berbew | f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380

Analysis

max time kernel
106s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380N.exe
Size

163KB
MD5

7be2ed73e6b2795d75f6864176c9fb60
SHA1

2405bcdb69cdc5941f62922970febebc0127ea68
SHA256

f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380
SHA512

0f542bf289b51c6285735448a6c614dda16acdbd6f2eba98436bafb898cf98671be4c005ea01821879731b8dad61175f5fda233bf45de731443b49aa0db6817c
SSDEEP

1536:PE2HLYOkfMgiBRDcrrrK4WRAKlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:c2P683DcrrrRWRAKltOrWKDBr+yJb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncchae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apodoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncchae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4120	Nglhld32.exe
4192	Ncchae32.exe
3804	Njmqnobn.exe
3388	Nmkmjjaa.exe
2592	Nceefd32.exe
4052	Ojajin32.exe
4792	Ogekbb32.exe
4268	Oanokhdb.exe
2652	Ofkgcobj.exe
1380	Opclldhj.exe
4848	Oabhfg32.exe
4696	Ohlqcagj.exe
4564	Pnfiplog.exe
212	Pnifekmd.exe
1624	Pdenmbkk.exe
1324	Pmnbfhal.exe
1080	Pnmopk32.exe
2708	Ppolhcnm.exe
2072	Phfcipoo.exe
2352	Pfiddm32.exe
3332	Pmblagmf.exe
4108	Ppahmb32.exe
3920	Qhhpop32.exe
768	Qfkqjmdg.exe
672	Qobhkjdi.exe
1452	Qaqegecm.exe
456	Qpcecb32.exe
4956	Qhjmdp32.exe
2656	Qfmmplad.exe
4348	Qodeajbg.exe
1060	Qacameaj.exe
3500	Qpeahb32.exe
1876	Qdaniq32.exe
2184	Afpjel32.exe
5076	Akkffkhk.exe
2904	Amjbbfgo.exe
4020	Aphnnafb.exe
4172	Adcjop32.exe
2564	Afbgkl32.exe
2632	Aoioli32.exe
2636	Amlogfel.exe
1512	Apjkcadp.exe
2864	Adfgdpmi.exe
3624	Agdcpkll.exe
2300	Aokkahlo.exe
3596	Aajhndkb.exe
3984	Apmhiq32.exe
3732	Ahdpjn32.exe
928	Akblfj32.exe
3412	Amqhbe32.exe
3176	Apodoq32.exe
1248	Ahfmpnql.exe
2788	Akdilipp.exe
3908	Amcehdod.exe
2144	Apaadpng.exe
2696	Bhhiemoj.exe
2136	Bkgeainn.exe
2256	Bmeandma.exe
3820	Bpdnjple.exe
1668	Bdojjo32.exe
2000	Bgnffj32.exe
3040	Boenhgdd.exe
2568	Bmhocd32.exe
2948	Bdagpnbk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qhhpop32.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Aphnnafb.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Ckbemgcp.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Oabhfg32.exe	Opclldhj.exe
File created	C:\Windows\SysWOW64\Nceefd32.exe	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Idaiki32.dll	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Pmblagmf.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Aphnnafb.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Eignjamf.dll	Adcjop32.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Kkbfan32.dll	Nglhld32.exe
File opened for modification	C:\Windows\SysWOW64\Qpcecb32.exe	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Iohmnmmb.dll	Akdilipp.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Bgnffj32.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Pnfiplog.exe	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Pnmopk32.exe	Pmnbfhal.exe
File opened for modification	C:\Windows\SysWOW64\Qfkqjmdg.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qpcecb32.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Giidol32.dll	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Jkmjlphl.dll	Adfgdpmi.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Ofkgcobj.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Bgnffj32.exe	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Hbobhb32.dll	Apodoq32.exe
File created	C:\Windows\SysWOW64\Pnpkdp32.dll	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Enfqikef.dll	Pmblagmf.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Afbgkl32.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Gdglhf32.dll	Njmqnobn.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Akblfj32.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Cnfkdb32.exe	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Chnlgjlb.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Cggkemhh.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Omfmcjlk.dll	Ohlqcagj.exe
File opened for modification	C:\Windows\SysWOW64\Adfgdpmi.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Hlohlk32.dll	Apaadpng.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Ofkgcobj.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Bmjkic32.exe
File opened for modification	C:\Windows\SysWOW64\Bknlbhhe.exe	Bphgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ojajin32.exe	Nceefd32.exe
File opened for modification	C:\Windows\SysWOW64\Qpeahb32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Ccoecbmi.dll	Bmeandma.exe
File opened for modification	C:\Windows\SysWOW64\Caojpaij.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Ojajin32.exe	Nceefd32.exe
File opened for modification	C:\Windows\SysWOW64\Ppolhcnm.exe	Pnmopk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	3056	WerFault.exe	173

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglhld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkmjjaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qobhkjdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojajin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofkgcobj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmqnobn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncchae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll"	Ojajin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nglhld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 4120	1392	f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380N.exe	84
PID 1392 wrote to memory of 4120	1392	f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380N.exe	84
PID 1392 wrote to memory of 4120	1392	f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380N.exe	84
PID 4120 wrote to memory of 4192	4120	Nglhld32.exe	85
PID 4120 wrote to memory of 4192	4120	Nglhld32.exe	85
PID 4120 wrote to memory of 4192	4120	Nglhld32.exe	85
PID 4192 wrote to memory of 3804	4192	Ncchae32.exe	86
PID 4192 wrote to memory of 3804	4192	Ncchae32.exe	86
PID 4192 wrote to memory of 3804	4192	Ncchae32.exe	86
PID 3804 wrote to memory of 3388	3804	Njmqnobn.exe	87
PID 3804 wrote to memory of 3388	3804	Njmqnobn.exe	87
PID 3804 wrote to memory of 3388	3804	Njmqnobn.exe	87
PID 3388 wrote to memory of 2592	3388	Nmkmjjaa.exe	88
PID 3388 wrote to memory of 2592	3388	Nmkmjjaa.exe	88
PID 3388 wrote to memory of 2592	3388	Nmkmjjaa.exe	88
PID 2592 wrote to memory of 4052	2592	Nceefd32.exe	90
PID 2592 wrote to memory of 4052	2592	Nceefd32.exe	90
PID 2592 wrote to memory of 4052	2592	Nceefd32.exe	90
PID 4052 wrote to memory of 4792	4052	Ojajin32.exe	91
PID 4052 wrote to memory of 4792	4052	Ojajin32.exe	91
PID 4052 wrote to memory of 4792	4052	Ojajin32.exe	91
PID 4792 wrote to memory of 4268	4792	Ogekbb32.exe	92
PID 4792 wrote to memory of 4268	4792	Ogekbb32.exe	92
PID 4792 wrote to memory of 4268	4792	Ogekbb32.exe	92
PID 4268 wrote to memory of 2652	4268	Oanokhdb.exe	93
PID 4268 wrote to memory of 2652	4268	Oanokhdb.exe	93
PID 4268 wrote to memory of 2652	4268	Oanokhdb.exe	93
PID 2652 wrote to memory of 1380	2652	Ofkgcobj.exe	94
PID 2652 wrote to memory of 1380	2652	Ofkgcobj.exe	94
PID 2652 wrote to memory of 1380	2652	Ofkgcobj.exe	94
PID 1380 wrote to memory of 4848	1380	Opclldhj.exe	96
PID 1380 wrote to memory of 4848	1380	Opclldhj.exe	96
PID 1380 wrote to memory of 4848	1380	Opclldhj.exe	96
PID 4848 wrote to memory of 4696	4848	Oabhfg32.exe	97
PID 4848 wrote to memory of 4696	4848	Oabhfg32.exe	97
PID 4848 wrote to memory of 4696	4848	Oabhfg32.exe	97
PID 4696 wrote to memory of 4564	4696	Ohlqcagj.exe	98
PID 4696 wrote to memory of 4564	4696	Ohlqcagj.exe	98
PID 4696 wrote to memory of 4564	4696	Ohlqcagj.exe	98
PID 4564 wrote to memory of 212	4564	Pnfiplog.exe	99
PID 4564 wrote to memory of 212	4564	Pnfiplog.exe	99
PID 4564 wrote to memory of 212	4564	Pnfiplog.exe	99
PID 212 wrote to memory of 1624	212	Pnifekmd.exe	100
PID 212 wrote to memory of 1624	212	Pnifekmd.exe	100
PID 212 wrote to memory of 1624	212	Pnifekmd.exe	100
PID 1624 wrote to memory of 1324	1624	Pdenmbkk.exe	101
PID 1624 wrote to memory of 1324	1624	Pdenmbkk.exe	101
PID 1624 wrote to memory of 1324	1624	Pdenmbkk.exe	101
PID 1324 wrote to memory of 1080	1324	Pmnbfhal.exe	102
PID 1324 wrote to memory of 1080	1324	Pmnbfhal.exe	102
PID 1324 wrote to memory of 1080	1324	Pmnbfhal.exe	102
PID 1080 wrote to memory of 2708	1080	Pnmopk32.exe	103
PID 1080 wrote to memory of 2708	1080	Pnmopk32.exe	103
PID 1080 wrote to memory of 2708	1080	Pnmopk32.exe	103
PID 2708 wrote to memory of 2072	2708	Ppolhcnm.exe	104
PID 2708 wrote to memory of 2072	2708	Ppolhcnm.exe	104
PID 2708 wrote to memory of 2072	2708	Ppolhcnm.exe	104
PID 2072 wrote to memory of 2352	2072	Phfcipoo.exe	105
PID 2072 wrote to memory of 2352	2072	Phfcipoo.exe	105
PID 2072 wrote to memory of 2352	2072	Phfcipoo.exe	105
PID 2352 wrote to memory of 3332	2352	Pfiddm32.exe	106
PID 2352 wrote to memory of 3332	2352	Pfiddm32.exe	106
PID 2352 wrote to memory of 3332	2352	Pfiddm32.exe	106
PID 3332 wrote to memory of 4108	3332	Pmblagmf.exe	107

C:\Users\Admin\AppData\Local\Temp\f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380N.exe
"C:\Users\Admin\AppData\Local\Temp\f353903f829d02496e04466d9a3e59f273f7fbf2b8b2265c8cbc518edbef6380N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\Nglhld32.exe
  C:\Windows\system32\Nglhld32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\Ncchae32.exe
    C:\Windows\system32\Ncchae32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\Njmqnobn.exe
      C:\Windows\system32\Njmqnobn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        25⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        73⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        89⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 408
        90⤵
        Program crash
        
        PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3056 -ip 3056
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
163KB

MD5
6de36da9a5818666c0e81fa0710054cd

SHA1
d22ccdb41d766a7c77431315fc9f0b8395fc9924

SHA256
3fc6f1d56b094770d2bbbe0d4868e97f9c6040f88df68fd250fe746c344558f9

SHA512
ae2cb17e02ce08905e55ec931952b1510229f3255a74b6d2e8f0eca766b09c2548a21ef5e5ca11c742dc37905f3a5e2fe64928d7e004a3785f9302b241a69f64

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
163KB

MD5
76ac0575e582be68d00beb2beeb44dff

SHA1
ee9a97867cbb0189a2a26b213a0eed2821741887

SHA256
aa5383c64155eb58a7d5e24c2901aaea13bcef0bf748fd958a0dd0676c1c0efe

SHA512
66589a6afe27e9d5080d943362467a5dd6559e95ce452fda55d97e2873d3e997fc217ad242b2949ee7e3ae684247ece7394037851ce365aa30c242b34f9865a3

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
163KB

MD5
b3048c35fdae49034650075d6e128970

SHA1
d8762decd4b6695ede49d3b58b30d0376d037732

SHA256
168edcd8f71354114a40dbf576276902bb4281f61bfac85d9a6dd39244f42c1e

SHA512
1a862353e927cc1a809d9cbbc0ffd984a9fd74b092a40c90427ab55b5fee2e783526cbdb0487169e365d7f4bc4841fad37fa924576ae50d9a0bc58f807f34228

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
163KB

MD5
e45f2d3246d5fc476434abf2b2786592

SHA1
11b8ee1325ca92713624a8b7d3d632cf75d30104

SHA256
787a8b1ef6798ecc16eaf94cacde1d9c82bdea71dc069dfb8abcdbd645543f9f

SHA512
b6ad528715bbba42c7261d457480b03d5efacac2b9ca6a64ab8edbdb2ba8bbb77951e395c5506c5661094934b6c8bdf8d3d8a991bb1fd970e52aea86176f2d32

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
163KB

MD5
98ed89d35174d4ef614eede6731146bd

SHA1
182d062357da590fbf41ff6994bec65cfa66b4c0

SHA256
a1c681ff75c214fa8d81a8783ce6129792f86b85cc81387709fb3304b218d200

SHA512
6e56564d1de4e484f55d0584ed4b2819a1fb5d2ae9004ab024ad9d158f5da85982e926364c1e20c7462f030b090038429628838306b5bf3c57b518e01dedb40c

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
163KB

MD5
d7983addc11df27e10caef94a662cc4a

SHA1
b63044a994a52fbfbe2bbb7f7f20396e0c8a3745

SHA256
d1567ba3f83114cb6cafa3beab9c5e0c3d6891d34129847dd9bdf7effc7029c8

SHA512
6382672a6f90d3c35dae24bbb84a96d5188e96bd642b153e06cab148b3cdbff5766b5232884f24e1834a4dd5f20859985846eeddfa2760d8c3eed1ca1cf3dfc7

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
163KB

MD5
e34186f5b63967c752283134987ff2eb

SHA1
460296edc8eb62f60e4596d1b8d09916686278be

SHA256
fb057fa0debb6b6031937140069918e76f90e8ef8368af308c3ede63dc9ccbde

SHA512
0d9eaa25eecc54895a4facfc8942372e1cee944d6e10209df5e4c9237e7c59fc87fb11062b095a47156d46593ce559f4e050adb6e062fb6a5aebdc5b55dcf37f

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
163KB

MD5
1e9f218cfcd0e57b5bba57b7fc5c3a0f

SHA1
091fe3347e55a581f20ea33c07dd25d243de4aa7

SHA256
b9ae3413e1400729c8a27ecd707699753aaaf7109f064e0d4216b4dd7867432a

SHA512
4a494896b9be1b512426114b57a30fdbf4f3142111e5b823dd4aee9bf6c988d6c03239fce331e759acce3a1a18f1922ae389cb04b56e3e089d4a7c5f6034e9e5

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
163KB

MD5
2201eebb54cdd0ebaed626cf50bbc250

SHA1
02960e8538abbd239386e179088008e6df8d65b8

SHA256
a218ffc16e8cfa48af7ac2916ebced66bb1d94ec4aa3cd367e0bb4848072ff6c

SHA512
e819c97472d167d79b73e349ff3fc286c5258911a5ab72b0e870734802f483d8bb8be106a41c20f4ec596c4095415c831ab4b4797f7e299c0561a1ef7e17a5e2

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
163KB

MD5
9536534923a28b4d4480a769226fe34f

SHA1
fc153d82c5f7c679a409c3e848c281a8aef4b916

SHA256
25b3aefbfa9326e44551b72410e482ebd7fc211e02d72c389eb5e116d6a5af70

SHA512
df971803178ab91a5d5e6499808f479e0e60015c1e22f87de5b2fa2cf26e131e200384f7b4e6477a2621305c4d6db00c7258f95436a923e7a2ef9c3985b4b368

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
163KB

MD5
ef9a104dae1da125a2809a24158a64f4

SHA1
2bdf4047d21a0e723bd16934d0c3aa5d3146a0f2

SHA256
ca3c94e15efd8921948d08fb9ed16539460406565fef8bed0c6d5ecd3916941d

SHA512
1e0429010f414b0018673aec5ec7ff763dfc822c4861392c926b7118994c2c2a327c50fc78f863095ed31d97c4102f75813fb4d1cc5bf66d3bb34c9d21aca758

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
163KB

MD5
d962a7ff9eac03c9adfb63b63caffd9f

SHA1
2ffe5b5ac5c44ac9ee916a27bc4c2fd6ec6c2efa

SHA256
f35913346ce2fa0c6de53d5439a641d0671ab144416af1e0430b4b2422365b97

SHA512
9e20805b6702768d915d8c5cf22f7dce3013b7bfb7d7bb1915ac4dcbb7668ad144d406288a4719445ad48c5cc1b0314d845591507ef1a51b892714af6d8fd47f

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
163KB

MD5
619235b820d2c100887b5835408d1697

SHA1
bfbfe216eb450811e38122adc1438b1a772dd78e

SHA256
be8379d731fb53055baa11ac62ff3916f2276cb901d1e653223636b5c10102cb

SHA512
8fda31e9e937e52b11cb740e0120c135832b9369320d09f3db933de2394f5852e90a27384f5b3511dcddeb8f39d12d75f5c760c02ea937bb3e0cd840f676ea03

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
163KB

MD5
99cd89676e171e7664f9815c2ec15085

SHA1
ec6d670e5ebad6b31e50f20fb35bcd9ebfa919ad

SHA256
5eb4c5a18b6afe38dc7716d4d52a125a4083340a335792def6e8ee6cabb86297

SHA512
19dbe09124c36eb149b1d5e99bef6f06a863bbf1082ba2a8f3958f943b3072a779a4374a428df43eded63f7a577071b46ca70871f1265983dafe108355e6f868

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
163KB

MD5
b4faa9166c8576d7678eb0383575ab29

SHA1
c9a0ed757f2e3b4e2141c1e63674fc57dc92f6df

SHA256
1b6b0eca72f67c1eeb36ef21b89fdab209b3314f1ee2c27a5ffec203069748f7

SHA512
7c2d54753fbaff75edde161c6f33d22cf3bf8bdddbae410ccadf4e7f0dddfb084dd1d646d3aa1baee5db82016f13a7f4d84174b7b19ba0d0b277b34e4b79970a

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
163KB

MD5
4153d64af34085faea7c1725b738b563

SHA1
f11eb0aac50c3d7c87ac595e6be4f46dc7fa65ea

SHA256
b1d17e6a52b4fa9b8f241946cea315492455de4fc60e4b1ad38ab8c1285bd298

SHA512
9820cf96d07a050ac86256225f11dfdbed1e9e373ef7b63c9fca348f5eb603ca718eb0829680b70db1c4dc9d6d278f1eaab14fed6f84caafbbe0f81f132c4581

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
163KB

MD5
32c58f298d560c98f514d1a4e73d90d0

SHA1
db878158a2be7114d133f2f171409819c097c329

SHA256
113a23a0b35c6bc9b04a6d5022e401d1840c5a62f4ea5a08b11065750b08d06c

SHA512
dfd03c414b5cc84400f72a66001aaa00ee756f8913c382bb387a7adb618c525241ab167f998ebde9d7c565230598ac47354893b9b1fab12823670a4757cf2669

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
163KB

MD5
d69786467ead30dd5634ab033dbe8bfe

SHA1
c3ab12b726e589fbf43312d4f3b25a79938a6624

SHA256
a0bc6d0435909d361feb6d9b3046b0760ddcecf6d74bd15fa52b0129fad67feb

SHA512
0048a35ed58e13431860444d34b9151a428b398fc4e8b2aa1817d7f970ccc97b6dfaf6d2e6614ce0de4a6381c2e2f48c8e4d0a038d16fa7ff85a95d5ebb19b93

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
163KB

MD5
9fdb9dc6539ec42205f418a4961b1875

SHA1
463b874fd3421f68e9280784d61394aeec0047de

SHA256
137e8ab237e3125c36b691e9d8a7e1e2c618d8519e3e0ca07361141def71c88a

SHA512
13cf7aec0b72f07bf2fea8b568b24ba1411a61b08898fa4f63b97d44bf3b3069900d4c722ccb3a83cc3c47acb103a92fbe5ff414f0ba8ae263811d9ed1cbb225

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
163KB

MD5
a811f3ee516bb382965af3b9c9db9767

SHA1
2d45bf5b417d426a92209f126bf41d4ce0f186d6

SHA256
04c917fd2e94815e690f4eaa068f39194f5d80bf27ab1ad22797dacfaf659a5e

SHA512
d46a52cf62c870ddb6f910e16fa5e3b11dceb9fdbb7919f54edbc3f1c5f6e269c36993b19ff844ee1b10dd4371bd770f684a7797abe705f17c2c908f88070c26

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
163KB

MD5
f297959c42e5166605a9605eafa5f10d

SHA1
c394ef83eec69687af220c3e42391c25f9bf0cf1

SHA256
23f37c5eeb39993ae6e1d14dcf7e9a410ea56a183aa8a7e412f5c5f2697f0d9b

SHA512
ea1f6be44fdc450a967679c5695646a917aceeea2bb1e134a999a852e06d015c1292f27307c223273a80b4e7ab0aeae183c01e779d7fdee4c09d2fe856a84b51

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
163KB

MD5
54c486e50112c717fdc2d5fab070146e

SHA1
e03f45051b9c3c9ba0b4b3f0e828bed1a029a4da

SHA256
36ed429b19b623e3d121097e11b8e0971e7a362245d97238b946e1b46f223563

SHA512
e27b1817d8354c10396a3f80bc528510c4df19221a7cc76c964f3fadbbfe2590d2522c2765a497392ae5d35bd9a47d5701bcf6d7eb7d2f200b0ab145abdef3fe

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
163KB

MD5
c8666a2ca69f6400dde5c6daf873b030

SHA1
2637f2f267ed0093c9a00231aeecc91429622076

SHA256
88031a5a02336ced34adbf2c2dceca6dc8ca522d0d4868eef6767db024f2ca61

SHA512
d55055067f4dcc83ac808b8ac21dea738ae5551cb9ebbfc722473de164ea1df7908c319edff95611adbc57490019793ffb0b31d8376f8ea191673f3c20e3a652

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
163KB

MD5
2f38ff18a529767bb6d191d2d7df8078

SHA1
405146dba86692b6e5252a3430afa1e39996f0af

SHA256
48005188e0fa009c505a24473a6c09620ddca66aed7b9c0f95f8d1bd350ab704

SHA512
b69ef2de7be0fb9e95bfc6745dd1686f222983d30fd38d1cd5487752cfffb211121697d516c47bf3aad1767706a568cd8f56dc33988ff15a9ba250adaae84999

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
163KB

MD5
cffc14c1cc3c43ba6f13a60a3da4f884

SHA1
265d27acac35eb095b3e0b5f46bf89d7c42e0134

SHA256
5297bf527c623df275bcec51fac50eaa261e5dac6ae7483543c84a86186578df

SHA512
6671cd7aa8f7fd931b9b649702f64831ffef9b6c08e55aceee4509beab60d7445dc89ee7fb01fb7f9a2a355f100fd298ca2aa76d22dc98aacb226aadaff9f76d

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
163KB

MD5
66ab8e4fe4486da6a20cf5571c6a9e63

SHA1
3de99e0bdcfeb18b7997691680fc8cd9d290b8c3

SHA256
34e237eda808cb201254989758d28b25251b55ccd47b54da96027ea829f3d1d7

SHA512
8909e8adefca9641b5db832448a0f053c4ca3df8e43ca7982d360e03d4e53735140692b49cc30da7d34b8acb864f28365b59b37ab21ddc161ac4220caae29139

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
163KB

MD5
1f6b6b5860b2d0ba8a790e1360340ef8

SHA1
20cceb092d94038867dba3e1988911e52fa855b0

SHA256
2f5f867d2a522d4706a50b71323de35b2e743c5fce77f17772b993d5a6c96343

SHA512
0c49e0fd70d5e53ed5d625ba96db07f40d3e1d839956eb882e879e1a262e2baec06bc03b8aa835820433c7b96d1375f784bebec5f0f597bebfb111cd2d65a4e9

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
163KB

MD5
21c9875b63abc7f5f58dc5fef1b56a2f

SHA1
0be2147fd7c6403f05b8b01909aea24d684296ed

SHA256
882cbcdc21524e344601981aa802cc25421ee184ddaa91ceff24c0e199689ce0

SHA512
c14a325d79fd1a2dce97b270f17d6ada432ad5855bfb307c41f3152d08610a61ea9cdba926106f28bde7027aeb4bdb68f127bbf00a647d7ee0af93ebdcbcc9ca

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
163KB

MD5
6d3c88824f9665fe48253257b2950c8d

SHA1
0646483ae0a7773005606b8ed4b84dc82bd3a6f1

SHA256
1386038167445f8a1e3cd692dbd9439444729f3dc1dee09bf223d8258c528abd

SHA512
18de9d1cf6d1e1d499e5d67922bfeb27c5b80b7126f4f2696b5599621b4fc3c4cc3b74b48edaaba93860418806e25c3bbda870d9faca1389117d397a6dccdefe

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
163KB

MD5
e40c6c51dd4a10fdfa42a68785433329

SHA1
bff8aeaf1d60df27800d9f465aa25fcbcd9632e3

SHA256
d448696ea982a8dfc551cc1fceaf9f20e7e85d8d1834b0ff6d9c9d432e4c1580

SHA512
5bd80f7f8bca898c3b4ed980cf32252a0531da6d97a29b6018a51835e45c74e3b176a7e6ffa48c08a06356a8ff35346c1697a01baf8c699f3667c2424a39e565

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
163KB

MD5
c802c5bed19b56acf9af820eb3a7599a

SHA1
4f5a55c68028d7ac54433bb830ccbc44817b3243

SHA256
8df42bceac4cd002fb70b02a795ab1427968adbe0d959c4e2f28c80a8eb3d70c

SHA512
ebe4bad995350ff10b55b1a0975cb9d50df137bf07b61b566de622ebda1fe43ccc45de92d9b020138ddd6bde7e256d3e29bd2ae84a6a1e4efe85c3ac7ab63b3e

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe

Filesize
163KB

MD5
d9c1cbb6d51f0ab59fad069b0f1cb55d

SHA1
4e6f7092c6fdebbfb6a467a3f43b7ece94868d35

SHA256
e9f17591f1c1dc49adb7348f9eef8c0b5e8e3473e29d31638807053da1a73e57

SHA512
7f2873243c02e3ca8ae0a4ada40abcbfa4b80c4f57f5b2c8defc1033af40bcc13bbc532dfbf2e52118749f0287b180c3bf62d5a9162995f1b121d78b148acb58

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
163KB

MD5
e6d39cceb57a3e85a0b3ecf40babffd9

SHA1
f944d9b24cee5fa6a8bfb41eee0f3f536ab1b1b2

SHA256
747a42cd6f7c312cb027afe4807141292849cca37c7ca6c0a8f2233c65d759ec

SHA512
d42de285e2ebdde3fd03bbd75a49c380cc0b53b9584064fe8215b805b1d6a885690213101dd7f97da43f3dd0e98716511a7d45a7a73f444087c60ecfc4a3f33f

Download Submit
memory/184-607-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/184-502-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/212-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-220-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/468-601-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/468-521-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/536-605-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/536-508-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/672-206-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/768-197-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1060-253-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1080-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1252-603-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1252-514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1324-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1380-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1392-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1392-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1392-520-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1504-584-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1504-573-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1624-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1736-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1876-267-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1952-589-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1960-460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2072-157-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-541-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-595-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2184-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-559-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-590-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2300-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2352-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2488-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2564-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2592-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2592-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2632-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2636-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2656-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2736-496-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2736-609-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2820-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-285-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3056-582-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3056-580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3088-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3088-599-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3164-471-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3176-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3320-617-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3332-173-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3388-558-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3388-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3412-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3500-261-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3596-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3612-490-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3612-611-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3624-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3672-615-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3672-478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3804-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3804-547-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3920-189-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3968-484-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3968-613-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3976-593-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3984-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3996-586-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3996-566-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4020-291-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4052-572-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4052-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4108-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4120-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4120-533-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4172-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4192-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4192-540-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4268-591-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4268-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4348-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4468-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4564-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4668-597-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4668-534-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4696-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4792-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4792-579-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5076-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads