berbew | 62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dc

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
Size

63KB
MD5

a9e60610e7549f8a014d413ef70b8ed0
SHA1

0caf78fc0f3c66966a5262173a154ab7c807f935
SHA256

62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dc
SHA512

b18ebdd1b034fd1a3f9c9d2cbf489839b99f3d4721ccaf83b63edd5a2f45776a8af99661f3cd17bad5404b6ff5429c4bde9fc377cd32d4ec11bd3acdf2aa3267
SSDEEP

1536:LxdtgtT1xMV02c3jjPKHCPTHlHIA+VZEn9rjDHE:1ayV02kjjPKiPTH3oZk9DHE

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oagmmgdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oebimf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oagmmgdm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkkfmml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oebimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odoloalf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkmdpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odoloalf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 52 IoCs

pid	Process
2808	Nkmdpm32.exe
2864	Oagmmgdm.exe
2676	Oebimf32.exe
2524	Odhfob32.exe
264	Oegbheiq.exe
1720	Ohendqhd.exe
2412	Oqacic32.exe
3020	Ogkkfmml.exe
3012	Odoloalf.exe
2664	Pkidlk32.exe
2508	Pqemdbaj.exe
1248	Pfbelipa.exe
2260	Pokieo32.exe
2196	Pjpnbg32.exe
2248	Pqjfoa32.exe
1292	Pbkbgjcc.exe
772	Piekcd32.exe
1068	Pckoam32.exe
1956	Pihgic32.exe
1784	Pndpajgd.exe
2352	Qgmdjp32.exe
1696	Qodlkm32.exe
980	Qjnmlk32.exe
1044	Aecaidjl.exe
1788	Ajpjakhc.exe
2764	Annbhi32.exe
2948	Apoooa32.exe
2708	Agfgqo32.exe
2796	Apalea32.exe
536	Acmhepko.exe
1152	Amelne32.exe
2120	Bilmcf32.exe
1184	Blkioa32.exe
2896	Becnhgmg.exe
2520	Bhajdblk.exe
780	Bphbeplm.exe
2564	Beejng32.exe
380	Bonoflae.exe
2032	Behgcf32.exe
2164	Bjdplm32.exe
2296	Bmclhi32.exe
1856	Bhhpeafc.exe
1240	Cpceidcn.exe
1520	Cdoajb32.exe
1816	Chkmkacq.exe
2408	Cgpjlnhh.exe
296	Cinfhigl.exe
1624	Cinfhigl.exe
1892	Cmjbhh32.exe
1544	Clmbddgp.exe
2712	Cbgjqo32.exe
2692	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2996	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
2996	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
2808	Nkmdpm32.exe
2808	Nkmdpm32.exe
2864	Oagmmgdm.exe
2864	Oagmmgdm.exe
2676	Oebimf32.exe
2676	Oebimf32.exe
2524	Odhfob32.exe
2524	Odhfob32.exe
264	Oegbheiq.exe
264	Oegbheiq.exe
1720	Ohendqhd.exe
1720	Ohendqhd.exe
2412	Oqacic32.exe
2412	Oqacic32.exe
3020	Ogkkfmml.exe
3020	Ogkkfmml.exe
3012	Odoloalf.exe
3012	Odoloalf.exe
2664	Pkidlk32.exe
2664	Pkidlk32.exe
2508	Pqemdbaj.exe
2508	Pqemdbaj.exe
1248	Pfbelipa.exe
1248	Pfbelipa.exe
2260	Pokieo32.exe
2260	Pokieo32.exe
2196	Pjpnbg32.exe
2196	Pjpnbg32.exe
2248	Pqjfoa32.exe
2248	Pqjfoa32.exe
1292	Pbkbgjcc.exe
1292	Pbkbgjcc.exe
772	Piekcd32.exe
772	Piekcd32.exe
1068	Pckoam32.exe
1068	Pckoam32.exe
1956	Pihgic32.exe
1956	Pihgic32.exe
1784	Pndpajgd.exe
1784	Pndpajgd.exe
2352	Qgmdjp32.exe
2352	Qgmdjp32.exe
1696	Qodlkm32.exe
1696	Qodlkm32.exe
980	Qjnmlk32.exe
980	Qjnmlk32.exe
1044	Aecaidjl.exe
1044	Aecaidjl.exe
1572	Achojp32.exe
1572	Achojp32.exe
2764	Annbhi32.exe
2764	Annbhi32.exe
2948	Apoooa32.exe
2948	Apoooa32.exe
2708	Agfgqo32.exe
2708	Agfgqo32.exe
2796	Apalea32.exe
2796	Apalea32.exe
536	Acmhepko.exe
536	Acmhepko.exe
1152	Amelne32.exe
1152	Amelne32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Eelloqic.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Aobcmana.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Kpkdli32.dll	Oagmmgdm.exe
File created	C:\Windows\SysWOW64\Odhfob32.exe	Oebimf32.exe
File created	C:\Windows\SysWOW64\Aalpaf32.dll	Pokieo32.exe
File opened for modification	C:\Windows\SysWOW64\Pckoam32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Pndpajgd.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Oegbheiq.exe	Odhfob32.exe
File created	C:\Windows\SysWOW64\Pqemdbaj.exe	Pkidlk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Oegbheiq.exe	Odhfob32.exe
File created	C:\Windows\SysWOW64\Oqacic32.exe	Ohendqhd.exe
File created	C:\Windows\SysWOW64\Blkioa32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Blkioa32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Oagmmgdm.exe	Nkmdpm32.exe
File created	C:\Windows\SysWOW64\Ghkekdhl.dll	Ohendqhd.exe
File opened for modification	C:\Windows\SysWOW64\Blkioa32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	Pfbelipa.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Odoloalf.exe	Ogkkfmml.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Pihgic32.exe	Pckoam32.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ogkkfmml.exe	Oqacic32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pbkbgjcc.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Clmbddgp.exe	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Pqjfoa32.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Apoooa32.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	Pndpajgd.exe
File opened for modification	C:\Windows\SysWOW64\Qgmdjp32.exe	Pndpajgd.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Aaapnkij.dll	Oegbheiq.exe
File opened for modification	C:\Windows\SysWOW64\Pjpnbg32.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Pfbelipa.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pqjfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Amelne32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Oagmmgdm.exe	Nkmdpm32.exe
File created	C:\Windows\SysWOW64\Kedakjgc.dll	Oqacic32.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Clmbddgp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2080	2692	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkkfmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqacic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odhfob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oebimf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkmdpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oagmmgdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohendqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odoloalf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbelipa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegbheiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalpimd.dll"	Oebimf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkmdpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpjaq32.dll"	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcpdm32.dll"	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqacic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelloqic.dll"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaapnkij.dll"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedakjgc.dll"	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkmdpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2808	2996	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe	30
PID 2996 wrote to memory of 2808	2996	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe	30
PID 2996 wrote to memory of 2808	2996	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe	30
PID 2996 wrote to memory of 2808	2996	62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe	30
PID 2808 wrote to memory of 2864	2808	Nkmdpm32.exe	31
PID 2808 wrote to memory of 2864	2808	Nkmdpm32.exe	31
PID 2808 wrote to memory of 2864	2808	Nkmdpm32.exe	31
PID 2808 wrote to memory of 2864	2808	Nkmdpm32.exe	31
PID 2864 wrote to memory of 2676	2864	Oagmmgdm.exe	32
PID 2864 wrote to memory of 2676	2864	Oagmmgdm.exe	32
PID 2864 wrote to memory of 2676	2864	Oagmmgdm.exe	32
PID 2864 wrote to memory of 2676	2864	Oagmmgdm.exe	32
PID 2676 wrote to memory of 2524	2676	Oebimf32.exe	33
PID 2676 wrote to memory of 2524	2676	Oebimf32.exe	33
PID 2676 wrote to memory of 2524	2676	Oebimf32.exe	33
PID 2676 wrote to memory of 2524	2676	Oebimf32.exe	33
PID 2524 wrote to memory of 264	2524	Odhfob32.exe	34
PID 2524 wrote to memory of 264	2524	Odhfob32.exe	34
PID 2524 wrote to memory of 264	2524	Odhfob32.exe	34
PID 2524 wrote to memory of 264	2524	Odhfob32.exe	34
PID 264 wrote to memory of 1720	264	Oegbheiq.exe	35
PID 264 wrote to memory of 1720	264	Oegbheiq.exe	35
PID 264 wrote to memory of 1720	264	Oegbheiq.exe	35
PID 264 wrote to memory of 1720	264	Oegbheiq.exe	35
PID 1720 wrote to memory of 2412	1720	Ohendqhd.exe	36
PID 1720 wrote to memory of 2412	1720	Ohendqhd.exe	36
PID 1720 wrote to memory of 2412	1720	Ohendqhd.exe	36
PID 1720 wrote to memory of 2412	1720	Ohendqhd.exe	36
PID 2412 wrote to memory of 3020	2412	Oqacic32.exe	37
PID 2412 wrote to memory of 3020	2412	Oqacic32.exe	37
PID 2412 wrote to memory of 3020	2412	Oqacic32.exe	37
PID 2412 wrote to memory of 3020	2412	Oqacic32.exe	37
PID 3020 wrote to memory of 3012	3020	Ogkkfmml.exe	38
PID 3020 wrote to memory of 3012	3020	Ogkkfmml.exe	38
PID 3020 wrote to memory of 3012	3020	Ogkkfmml.exe	38
PID 3020 wrote to memory of 3012	3020	Ogkkfmml.exe	38
PID 3012 wrote to memory of 2664	3012	Odoloalf.exe	39
PID 3012 wrote to memory of 2664	3012	Odoloalf.exe	39
PID 3012 wrote to memory of 2664	3012	Odoloalf.exe	39
PID 3012 wrote to memory of 2664	3012	Odoloalf.exe	39
PID 2664 wrote to memory of 2508	2664	Pkidlk32.exe	40
PID 2664 wrote to memory of 2508	2664	Pkidlk32.exe	40
PID 2664 wrote to memory of 2508	2664	Pkidlk32.exe	40
PID 2664 wrote to memory of 2508	2664	Pkidlk32.exe	40
PID 2508 wrote to memory of 1248	2508	Pqemdbaj.exe	41
PID 2508 wrote to memory of 1248	2508	Pqemdbaj.exe	41
PID 2508 wrote to memory of 1248	2508	Pqemdbaj.exe	41
PID 2508 wrote to memory of 1248	2508	Pqemdbaj.exe	41
PID 1248 wrote to memory of 2260	1248	Pfbelipa.exe	42
PID 1248 wrote to memory of 2260	1248	Pfbelipa.exe	42
PID 1248 wrote to memory of 2260	1248	Pfbelipa.exe	42
PID 1248 wrote to memory of 2260	1248	Pfbelipa.exe	42
PID 2260 wrote to memory of 2196	2260	Pokieo32.exe	43
PID 2260 wrote to memory of 2196	2260	Pokieo32.exe	43
PID 2260 wrote to memory of 2196	2260	Pokieo32.exe	43
PID 2260 wrote to memory of 2196	2260	Pokieo32.exe	43
PID 2196 wrote to memory of 2248	2196	Pjpnbg32.exe	44
PID 2196 wrote to memory of 2248	2196	Pjpnbg32.exe	44
PID 2196 wrote to memory of 2248	2196	Pjpnbg32.exe	44
PID 2196 wrote to memory of 2248	2196	Pjpnbg32.exe	44
PID 2248 wrote to memory of 1292	2248	Pqjfoa32.exe	45
PID 2248 wrote to memory of 1292	2248	Pqjfoa32.exe	45
PID 2248 wrote to memory of 1292	2248	Pqjfoa32.exe	45
PID 2248 wrote to memory of 1292	2248	Pqjfoa32.exe	45

C:\Users\Admin\AppData\Local\Temp\62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe
"C:\Users\Admin\AppData\Local\Temp\62d8a6678f33604b1789a3c6587281d073400e8517312fd93e00667b6543c9dcN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\Nkmdpm32.exe
  C:\Windows\system32\Nkmdpm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\Oagmmgdm.exe
    C:\Windows\system32\Oagmmgdm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Oebimf32.exe
      C:\Windows\system32\Oebimf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\Odhfob32.exe
        
        C:\Windows\system32\Odhfob32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\SysWOW64\Oegbheiq.exe
        
        C:\Windows\system32\Oegbheiq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Ohendqhd.exe
        
        C:\Windows\system32\Ohendqhd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Oqacic32.exe
        
        C:\Windows\system32\Oqacic32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Ogkkfmml.exe
        
        C:\Windows\system32\Ogkkfmml.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Odoloalf.exe
        
        C:\Windows\system32\Odoloalf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 140
        55⤵
        Program crash
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acmhepko.exe

Filesize
63KB

MD5
4903dfe0e8affe288c52b553c538af11

SHA1
1b13fd2441e433370f125648bffd770257b8afe3

SHA256
826a07721a935cbd569c5769b5dcebf05415dc3e6f5b752de94330e6a917c294

SHA512
551ddcb7862468b10b5b824b1f1ace892d2d874cf08d12cf0cd93e3005fcac35d73f097fec5d10bb7ddb259c7d2faa93354bfc1383a56c0b97f4568d51b2c58f

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
63KB

MD5
c5d1a567ce6b1a9ab85c2f90486b58f2

SHA1
e8e4a84311cc122fa8e894c0199eb838588e931e

SHA256
8902594f3d4942ba0f3ebf8f6d55d54726abbf79cd57efae8707d18d2b010145

SHA512
834c2a07d00f6043577bd84fe972812a1ab7bd77cec7df66b2032eef6d46e5c64446f4667eac6981df49f4c53042e67c26813cb6a71872ef0780e629c2b1c8da

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
63KB

MD5
3564d0e667041846c4cfea7624c997ca

SHA1
8e45048c9bd9f54358837a376010275e3f05aea1

SHA256
448972cbf0556762c5d9ff48a3e57c30cd8cc211057bfaa774c09c03cb0db36e

SHA512
7b8b45a9bf16632bb5c3dd56ebe8dd41604aeeddb49820d5d5fd45cd49215bdf8e98489405648328a27e9559d984ee0594ac435b00ba958bd1209221e5790e46

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
63KB

MD5
4a7012ba8bc2830704544e389485ecaa

SHA1
e2951a5d99762e83387be703387f834585bde6ef

SHA256
3d16b62f351eceb9de0ac6ffa3565125883592f4ff538669f8f627d2aaefa27a

SHA512
4edf8809dd658948238234a5bdcdab1c59b0f5664be89ec9c69053359d8dbfa81209e2d54284d5d80ab7bf0fa37c524cceb1649d7a81d7e9a6de21c9f50b29b0

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
63KB

MD5
3df9a94e7390ca2ca7fef0a3c484837a

SHA1
ce024bafd59b1596ff11819a34d34768c611eca8

SHA256
a47ec73a6d62764a7d9b4fdd2f3852561f774b70ac728790578391ca35d8dd42

SHA512
58a0d7fb3b88e1a4638621e723936eacec41be8e93a09aa0a7e684e302482cadafeaf12b7a10ab97e90f96f091885e8574e3190f0570da08a79985b5ec004627

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
63KB

MD5
ef1fc423a67a6b1ba38eddb7ae80e893

SHA1
cd5e1016536251dd7ea913e330aacd313850a948

SHA256
32601cc7557852f23d04d71cfa2e57489b59e0becea92af7a82b678f29a70771

SHA512
4f22fdd960b14c1c50101fc2b044fca01ddb95bb83fd4e2a78fc73144d529b854243b0e17dcdaf47b17e1802cbb70ba22ed0e0146dc73411e0d91ff8c7873c3d

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
63KB

MD5
f9c3efb34426d20ccfa9632b9a3f1204

SHA1
758325acf6c9f606afb1bf2521b32caac9c510dc

SHA256
0be23fae885ca1deddd8a2e95c4dce4588c7a490aed3681e2eff0d67bc70f080

SHA512
179a3f5ee1df3e9600f0b25151d4e8eb5501b501f044120a1fc746dcd13ea7d03c7d6283ec03b19a364c8e47b3e46f6afe1f63700bbbc6bc44610365b5524192

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
63KB

MD5
978a6997a6b52158bcc3cefbdfeb65c8

SHA1
694838aef630a4d7dd9e67fb635db0fa3aba1294

SHA256
a9596b73cc1907fa79afb4828b48fcae96cced03ddb335fa73f1914791a7cd7f

SHA512
26e97062008b3ea97bdba34407bce05b1eb6033df0282056440f3309158efec5ac7f47e3b2c9f43cc1235fa9a03fd8e374651e411ebb7db665ecb765b8da71c6

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
63KB

MD5
76c40d9038bc3d95a6b87391589f2658

SHA1
930a07f5e219b39f2f111d748f0c341fdc4828b4

SHA256
bab05b8759daa90087ffd8a33d6ada117158d8329d083320f1943b6b217f3589

SHA512
39c51dfc40027877a9b75653602f8fce4bfb15ad3902d108e07af75fb3745c5b33c7bc6895f5cbfacec0a2df7d09ef9c3ddbd2f213a9104a0161dd63fe3674fb

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
63KB

MD5
28b25dabb9a4b3f3c90c3ea99910e3ba

SHA1
debe4976c99b773beda837d557f40b40ba4870d0

SHA256
9794580d5810b40a654c09a15546c9db6e84e5d888d817b1f688905d606ed9f6

SHA512
731208d2e5276f10658899161714515b8441cf22cd551aee36fa713257b375a547c0b17460f8a15331cbe1a00380f70207186e22ea0a389ba8fdbd40b3da22f0

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
63KB

MD5
986db8e90383e2c5184b31a14afaccad

SHA1
bb14b5789894697c2e2bda43aec70df1527e9019

SHA256
74f49749436c209714dd9643218029e9f80654cb8d02e18c2aa0f4c88a27af03

SHA512
b09fd039a894ca01532ba104f4f79c25497a90ec19a412cfc0307e0e19b444aecd87806d49cf392b5f3c89a888661338cc486d75b6a6419caa56acc4b0aa27af

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
63KB

MD5
f9688c20d8179f7550a64927ddd7a536

SHA1
85a9b69534d5e116ef2a74d5bd366410986e0351

SHA256
4cdc649415860aac3f2a89629567a6ea0f6a1903d4751137b01256c6ac62e912

SHA512
d34cd39925c9cad571d2b33564e736198adcd1181715359e36225a5e5214f7d29f1495c90cff153e31a6f63b1131049ab154c221daf7508ef7ccfd3e5539f203

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
63KB

MD5
55204b14fb8ad6dee24feca888d2d677

SHA1
bb312d03295090c8ffb82e64467fb08ab17a7ab0

SHA256
73066ef5fd9c10a1e7c4bd7504aa1952cfb3c2357cdb9b2ab3205192f5d6c361

SHA512
feab3bf51ed1f27f572ab3cd96224b03912967448ce2fab9f458e58a5f2956628eac0c543ad896d5ba0cdad725c79302b4e543ac6a7ec3137b04e3160d973cd4

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
63KB

MD5
67b48d8bf5395cefb2b0c4ff4d4d2a23

SHA1
75d9023e13ee69a99ba194f5e831f5005c2aecd0

SHA256
1e40a7b23547d41f788ab107f80a8abd95a3eab487a00eda98effcee0d6c206d

SHA512
80ab9c125eb108b1960d84edc50c75ccabed19ef2ece79c1cc8f6215ae54565d13607bc6bf602f09a198edf613295c4f5fa4ad1935bd9db54bc6dda2c177705a

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
63KB

MD5
d9b2bc726032b600ac4857fe87264f03

SHA1
134d7172121eb701da51528ebb5e80b3ee9d21f7

SHA256
e543cdb9bc5fe7ae4db2eb90279409f071889127a1cb004b3e7feaba70d3855a

SHA512
119f2286e1c97e57d81ea5ab15d592d4eafdc8a8fae8abaa0f791bdd6bcd2a30d82f24672d8a06e225b1dde088c54d439838b0fad36e37c36d38f99523242636

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
63KB

MD5
d2b059cbc711bccda83673ea9e58153c

SHA1
d7954e227174a282014715dfc57da0c046df4023

SHA256
5fd8c47e4dd8353797a906833e982c2642c0d2e85f4a0a3aceda048a6da80b4d

SHA512
fecec84806d8069bd388b968fff5f9a96babeb0003bbde8eb828dff2e7f42d3f4c099b729b925aade092e84d6aa9d432ac89ea9831759d307ab8d4ef0864f274

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
63KB

MD5
a6b0c2d1587f2a248e86ee20074e0782

SHA1
b57adc46206a734542f166a1a4d9b65d7c969707

SHA256
6ed2ff169473e63333e42cde6445b80315467da9b28c5b7e4b32c30d67a55c92

SHA512
91e14f07cc2a9596bbfc349808f9a1f7316a9a31ec3bcb23bb325333d9ae7f75efb4fa35d8eb90ad50a131641268ed6fb029cdc5bc9c654be3ff69d167aebcf0

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
63KB

MD5
47f701a2a8ed318873bef874c5956e66

SHA1
99a559d23d7db8a9b65e108cc9ce79a1b6f8193f

SHA256
8b982a587d66869e35540e18826580129bad951455bc7c44762d13b9de272409

SHA512
e4b37ef4244db47a42dab4fbb7763ed0550616065be306ebfca89947bcc8b0b9579440b30f39b00e79addb9a537307c2ead8b1d1b2b5d1dd541602b49053301b

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
63KB

MD5
2044b3775409cb0ba5dc4b42786b57d8

SHA1
f4d262da9dc142b4d5f5105b037c9aebeeadeb0c

SHA256
5a0d3b8e77c1fd83649092ed6b008d62f1eed0081c81f7b95dbf0ac7adab5a14

SHA512
8b75c8c0b63b3cc2909544b8660ad11d5f54d5b01a0ffc3adffebe59d867370af532369971c31bd930351bed35c28cd9de5b82a4d14918b87059b57d6e52cbb3

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
63KB

MD5
d10d511f957ed1b0ddce5c8d23c72801

SHA1
8b5aa93807f40ff7078c4a71c62aefdf045107be

SHA256
b859d69f5b9a66bff0c4329d4fe853e7ca3cfb4303687bb232243e137a6278e9

SHA512
8fe12faacd1061680b95832c1fc7381e7f56c08b79a7455bda9bc09cfcde0361701c2bfc9f6c1beb1d3f52c70eb8a7b1b19860daec8b0ac996538c3249d0ae55

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
63KB

MD5
03637b0b49b48cd11edd55b8df5359b2

SHA1
baf2d9f9661f13ac37ba3ac2e252ac944a2da1df

SHA256
8078f0ae3b24d95316a8b80f25340ee4f9dc4506db5d2a749a296b5c6deb658e

SHA512
d17786077e2239e48ee5f8c6ba631ef8df13a0688839fd4c6efc49f32e51a82cb2ace5f5fa613526e0562a0a2db8dc870d43c5768017fba3a6984c4cbf8ba21d

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
63KB

MD5
0bf7cdcd98cbb19ad6da65b3f06768c7

SHA1
276aa6dfafe1201f485462481fbf1e49dd5083e8

SHA256
7b107f603e38f65500be15d879a60bb0b062514c7034eb1075c01d6c94d60d3b

SHA512
f6e5345e238857ef5e85a884dd6e228eee135d45eb51ab055fc8ae29cb73247eccf1bf700658b5292e98f4467c5338cd452e05a5f0f6ebfbbce46bb72a63d552

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
63KB

MD5
6799fea519993dddca7721eca6016c64

SHA1
5884d7dfed7de954178271b018b76ce9ce659810

SHA256
f7e1a66600a49a22f85797f66afe0ba84bed567f5b4d365f34a8094fc794a969

SHA512
f4613c494577274eae95361a2df88c943f9963d2396c754d40e5f0924ea579b18a75c6d2e3a58a3067e6b41437549ae0cbda4570cf7ca61d98dffb77728afc2c

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
63KB

MD5
15f18205e67cd56072607c4f0017c7f2

SHA1
020c90216aa63edc7a3e6878719117b2a785e751

SHA256
2166634a360f1577eb7ab18a9daae323b736c273eb6f6412b6a574ab0698d101

SHA512
b3a68b1d538df90a3e4b8c9fe656e55f6c2841ab510248cbfa480d1e77c4dad0383d0f9ab8a492a9d555f9eb1b1c406d42f00b5268f896d356d015bc118bdbd7

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
63KB

MD5
4edd57925264bd1a80df41da35d621cd

SHA1
50003bde41c93a671fb775422b9de03dc071270e

SHA256
7338df63f0364bd12c1a35740f0c6fb7ed8dc51fb0cd278865883bb905c99caa

SHA512
27efb4b9ac4cbe681c92d09ec9472aa6836052fae17e271cc1dd77f550a2536c620b114e4898da9ef25e601f3ccc3cbcd042cd47d9d8cfa7259a0d532cb39b01

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
63KB

MD5
a48287c8ee8e1d6ed5855a99f136b29c

SHA1
d9caf0e3b2550e05a253155547ca3400bc385a99

SHA256
f39cd6a233b568d8a98aee016ea3443ebb145c065aa3004c85f7448f2cb1577d

SHA512
fbb21bae2fdfc1d79c3b28b0c6ff9ce09f7956246b536a190f306d302d2b3347a063ef164384130a71d4dfc39947290ab9d6d2ded45e7e34a4482eb2d1755b58

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
63KB

MD5
13f3f4edac9be5f0e411abbca607e03d

SHA1
aef71c68b6e4b721a60ab3e97f4bd5b7f4322087

SHA256
f3430537a4231b96501e3cb7868e45c549670fdc2b0f7927e888afd3d31dd9a9

SHA512
d92575f7f9e570ed53c3a0d39683187d984d9a5e56662caf77be5365f5e31890ade78a68c2d8ee8a11c1adb829df7ddbfccf24b894a46c8f992f60d82a4a2fa9

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
63KB

MD5
4fe98e04d4afd95375336c2ebc259900

SHA1
b67540dea533ed2867b9df36ea1ad97e9f616c52

SHA256
e647539d6268c9daaccba59bddc4e172a0f33d0d190173d79c3e76cfc1e7b68f

SHA512
26cc678e358a29a56e1132f71e5d95cac7dbdc04d50f10f38c5ed0e4c8cce744c8946e33840383fefb678067115e5631d2f0dd56fde0a50285f20843e8afcc1e

Download Submit
C:\Windows\SysWOW64\Oagmmgdm.exe

Filesize
63KB

MD5
7934d61365b9566c09fafc44743af38d

SHA1
be705c1322120363c32ee72a8ac41abcfc0e9e18

SHA256
dd95e460a713f3bb4dfacbace2571df26e65284f09bb2b79c5942fe579c8152e

SHA512
cb3c8f65f530364fffb4a8812f42eeb4b56f1d4c8a5765cb84c0c4674a2e93f3de64e55d4bbcd2c344dac52d718253c5951d73a65d9e873d46fde7e0aadf56c8

Download Submit
C:\Windows\SysWOW64\Oegbheiq.exe

Filesize
63KB

MD5
55779ba21ebde3abf1536c30733fc030

SHA1
4570d84c6757cfa1a3abec9f9f044438df10abdd

SHA256
056437d10b3ea49011fc96c6dbf9d574f22f71a5bde9f5e693b81dcbd903b7d1

SHA512
710ab497a3e7112be6a740a981355037e0c62ea0c542b3119b1d1d85dc9f06e487bf5a7b2b5fc31734a424cbfce88592e165262c743dbfb123abf08d4cc30c93

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
63KB

MD5
638510f5e40e47e2ae7e304bf50e2ed3

SHA1
646a4dff54d101ac3ccd1cd97e295efc4fda67ca

SHA256
0e483fc0db870b4b4b02f5e8e8c2bff5c62448c4b29078460b596de2fda6fb1f

SHA512
15b4cab0b266d9a4b540518cb2fba04afbb91ee2afb8d17e274b0329171eebd65dba1d4b182d0242cdb1ab7909e5c4236491a70a78cb27298f5cdd71e4b80569

Download Submit
C:\Windows\SysWOW64\Pfbelipa.exe

Filesize
63KB

MD5
435c253b4f22231c1cadd1e5b94f9973

SHA1
e7a662b5639e96825ae826285e3ca834cfeece19

SHA256
fa26aa76ee732c7ffa107b0a072357670dbdec77cc630852cf96efa28a867f6b

SHA512
c23a9999529c83b24403e4f20df536812b72e397cd213ee10bf0d96da6e481389093d72963dbe934351b1be49b22239045f9c9fd1237bae4d3867d18272f6c27

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
63KB

MD5
3e378596f61cefe22943609df2114741

SHA1
bac1869553c13e9ee7d396a24bb99ec71cae5257

SHA256
1387f4d2325fe669a77501384a8d2b24ea43e4e1d9f915d4194e02dcfc04d796

SHA512
44bd92869db00f33bf40f9ab84626ee13c90d0b471c3f49415ea5c2722a6ebfad7fd02c9aeb86f528e80c85d4e60bbd9d1e31e804d565cbff5ef00611e2dbf86

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
63KB

MD5
a660b56dc59b4ea3ae30efba87cb059e

SHA1
beb88d1881e4f026ca6beef020ac4cca9aca2d1b

SHA256
ee6664a453ebfcf48dc8886e935590366bcd7a73cc9097ff9b4bc238b72b86d4

SHA512
bf31045235807ba5bc52f91411820006be11b70e1311a9bac8330eca175fab472a673377f72ccf81624a4631921495c95c9bfe7ff9a1a413d0c4536298416fe6

Download Submit
C:\Windows\SysWOW64\Pkidlk32.exe

Filesize
63KB

MD5
2c0c35fdc0f6f8c5ee73e32a9a7ed94e

SHA1
c7aaa10c4f1578cfd8526038303da73e0e95a10c

SHA256
b95079202c0ec34b20faf4e83fa582c681212e4ccbad8a89d68c09cdae58ecb1

SHA512
4634d7a31c555b5c166790bf5fc6f9c300c552e4b8d339e0da905dda8af5ac79a2bbae174782d7e4bf7dc363a7cf2723dcb2a21b8d445bb8cefef88a4179edf2

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
63KB

MD5
7c566744a97ffe7abcd00712b1e3ab78

SHA1
49066bf9d865c941a5c4541fc548be4615493871

SHA256
9a879774b8c8e91b678ea85fe69d9314a544c49a765e0172dcb10c6a72875386

SHA512
5c95c73a1e70bd3e20ad276c8861b3f1ec1cb6934621d58f9892284dafb9dae41e873a77a4e1e6c143b5d01730586fc14b8962a70e2dee6746be5d8dd4981537

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
63KB

MD5
f78126629bc5c76101f262b48fe809ca

SHA1
9a79128cd9e31cd4f1efbfffd5e6db5e5b6373a5

SHA256
0de3f45250de04e12a83d0e93a117988bc81e58d4785eeb42f54cb8b5ea9f6e8

SHA512
11d8cc342b7456bcc15371cef6cd0419fe2e0bc10e863673fc0228a835015c6b5c0d48eefe0cc427a2e920e1111cdab698ff595061412848eae65e6f001b4f57

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
63KB

MD5
88c299bf316edbaf617a3722a65840a0

SHA1
57f74cc8417f7c748740513c0e9646394c2450e2

SHA256
5eae9b0ebe3cc94da4e388eebae0dd92f27286768f187a3643b58cdc11af42d3

SHA512
0f72688cee8e33257951cf666503e7c57890ad73ac4474819b2899775a398deb56fa7d79ee2c21bee49b2bd1692384b495aed8fc6bb33fb5f7dd429e38555574

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
63KB

MD5
1721c3d9aba3cb785a8467548ca1d06c

SHA1
47b1b46a885c379409fa8a51a54ef34039fa6a2f

SHA256
d46335921beca9ba0c08bad408c1f475d47a474e5665fd24f8e28a3d3174d51e

SHA512
0fcfc7b34b5265ec268b849b1041f6ba19ba0462731a94f7c5f771386ef6d14c92edae6cf911624bf9ed6322c505b731e035a365e34fee457b00df922cb802c7

Download Submit
\Windows\SysWOW64\Nkmdpm32.exe

Filesize
63KB

MD5
2cd4c7fa3bdc8eb280fd345adb969cac

SHA1
67317782c15f5a9041fcaa0638ec37b5541f7d56

SHA256
ae79fa3664fe838a3236c7950ece944bf8572cd021d77c33ce4b88ff57cf66cc

SHA512
49a860e7f3734070923157c7a5ebbc41c11dbe4c45f804ea48d48a1da36508cf86f0aa82741a11f6715ac44976f952c5b555c9c7095048220f9ea2f8564a693e

Download Submit
\Windows\SysWOW64\Odhfob32.exe

Filesize
63KB

MD5
690a80ce8bed3199088323195a73fc5c

SHA1
935141834d1bdb72eaea5417354551479c81bf94

SHA256
c80f20d68a93a2b460fcde558add06c23a1f39fe328d0ec24451bc3cc151df61

SHA512
272c3248c0894b43f8ba3d16a16facc6dc491db21636ec3b38467b690c694dfc5b1af37c17f4f313717f8fef9ec48e73e36d3b692691365ed57471a20209b08d

Download Submit
\Windows\SysWOW64\Odoloalf.exe

Filesize
63KB

MD5
2c4e21df6d2f4cf5b173ca6ce339c7c2

SHA1
31a9cf0694981855879d5098a7efc0f0b5088435

SHA256
a21dfe827f250641a4d9a1076903173b13eda4ed374ce4ef90ac012e8daa09bf

SHA512
296575276982f7fd003763f40018818f4a65c94c953bbdf108083d5e303ff0e5da01c869ab87a7f6837bc2ff7beb5b19682a5cf6ffbc3c84a2e78c5223456305

Download Submit
\Windows\SysWOW64\Oebimf32.exe

Filesize
63KB

MD5
8b84e96b1a53c525c4232480cde5048b

SHA1
32bcc68f1883e7a53aacf11c99ba4452bce6f806

SHA256
7c066beec78bebb8c551184e0886a75c7844ad1784bb9c4c58af1171240cfc2a

SHA512
7eaadd0fe506f5dd5270f96d75c8474917a4243c7121684066e4143b62de987defade99769db6e5c5b23b5acb0e8bac6f7f65e3f3761f19d805717bffa281b4a

Download Submit
\Windows\SysWOW64\Ogkkfmml.exe

Filesize
63KB

MD5
724b13e6de03499e65aa4cc294a2188f

SHA1
4ccded7dcd4aed5428fbfc781668d79359897065

SHA256
cf4f9a5e8172f0e870195a3a08f410a534443e75991955b87598e59809a0677d

SHA512
cb97abfd93ac796e418600a2b53edc573d195262b4e287c01c4ee5c70f05b94b7a9ad2ac4f90e5fc4e3e3af594caeb4f71c96f04653917a35b69600b167af33a

Download Submit
\Windows\SysWOW64\Ohendqhd.exe

Filesize
63KB

MD5
4532dfbab569e8513954f3205a84c43e

SHA1
0326930784d7a8c58849e0690376a87248f2bd0f

SHA256
356618c53c306f4a1ae8df713aee759fe8e4893c80fcb92f663fa7dbe31dcef0

SHA512
8e73704036398224a8cef03ded5145a8dbc28495090110afd90cec1eac1592f81bc6cffa031498ae34f5daddd272495d48d86d95dfed6fab53011fc3722dd22f

Download Submit
\Windows\SysWOW64\Oqacic32.exe

Filesize
63KB

MD5
36c8876b8e8511b080c2cf34c04f3ae3

SHA1
5b94603a675965c5c1209c88b02d619ca7009e22

SHA256
f62a152362e34f5b437fc9869dd0faf97f94056c5e2f1f65355f79584ec19b65

SHA512
55ce4c3017f150a76c8ed71631cce54eb5d11f9d6df292fb8a10da7b745155e8722475d7f5c489f5b96eecf99a2ad97f2a2ae4b2b917bd57b91d644d3db33114

Download Submit
\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
63KB

MD5
b9410e635130ca999af2c42d6e2c175b

SHA1
8e633360c6745dfc0cc7936c704d5beda0c45b37

SHA256
64b7a3685a75d2d1a24eeb9eb8ff58e2d38b399192ffea9cd12125544507ce79

SHA512
9695d4819236014c4ad13d6ee8b8aa228e9a5d36b5fa52f6e577c7debe0dd42b9775867de222849cb82383c957e9468a513f152b150da2094bf4afc848ca3e89

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
63KB

MD5
8aca5a6034277871b2e5b5878a3ab35e

SHA1
1e1ca069ed46a290d66d0fb232e38de583ccec03

SHA256
012234ec789e858c84a3fa3384f2bd7301de79a640a15ecad3cd25c9ec3a1cf3

SHA512
9cbc6f94bd1eb46718c569cf118ebcf15771a7518cf25a4c81285ea314246f5883fa753cd98b9ea08606e9d6d46be5eae487753f9075799f1eaf7a1795746ae1

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
63KB

MD5
568ceb56b5882d42e70cd1d4b6383957

SHA1
cfc88e0383dba8864505228f3793a48709e91356

SHA256
5a1ae275634a9fba6beee8cb1fecff0da714c4617ab52940bcde75d3e0a586c2

SHA512
bec7fb4e184c97f270f6f1b8dbe79e3acca278cf2ecae2b7282e9c021e00b8fe362ee3ca377222043321908a3053363605933920879020e46335282fcbf01223

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
63KB

MD5
c30fd0f117b6a58e9954aa8c1d2fc220

SHA1
2c28047e13bc7ffb76da023b3a869a35766945af

SHA256
bb9ccb54687b58e6b9528c555bf904900584240ab671ac2e3b1633aa9c9b9f8a

SHA512
f3c1bd1056609330840ca64cc4badc294d3c1953b278c14bfebec8e1db8fe9a213580910e460d95572311197ce84f118bffe20fd8c1cf326ee1c099d21d3f955

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
63KB

MD5
bc93f815e15cafeea9a4a3712cf3de1c

SHA1
f5c2283829325c7c8f0f877c1c5656aa6196eae3

SHA256
0618ee6d5a3e49efcd151ebba9c5bfa66fa28a3198804f62d0746ff765d888ed

SHA512
1cf7afa1c43b2ff30dce6df3a324d4f90e70ba909edcae84f47ff0f01ed7560cd105287cacc43baf9ce7f67122cc0961be273c64eb06063bc0c94823a6566e79

Download Submit
memory/264-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/264-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/380-444-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/536-359-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/536-369-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/772-229-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/772-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/772-519-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/780-424-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/980-289-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/980-293-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/1044-299-0x0000000000300000-0x0000000000338000-memory.dmp

Filesize
224KB

Download
memory/1044-303-0x0000000000300000-0x0000000000338000-memory.dmp

Filesize
224KB

Download
memory/1068-242-0x00000000002E0000-0x0000000000318000-memory.dmp

Filesize
224KB

Download
memory/1068-241-0x00000000002E0000-0x0000000000318000-memory.dmp

Filesize
224KB

Download
memory/1152-380-0x0000000001F50000-0x0000000001F88000-memory.dmp

Filesize
224KB

Download
memory/1152-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1184-392-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1184-402-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1240-500-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1248-161-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1248-168-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1248-453-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-509-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-517-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1520-515-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1520-518-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1520-516-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1572-316-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1572-312-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1572-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1696-273-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1696-279-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1696-283-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1720-81-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1720-390-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1720-88-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1784-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1784-258-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1788-304-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1788-305-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1856-495-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/1856-486-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-454-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2120-381-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2120-391-0x0000000000300000-0x0000000000338000-memory.dmp

Filesize
224KB

Download
memory/2164-464-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2164-474-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2196-485-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2196-195-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2196-187-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2248-505-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2260-463-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2296-473-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2296-484-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2296-483-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2352-272-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2352-271-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2352-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2412-397-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2412-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2412-107-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2508-439-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2520-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-66-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2524-365-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-434-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2664-430-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2664-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2664-143-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2676-349-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-52-0x0000000000310000-0x0000000000348000-memory.dmp

Filesize
224KB

Download
memory/2676-40-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2708-337-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2764-325-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/2764-326-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/2796-348-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2796-358-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/2808-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2864-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2864-347-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2864-345-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2896-407-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2896-413-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2948-328-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2996-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2996-327-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2996-12-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2996-14-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/3012-420-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3020-412-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3020-109-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3020-117-0x0000000000300000-0x0000000000338000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads