submit
\Windows\SysWOW64\Ndemjoae.exe

Filesize
128KB

MD5
bdd245f694fe283cb9600858783367d0

SHA1
7e3e12bcaf7973c3431fa7896abe3dbe617b7c93

SHA256
7ac0679e4a4792af4523263604956825620ec97fff4d9d3e1b39da4fc27722d5

SHA512
b3a50ea5f85b7a40e72c2c8117025c94908507cd2c274e04a7ed6e61b05a4ba62ddf2819a0c278a6f298decb9a0efafeb3885263289531e7ce87b8d1a0f642bb

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
128KB

MD5
85f9c8f2d9b44c718166f7638ed30f56

SHA1
fec00131d376d9a01b190b325bebfe6d9460ff91

SHA256
6e127e9efec9212953b2325476f1e158838d6ed3af7d198f2e9aa2f90ea58b50

SHA512
85f99904b17618bfee9495aa67ef476652ae6a04cd202bf98589061b990eae3381df02be8436edc8aa85bc4ac06d83b7f6abbc42f2e4070f9fd6b312dcc2bf8d

Download Submit
\Windows\SysWOW64\Nilhhdga.exe

Filesize
128KB

MD5
b5173ec826966633f3a2e73cb64d0e76

SHA1
4cb73f7f7a473c643b39ae375289cf26bc48d8f2

SHA256
ea2e1adb5f09d8d3056d4abb7299e33acaa646f72000379b4bb90cc69fb0061a

SHA512
69e2ec17ac510ea25d8885444cb6612d4540c295c128d9480ead2537c0ebe71f8a0a657def809b3a011fb28659a19a3ca71310fa045bf5cc7e30532efd3bdee4

Download Submit
\Windows\SysWOW64\Nlcnda32.exe

Filesize
128KB

MD5
46f8bca152a5338f7b246b69e735da82

SHA1
732b56ab461347ade21460c98ae38e323aebe7f0

SHA256
f8654c91c24136934b695d739b09f9ddd8ef708fe724db55b460a27520233f9b

SHA512
35dcea92c2b4a97d11746583e090f0a93c9cd56b1027d9e91779b4cd9da95c1798574c3a7a1fe30df103a973133e8f29d5120e5a57b66f27c55b0349700411c2

Download Submit
\Windows\SysWOW64\Nofdklgl.exe

Filesize
128KB

MD5
fc013b4129ebaec258c6f329d6bded39

SHA1
1aae96b4225280b326dd15121a5ada1985b7e23c

SHA256
3b057a92bd2c0da2f40e68794c2c64de419b1b585f1308847b04343f381d59e5

SHA512
7efe3d7269549c18af70608038b17d4bc61d2cd9a3799a64395f3e5f664f147547c968edcb8697e0a58743639f0327b5f9bfad3c4c47e1301ce68a4306f4de66

Download Submit
\Windows\SysWOW64\Ocdmaj32.exe

Filesize
128KB

MD5
07c97d04003d803e3a402735b8778979

SHA1
af7ce6a22f030516d57ae066677db4114cf5c918

SHA256
791b647fe33264b9e05d5376852160ecf595c43e74664da9297898772e6fa5ff

SHA512
4ed0124be0740611b4ab89d38cae72cb0a9a11d5106dc3bf9f3e267f454f3b1b9dfeccb63069f1c385ee978d22bd5226ce0934a6aef1fba20ea5d48f90583017

Download Submit
\Windows\SysWOW64\Ocfigjlp.exe

Filesize
128KB

MD5
83c27fd26300a4ab334eee7e1c1c39c1

SHA1
936a405ccdcacae51e5b7bd893b56fcf21734b52

SHA256
8259068aa337025a25ee6315fae9e83327a08c140d33958fda367321212fcb97

SHA512
40438943f59d2a46c9f7f91e7987a4f4e8eb57c5dbc6dc2ff4659aaaf19bf95a89a79af1771aba04b06e77aae1bb26c106f1d8a6f35403609c5495688de22828

Download Submit
\Windows\SysWOW64\Ogkkfmml.exe

Filesize
128KB

MD5
c56109750061e51bf81440c80f3a2829

SHA1
ff65b229507c41953dac0eb67122f4d1f6f138e5

SHA256
faa4785397f72558bd2270f0d237d1b40662273989471ccee90ec089eccc9b72

SHA512
f7885319da0af07d9caf1f273cc1457f82f2ab1e82a8577526033479245bea3db7e8d8b4b19489285b23cd8689fce5804276221f14865548f1f9489b432d074a

Download Submit
\Windows\SysWOW64\Ojigbhlp.exe

Filesize
128KB

MD5
abbe09e11c0565ffc3b19c6044fe4cf8

SHA1
e727f4c54bd8e8634c671d64a69e17773ceb4bc9

SHA256
ffb104ade1a4eb8a2cfdb9f78dd72f599d8a5232338f6c7300f83d3c1f743723

SHA512
a7d27ac0d525f866573d617cc5741d64f73092e70570ec0fd0cbd5a1a7eb0869eaf897c6359b18a1ad20da91175c65cc2e32fe57ba9c838577d9bba74cfb261b

Download Submit
\Windows\SysWOW64\Onpjghhn.exe

Filesize
128KB

MD5
87c735d86d3bfc8e3d0e31388ca5ef48

SHA1
1b27a8eb6e0174b984997b936a06d1611d53d306

SHA256
e4217f2af90f71a242b44bf17fb0bc157e143b3eb84c36a34e716efc27c4528a

SHA512
e678a74fb507a4214f22ae2fae7fbb656b697843be5e54130addec6e5b151ca02cf9503b3b1791df81793917cda01b64b6a23bca3e0ef6b6a3eca80346e9596d

Download Submit
\Windows\SysWOW64\Oopfakpa.exe

Filesize
128KB

MD5
625f3d41ef44d66d20e9205106295673

SHA1
7ecfea8bdd379440cdd70eba143a633ae8e38802

SHA256
1e373eead552a20a7156f69c01f9de4b6112b73920d68aa1f6a9d5e319e3d5a4

SHA512
c152bde203f1ca6c62e10355463be4aee9c5d82043aed62f7431d6546733ec3ac17a3dc2eef7aa99d6f268aefb624dbb1d53b63d64d986bda78f72f2881d804d

Download Submit
memory/432-226-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/432-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/432-225-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/568-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/568-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/580-87-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/580-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/580-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-182-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/668-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/904-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/992-298-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/992-299-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/992-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-354-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1092-353-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1092-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-245-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1344-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-493-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1472-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-255-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1540-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-256-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1676-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-169-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1712-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-309-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/1712-310-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/1736-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-266-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1744-267-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1852-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-468-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2060-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-469-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2088-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-448-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2208-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-477-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2284-196-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2284-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-140-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2320-277-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2320-276-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2384-412-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2384-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-470-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2404-159-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2404-158-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2404-481-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2404-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-287-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2576-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-288-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-320-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2652-321-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2660-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-361-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2712-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-38-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2712-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-39-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2712-375-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2736-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-61-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2736-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-376-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2768-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-328-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2768-332-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2808-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-11-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3000-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-341-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3056-342-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads